Domain-Specific Testing

OWASP MASTG

Mobile Application Security Testing Guide

OWASP (Open Worldwide Application Security Project) Source Document →

What It Is

The comprehensive mobile application security testing manual, covering both Android and iOS. MASTG provides step-by-step testing procedures, tool-specific instructions, and platform-specific deep-dives across:

  • General Concepts — Threat taxonomy, testing methodology, tampering and reverse engineering, authentication, network communication, cryptography, code quality, privacy
  • Android Testing — APK analysis, Frida hooking, Binder IPC, Keystore misuse, root detection bypass, anti-tampering
  • iOS Testing — IPA analysis, Objective-C runtime manipulation, Keychain storage, jailbreak detection bypass

MASTG is the “how” companion to OWASP MASVS (Mobile Application Security Verification Standard), which defines the “what” — the security requirements.

Why It Matters

Mobile is a fundamentally different attack surface than web. The app runs on the user’s device — which means the user (or attacker) controls the runtime environment. Concepts like certificate pinning, Keystore/Keychain security, root/jailbreak detection, and anti-tampering have no web equivalent. MASTG is the only public resource that covers these attack surfaces with the depth needed for professional assessments.

When to Use It

Any mobile application security assessment. Like WSTG for web apps, MASTG plugs into PTES phases 4-5 (vulnerability analysis and exploitation) for mobile-specific test cases.

The Offensive Angle

Frida is the dominant tool throughout MASTG, and for good reason — dynamic instrumentation lets you hook any function at runtime, bypass security controls, and intercept data in transit. Understanding Frida isn’t just a pentest skill; it’s how advanced spyware operates. The same hooking techniques that MASTG teaches for testing are used by threat actors for surveillance.

Pairs Well With

  • OWASP MASVS — The requirements standard that MASTG tests against
  • OWASP WSTG — Companion for web components (APIs, backend services)
  • PTES — Engagement framework that MASTG test cases plug into