This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Mobile Security Testing Guide

From OWASP
Jump to: navigation, search
OWASP MSTG Header.jpg
Lab big.jpg

Our Vision

"Define the industry standard for mobile application security."

We are writing a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

Main Deliverables

Mstg-cover-release-small2.jpg Mobile Security Testing Guide (MSTG) - 1.1.1 Release

The 1.1.1 Release of the MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers with the following content:

  1. Mobile platform internals
  2. Security testing in the mobile app development lifecycle
  3. Basic static and dynamic security testing
  4. Mobile app reverse engineering and tampering
  5. Assessing software protections
  6. Detailed test cases that map to the requirements in the MASVS.

You can contribute and comment in the GitHub Repo. An online book version of the current master branch is available on Gitbook.

Feel free to download the ePub or Mobi for $0 or contribute any amount you like. All funds raised through sales of this book go directly into the project budget and will be used to for technical editing and designing the book and fund production of future releases.

Masvs-mini-cover2.jpg Mobile App Security Requirements and Verification

The OWASP Mobile Application Security Verification Standard (MASVS) version 1.1.3 is a standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.You can find the sources on the Github repo. We now have versions in the folllowing languages: Chinese, English, French, German, Japanese, Russian, and Spanish! Want to get a pdf/mobi/epub of the standard? Check the release page on Github.

Checklist.jpg Mobile App Security Checklist

A checklist for use in security assessments. Also contains links to the MSTG test case for each requirement. The current release is can be found at Github in English, Spanish and Japanese.


Classifications

Lab Project Owasp-builders-small.png
Owasp-breakers-small.png
Owasp-defenders-small.png
CC-License-4.0.png
Project Type Files DOC.jpg

Project Leaders

Sven Schleier

Jeroen Willemsen

Training

Presentations

  • AppDevcon (Amsterdam), March 2019 - Securing your mobile app with the OWASP Mobile Security Testing Guide
  • OWASP BeNeLux days 2018 - Fast forwarding mobile security with the MSTG, November 2018 - slides
  • OWASP Germany days 2018 - Introduction to Mobile Security Testing, November 2018 - slides
  • DBS AppSecCon (Singapore) - Fixing Mobile AppSec, October 2018
  • OWASP Bay Area Chapter - Mobile Testing Workshop, October 2018
  • OWASP AppSec USA - Fixing Mobile AppSec, October 2018
  • CSC 2018 - A Perspective on Mobile Security in IoT and how OWASP can Help - slides.
  • OWASP North Sweden Umea - Mobile Security Essentials
  • OWASP Gotentburg - Mobile Security Essentials Introduction into OMTG and All about the keying material
  • OWASP Day Indonesia 2017 - Fixing Mobile AppSec
  • Confidence (Krakow, Poland) - Pawel Rzepa - Testing Mobile Applications
  • OWASP AppSec EU 2017 - Fixing Mobile AppSec - Slides, Video

Parent Project

OWASP_Mobile_Security_Project

Licensing

The guide is licensed under the Creative Commons Attribution-ShareAlike 4.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.