This is the official Github Repository of the OWASP Mobile Security Testing Guide (MSTG). The MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests.
The following lists contains the individual sections of the MSTG, along with the person(s) responsible for each section. Please contact them directly to join as an author or give feedback. Another good place to start browsing is the detailed list of security test cases. If all you desire is a checklist, you can also download this as an Excel sheet.
- Header
- Foreword
- Frontispiece -- Bernhard Mueller
- The OWASP Mobile Security Project -- Bernhard Mueller
- Mobile Platforms Overview - Pishu Mahtani
- Android -- Cláudio André
- iOS -- Pishu Mahtani
- Security Testing Processes, Tools and Techniques -- Bernhard Mueller, Looking for More Lead Authors
Detailed Howtos -> Full list
- Android
- Testing Data Storage -- Francesco Stillavato, Sven Schleier
- Testing Cryptography -- Alexander Antukh, Gerhard Wagner
- Testing Authentication and Session Management -- Daniel Ramirez
- Testing Network Communication -- Pawel Rzepa, Jeroen Willemsen
- Testing Environmental Interaction -- Sven Schleier
- Testing Code Quality and Build Settings -- Abdessamad Temmar
- Testing Resiliency Against Reverse Engineering -- Bernhard Mueller
- iOS
- Testing Data Storage -- Gerhard Wagner
- Testing Cryptography -- Alexander Anthuk, Gerhard Wagner
- Testing Authentication and Session Management -- Daniel Ramirez
- Testing Network Communication -- Pawel Rzepa, Jeroen Willemsen
- Testing Environmental Interaction -- Sven Schleier
- Testing Code Quality and Build Settings -- Abdessamad Temmar
- Testing Resiliency Against Reverse Engineering -- Bernhard Mueller
- Security Testing in the Application Development Lifecycle -- Stefan Streichsbier
- Assessing the Quality of Software Protections -- Bernhard Mueller
- Testing Tools -- Prathan Phongthiproek
- Suggested Reading - T.b.d.
To report and error or suggest an improvement, please create an issue.
Please read the author's guide first if you want to contribute.
The MSTG is an open source effort and we welcome contributions and feedback. To discuss the MASVS or MSTG join the OWASP Mobile Security Project Slack Channel. You can sign up here: