The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
MASTG Refactor Part 2: Techniques, Tools & Reference Apps: This release introduces the second phase of the MASTG (Mobile Application Security Testing Guide) refactor. These changes aim to enhance the usability and accessibility of the MASTG.
The primary focus of this refactoring phase is the reorganization of the MASTG content into distinct components, each housed in its own section/folder and now published as individual pages on our website (markdown files with metadata/frontmatter in GitHub):
NOTE: You may find broken links on the website and in the PDF/eBook. This is a consequence of these massive changes and we expect to be able to fix them soon.
- Tests: `tests/` folder, `MASTG-TEST-XXXX`
- Techniques: `techniques/` folder, `MASTG-TECH-XXXX`
- Tools: `tools/` folder, `MASTG-TOOL-XXXX`
- Apps: `apps/` folder, `MASTG-APP-XXXX`

We hope that the revamped structure enables you to navigate the MASTG more efficiently and access the information you need with ease. See below for a detailed list of changes.
We'd like to thank all of our loyal contributors and welcome our new contributors.
Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for this new OWASP MASTG refactoring phase, and for continuing to spread the word about the OWASP MAS project.
We'd also like to thank our new MAS Advocate applicants for waiting patiently while we get everything ready behind the scenes for them to help us efficiently.
Thanks to Zimperium for their generous donation!
Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project
NOTE: the OWASP MASTG v1.7.0 relies on the latest MASVS v2.0.0
Help us improve! questions | ideas | contact
`:` instead of `\` for command start by @Shiva953 in https://github.com/OWASP/owasp-mastg/pull/2450
Full Changelog: https://github.com/OWASP/owasp-mastg/compare/v1.6.0...v1.7.0
Following up on the OWASP MASVS v2.0.0 Release we're excited to announce the release of the new OWASP MASTG version v1.6.0. This update includes a range of new features, including the first phase of the MASTG refactoring, MASVS color-coding, upgraded MAS Checklists (for OWASP MASVS v2.0.0 + MASTG v1.6.0), and much more. See below for a detailed list of changes.
We'd like to thank all of our loyal contributors and welcome our new contributors.
Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MASTG refactoring, the OWASP MAS website and this MASTG v1.6.0 release, and for continuing to spread the word about the OWASP MAS project.
Thanks to dvuln, eShard, OHRUS and devoteam Cyber Trust for their generous donations!
Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project
NOTE: the OWASP MASTG v1.6.0 relies on the latest MASVS v2.0.0
Help us improve! questions | ideas | contact
We're bringing official colors to the MASVS! The new colors will be used across the MASVS v2.0.0 and MASTG v2.0.0 to help users quickly identify the different control groups. We've also revamped certain areas of our website to make them more readable and easier to navigate, as well as to prepare for what's coming with the MASTG v2.0.0 (keyword: "atomic tests").
In the MASVS home page, the new colors will be used to highlight the different control groups.
The individual controls will also be color-coded to help users quickly identify the different control groups. We've also redesigned the control pages to make them more readable and easier to navigate.
Now, when you navigate to the MASTG tests, you'll see that they are categorized by platform (Android/iOS) as well as by MASVS category, also using our new colors in the sidebar. The colors will also be used to highlight the different control groups in the test description.
Each test now contains a header section indicating the platform, the MASVS v1.5.0 controls, and the MASVS v2.0.0 controls.
We've also introduced a new section called "Resources", which is automatically generated from the inline links within the MASTG pages and serves as a quick reference to the most important resources for each test.
NOTE: The MASTG tests themselves haven't changed yet; we're still working on the refactoring. For now we've simply split the tests into individual pages to make them easier to navigate and reference. This will facilitate the work on the refactoring and the introduction of the new atomic tests.
The MAS Checklist pages and the MAS checklist itself have also been updated to use the new colors to highlight the different control groups and to make them easier to navigate.
When you click on a MASVS group you'll see a table listing the new MASVS v2.0.0 controls as well as the corresponding MASTG tests (v1.5.0) for both the Android and the iOS platforms.
NOTE: The checklist still contains the old MASVS v1 verification levels (L1, L2 and R), which we are currently reworking into "security testing profiles". The levels were assigned according to the MASVS v1 ID that each test previously covered and might differ in the upcoming version of the MASTG and MAS Checklist.
For the upcoming MASTG version we will progressively split the MASTG tests into smaller tests, the so-called "atomic tests", and assign the new MAS profiles accordingly.
We hope you like the new colors and the changes we've made to the website. We're looking forward to your feedback! Please use our GitHub Discussions to post any questions or ideas you might have. If you see something wrong please let us know by opening a bug issue.
Full Changelog: https://github.com/OWASP/owasp-mastg/compare/v1.5.0...v1.6.0
We've been very busy with the OWASP MASVS refactoring, but we're very excited to bring you the new OWASP MASTG v1.5.0, which includes new test cases, testing fundamentals, upgraded MAS Checklists and much more; see below.
We'd like to thank all of our loyal contributors and welcome our new contributors.
Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MAS rebranding, the brand new OWASP MAS website and this MASTG v1.5.0 release, and for continuing to spread the word about the OWASP MAS project.
Carlos Holguera & Sven Schleier - OWASP MAS project
NOTE: the OWASP MASTG v1.5.0 relies on the latest MASVS v1.4.2
Checklist test coverage changes: removed (2) added (13) updated (51)
Full Changelog: https://github.com/OWASP/owasp-mastg/compare/v1.4.0...v1.5.0
The highly anticipated OWASP Mobile App Security Checklists are back including very exciting news.
N/A, Pass or Fail.

Your feedback is essential for the development of the project. If you have any comments or new ideas please post them here:
https://github.com/OWASP/owasp-mstg/discussions/new?category=ideas
Full Changelog: https://github.com/OWASP/owasp-mstg/compare/v1.3.0...v1.4.0
Full Changelog: https://github.com/OWASP/owasp-mstg/compare/v1.2.1...v1.3.0
Minor release without relevant content changes.
Full Changelog: https://github.com/OWASP/owasp-mstg/compare/v1.2...v1.2.1
167 issues were closed since the last release. A full overview can be seen in GitHub Issues: https://github.com/OWASP/owasp-mstg/issues?q=is%3Aissue+is%3Aclosed+closed%3A2019-08-03..2021-07-25
326 pull requests were merged since the last release. A full overview can be seen in GitHub Pull Requests: https://github.com/OWASP/owasp-mstg/pulls?q=is%3Apr+is%3Aclosed+closed%3A2019-08-03..2021-07-25
Major changes include:
Several other minor updates include fixing typos and markdown lint errors and updating outdated links.
We thank all contributors for their hard work and for continuously improving the document and the OWASP MSTG project!
Intermediate update (1.1.3-excel). See CHANGELOG.md for updates on intermediate update releases.
This is a special release with the new compliance lists for 1.1.2 only. Grab them while they're hot!