OWASP Mobile Security Testing Guide

This is the official Github Repository of the OWASP Mobile Security Testing Guide (MSTG). The MSTG is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests.

Table of Contents

The following lists contains the individual sections of the MSTG, along with the person(s) responsible for each section. Please contact them directly to join as an author or give feedback. Another good place to start browsing is the detailed list of security test cases. If all you desire is a checklist, you can also download this as an Excel sheet.

Introductionary

• Header
• Foreword
• Frontispiece -- Bernhard Mueller
• The OWASP Mobile Security Project -- Bernhard Mueller

High-Level Guides

• Mobile Platforms Overview
  • Android -- Cláudio André
  • iOS -- Looking for Lead Authors
• Security Testing Processes, Tools and Techniques
  • Android -- Looking for Lead Authors
  • iOS -- Looking for Lead Authors
• Tampering and Reverse Engineering -- Bernhard Mueller, Sebastian Banescu
  • Android -- Bernhard Mueller
  • iOS -- Bernhard Mueller

Detailed Howtos -> Full list

• Android
  • Testing Data Storage -- Francesco Stillavato, Sven Schleier
  • Testing Cryptography -- Alexander Anthuk, Gerhard Wagner
  • Testing Authentication and Session Management -- Daniel Ramirez
  • Testing Network Communication -- Pawel Rzepa, Jeroen Willemsen
  • Testing Environmental Interaction -- Sven Schleier
  • Testing Code Quality and Build Settings -- Abdessamad Temmar
  • Testing Resiliency Against Reverse Engineering -- Bernhard Mueller
• iOS
  • Testing Data Storage -- Gerhard Wagner
  • Testing Cryptography -- Alexander Anthuk, Gerhard Wagner
  • Testing Authentication and Session Management -- Daniel Ramirez
  • Testing Network Communication -- Pawel Rzepa, Jeroen Willemsen
  • Testing Environmental Interaction -- Sven Schleier
  • Testing Code Quality and Build Settings -- Abdessamad Temmar
  • Testing Resiliency Against Reverse Engineering -- Bernhard Mueller

Complementary

• Security Testing in the Application Development Lifecycle -- Stefan Streichsbier
• Assessing the Quality of Software Protections -- Bernhard Mueller
• Testing Tools -- Prathan Phongthiproek
• Suggested Reading - T.b.d.

Suggestions and feedback

To report and error or suggest an improvement, please create an issue.

How to Contribute

Please read the author's guide first if you want to contribute.

The MSTG is an open source effort and we welcome contributions and feedback. To discuss the MASVS or MSTG join the OWASP Mobile Security Project Slack Channel. You can sign up here:

http://owasp.herokuapp.com/