This is the official Github Repository of the OWASP Mobile Security Testing Guide (MSTG). The MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests.
To report and error or suggest an improvement, please create an issue.
Please read the author's guide first if you want to contribute.
The MSTG is an open source effort and we welcome contributions and feedback. To discuss the MASVS or MSTG join the OWASP Mobile Security Project Slack Channel. You can sign up here:
The following lists contains the individual sections of the MSTG, along with the person(s) responsible for each section. Please contact them directly to join as an author or give feedback.
- Header
- Acknowledgements
- Introduction -- Bernhard Mueller
- The OWASP Moble Application Security Project -- Bernhard Mueller
- Mobile Platforms Overview -- Stephen Corbiaux
- Testing Processes and Techniques -- Stefanie Vanroelen, Stephen Corbiaux
- Reverse Engineering and Tampering -- Bernhard Mueller
- Assessing Software Protections -- Bernhard Mueller
- Security Testing in the Application Development Lifecycle -- Stefan Streichsbier
- Testing Data Storage -- Francesco Stillavato, Sven Schleier
- Testing Cryptography -- Gerhard Wagner
- Testing Authentication and Session Management -- Stephen Corbiaux
- Testing Network Communication -- Jeroen Willemsen
- Testing Environmental Interaction -- Sven Schleier
- Android -- Sven Schleier
- iOS -- Sven Schleier
- Testing Code Quality and Build Settings -- Abdessamad Temmar
- Testing Resiliency Against Reverse Engineering -- Bernhard Mueller
- Testing Tools - T.b.d.
- Suggested Reading - T.b.d.