OWASP Mobile Security Testing Guide

This is the official Github Repository of the OWASP Mobile Security Testing Guide (MSTG). The MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests.

Table of Contents

Use the document index to navigate the master branch of the MSTG.

High-Level Structure

The following lists contains the individual sections of the MSTG, along with the person(s) responsible for each section. Please contact them directly to join as an author or give feedback. Another good place to start browsing is the document index. If all you desire is a checklist, you can also download this as an Excel sheet.

Introductionary

• Header
• Foreword -- Bernhard Mueller
• Frontispiece -- Bernhard Mueller

High-Level Guides

• Mobile Platforms Overview - Pishu Mahtani
  • Android -- Cláudio André, Romuald Szkudlarek
  • iOS -- Pishu Mahtani
• Security Testing Processes, Tools and Techniques -- Bernhard Mueller, Looking for More Lead Authors
  • Android
    • Basic Security Testing -- Luander Ribeiro, Sven Schleier
    • Tampering and Reverse Engineering -- Bernhard Mueller, Sebastian Banescu
  • iOS
    • Basic Security Testing -- Looking for Lead Authors
    • Tampering and Reverse Engineering -- Bernhard Mueller, Sebastian Banescu

Detailed Howtos

• Android
  • Testing Data Storage -- Francesco Stillavato, Sven Schleier
  • Testing Cryptography -- Alexander Antukh, Gerhard Wagner
  • Testing Authentication and Session Management -- Daniel Ramirez
  • Testing Network Communication -- Pawel Rzepa, Jeroen Willemsen
  • Testing Environmental Interaction -- Sven Schleier
  • Testing Code Quality and Build Settings -- Abdessamad Temmar
  • Testing Resiliency Against Reverse Engineering -- Bernhard Mueller
• iOS
  • Testing Data Storage -- Gerhard Wagner
  • Testing Cryptography -- Alexander Anthuk, Gerhard Wagner
  • Testing Authentication and Session Management -- Daniel Ramirez
  • Testing Network Communication -- Pawel Rzepa, Jeroen Willemsen
  • Testing Environmental Interaction -- Sven Schleier
  • Testing Code Quality and Build Settings -- Abdessamad Temmar
  • Testing Resiliency Against Reverse Engineering -- Bernhard Mueller

Complementary

• Security Testing in the Application Development Lifecycle -- Stefan Streichsbier
• Testing Tools -- Prathan Phongthiproek
• Suggested Reading - T.b.d.

Suggestions and feedback

To report an error or suggest an improvement, please create an issue, or do a pull request.

How to Contribute

Please read the author's guide first if you want to contribute.

The MSTG is an open source effort and we welcome contributions and feedback. To discuss the MASVS or MSTG join the OWASP Mobile Security Project Slack Channel. You can sign up here:

http://owasp.herokuapp.com/