owasp/mastg

12,884 · Python · Audience: ops, devops · Complexity: 3/5 · Setup: easy

TLDR

The OWASP Mobile Application Security Testing Guide is a free, comprehensive reference manual for testing the security of Android and iOS apps, covering step-by-step procedures and reverse engineering techniques.

Mindmap

mindmap
  root((OWASP MASTG))
    Platforms
      Android
      iOS
    Test Areas
      Data storage
      Authentication
      Network security
    Methods
      Dynamic analysis
      Reverse engineering
      Checklist audits
    Companion Docs
      MASVS controls
      MASWE weaknesses
      Crackme exercises

Things people build with this

USE CASE 1

Conduct a security audit of an Android or iOS app using the step-by-step testing procedures in the guide.

USE CASE 2

Check whether an app meets the OWASP MASVS security controls before submitting it for certification.

USE CASE 3

Practice mobile reverse engineering skills using the MASTG crackme exercises.

USE CASE 4

Download the audit checklist to track which security requirements have been verified during a client engagement.

Tech stack

Python

Getting it running

Difficulty · easy · Time to first run · 5 min
The guide is a document rather than software: there is nothing to install. It is free to use and share under a Creative Commons license, and contributions from the security community are welcome.

In plain English

The OWASP Mobile Application Security Testing Guide, commonly called MASTG, is a free reference manual for testing the security of mobile apps on Android and iOS. It is produced by OWASP, a nonprofit foundation focused on software security, and is one of the most widely recognized resources in the mobile security field.

The guide works alongside two companion documents. The first is the OWASP Mobile Application Security Verification Standard (MASVS), which defines the security controls a mobile app should meet. The second is the OWASP Mobile Application Security Weakness Enumeration (MASWE), which catalogs specific types of security weaknesses. MASTG provides the step-by-step testing procedures that show how to check for each weakness listed in MASWE, so the three documents form a chain: MASVS states the control, MASWE names the weakness that violates it, and MASTG explains how to test for it.

Practitioners use the guide to verify that a mobile app handles sensitive data, authentication, network communication, and device storage correctly. It covers both dynamic analysis (testing the app while it runs) and reverse engineering techniques for examining how an app is built without access to the original source code.

The project publishes downloadable checklists alongside the guide itself, making it possible to track which security requirements have been verified during an audit. It also offers a set of practice exercises called crackmes for people who want to improve their hands-on testing skills.

Platform providers, government agencies, and universities have adopted the MASVS and MASTG as formal references. The project is licensed under Creative Commons and accepts contributions from the broader security community.

Copy-paste prompts

Prompt 1
Using the OWASP MASTG, give me the checklist of tests I should run to verify that an Android app stores sensitive data securely.
Prompt 2
What does the OWASP MASTG say about testing network communication security in iOS apps? List the key checks.
Prompt 3
I'm setting up a mobile security review process for my team. Which MASTG sections should I prioritize for a fintech app?
Prompt 4
Walk me through the MASTG approach for dynamically analyzing an Android app to find authentication bypass vulnerabilities.
Prompt 5
How do I use the MASTG crackme exercises to practice Android reverse engineering from scratch?