Mobile Application Security
6.1.2 MAS testing guide
The OWASP MAS project publishes the MAS Verification Standard (MASVS), which lists the security controls expected of a mobile application, and the Mobile Application Security Testing Guide (MASTG), which describes the processes, techniques and tools used to verify that an application implements those controls.
What is MASTG?
The OWASP Mobile Application Security Testing Guide is a comprehensive manual for mobile application security testing and reverse engineering. It describes the technical processes used for verifying the controls listed in the OWASP MASVS.
The MASTG provides several resources for testing the controls:
- Sections detailing the concepts and theory behind testing of both Android and iOS platforms
- Lists of tests for each section of the MASVS
- Descriptions of techniques for Android or iOS used during testing
- Lists of generic tools and of tools specific to Android or iOS
- Reference applications that can be used as training material
Why use MASTG?
The OWASP MASVS is the industry standard for mobile application security, and provides a list of security controls that are expected in a mobile application. If the application does not implement these controls correctly then it could be vulnerable; the MASTG tests that the application has the controls listed in the MASVS.
How to use MASTG
The OWASP Spotlight series provides an overview of using the MASTG: ‘Project 13 - OWASP Mobile Security Testing Guide (MSTG)’.
The MASTG project contains a large number of resources that can be used during verification and testing of mobile applications; pick and choose the resources that are applicable to the specific application under test.
- Refer to the MASTG section on concepts and theory to gain a good understanding of the testing process
- Select the MASTG tests that are applicable to the application and its platform OS
- Use the section on MASTG techniques to run the selected tests correctly
- Become familiar with the range of MASTG tools available and select the ones that you need
- Use the MAS Checklists to provide evidence of compliance
References
- OWASP Mobile Application Security (MAS) project
- OWASP MAS Testing Guide (MASTG)
- OWASP MAS Checklists
- OWASP MAS Verification Standard (MASVS)
- OWASP Mobile Application Security cheat sheet
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.