
Blog

MASTG v2.0.0 is Here

We just released MASTG v2.0.0, the first stable, non-beta release of the fully refactored Mobile Application Security Testing Guide. This is a milestone we have been building toward for three years, and it marks the completion of the most significant structural transformation in the project's history.

https://github.com/OWASP/mastg/releases/tag/v2.0.0

This post explains what MASTG v2 is, how it came to be, and what it means in practice — including how tests are written, how they connect to the rest of the framework, and what changed in this specific release.

Where We Came From

The original MASTG was written as a narrative guide: long chapters that mixed background, static analysis, dynamic analysis and code examples into a single flow. A chapter on "Testing Universal Links" could run 500 lines. A chapter on "Testing Anti-Debugging Detection" included bypass strategies, effectiveness criteria, and philosophical guidance on what "good enough" protection looks like. This was the right format for a book, and for years it was enormously useful as exactly that.

But the world changed. Organizations started building automation pipelines that needed to reference specific checks, not pages from a book. Compliance teams needed to trace a requirement in MASVS down to a test and from there to a specific piece of code. Tool authors wanted to know which technique a test relied on so they could determine whether their tool automated it. All of this was very hard to do with a narrative guide.

We began redesigning the framework in 2021, starting with the MASVS.

  • In August 2022, the project rebranded from OWASP MSTG to OWASP MAS, making explicit what the project had grown into: not just a testing guide, but a full framework comprising MASVS, MASTG, checklists, and a growing community supporting it.

  • MASVS v2.0.0 (April 2023) provided the structural foundation the MASTG redesign needed. MASVS v2 reorganized requirements around the classic categories (MASVS-STORAGE, MASVS-CRYPTO, MASVS-AUTH, MASVS-NETWORK, MASVS-PLATFORM, MASVS-CODE, MASVS-RESILIENCE) and moved the old L1/L2/R verification levels out of the standard itself and into the MASTG as Testing Profiles backed by concrete scenarios rather than abstract threat levels. The idea: controls stay platform-agnostic and stable; how you test them, and at what rigor, depends on context captured in the tests.

  • In October 2023, MASVS-PRIVACY extended this with a dedicated category and profile for privacy-relevant controls.

The MASTG refactor followed in two public milestones:

  • Part 1 in July 2023 introduced atomic tests and the profile system.
  • Part 2 in September 2023 introduced the full modular component model: tests, techniques, tools, and apps as individually addressable, stable-ID components. From there, the work of porting the 90+ v1 tests and building out hundreds of new ones began in earnest.

But even with atomic tests and a modular structure, something was missing: a layer between the high-level, platform-agnostic MASVS controls and the low-level, platform-specific MASTG tests. A MASVS control like "The app employs current strong cryptography and uses it according to industry best practices" is very abstract by design; it says nothing about what a concrete weakness looks like. A test like MASTG-TEST-0352 is very specific to Android anti-debugging and the relevant APIs and attributes involved. What was supposed to connect them?

In July 2024 we introduced the Mobile App Security Weakness Enumeration (MASWE): a structured catalogue of specific weaknesses in mobile applications, modeled after the role CWEs play in the broader software security industry. Each MASWE entry identifies a precise, platform-agnostic weakness and connects upward to the MASVS control it violates and downward to the platform-specific MASTG tests that check for it.

With MASWE in place, the full traceability chain was complete:

Every test in MASTG v2 carries a weakness: MASWE-XXXX field in its metadata. Every MASWE entry traces back to a MASVS control. The chain runs from a compliance requirement all the way to runnable code on a real device.

Here's how it works:

  1. MASVS Controls: High-level platform-agnostic requirements.

For example, "The app employs current strong cryptography and uses it according to industry best practices." (MASVS-CRYPTO-1).

  2. MASWE Weaknesses: Specific weaknesses, typically also platform-agnostic, related to the controls.

For example, "use of predictable pseudo-random number generation" (MASWE-0027).

  3. MASTG Tests: Each weakness is evaluated by executing tests that guide the tester in identifying and mitigating the issues using various tools and techniques on each mobile platform.

For example, testing for "insecure random API usage on Android" (MASTG-TEST-0204). Tests are backed by knowledge articles (MASTG-KNOW-****) and best practices (MASTG-BEST-****) that provide additional context and guidance for testers. They use techniques (MASTG-TECH-****) to perform the test steps.

  4. MASTG Demos: Practical demonstrations that include working code samples and test scripts to ensure reproducibility and reliability.

For example, a sample using java.util.Random instead of java.security.SecureRandom (MASTG-DEMO-0007). Demos use specific tools (MASTG-TOOL-****) to perform the test steps.

What MASTG v2 Actually Is

MASTG v2 is now a knowledge graph of individually addressable, cross-linked components with stable IDs, structured metadata, and defined relationships to other components. The component types are:

Component        ID Pattern         Count
Tests            MASTG-TEST-****    285
Demos            MASTG-DEMO-****    152
Techniques       MASTG-TECH-****    167
Tools            MASTG-TOOL-****    135
Knowledge        MASTG-KNOW-****    140
Best Practices   MASTG-BEST-****     72
Apps             MASTG-APP-****      28

This modular approach allows us to maintain and update each component independently, ensuring that the MASTG remains current and relevant. For example, in our previous structure, the MASTG consisted of large test cases within a single markdown file. This was not only difficult to maintain but also made it challenging to reference specific tests; and it was impossible to have metadata for each test.

The new structure divides tests into individual pages (Markdown files with metadata), each with its own ID (MASTG-TEST-****) and links to relevant techniques (MASTG-TECH-****) and tools (MASTG-TOOL-****). This encapsulation ensures that each test is easily referenced and promotes reusability across all MAS components. For example, you can open a test and see what tools and techniques are being used, and soon you'll be able to do the same in reverse: open a tool or technique and see all the tests that use it. This deep cross-referencing can be extremely powerful when exploring the MASTG.

The New Test Format

The most consequential change in v2 is how individual tests are written.

A v1 test was a "book chapter". It would open with background, explain the mechanism under test, walk through static analysis, then dynamic analysis, often with inline code examples and Frida scripts woven into the prose.

This had many issues. Just to name a few:

  • It was hard to automate. A tool could not parse a 500-line chapter and know what to do.
  • It was hard to reference. A compliance team could not point to a specific test for a specific requirement. Sometimes they would reference a chapter, a section (with an anchor), a paragraph, sometimes a sentence.
  • It was hard to fail. A tester could not say "this test failed" without ambiguity. The chapter blended static and dynamic checks, so a tester could pass one part and fail another, but the chapter itself had no clear pass/fail criteria.
  • It had duplicate content. Many tests repeated the same background, the same Frida scripts, the same "how to decompile and analyze an app" instructions, and the same bypass guidance.
  • It was hard to maintain. A change in a technique or tool required updating dozens of chapters.
  • It was hard to review. A reviewer had to read a long chapter and decide whether it was correct, complete, and consistent with other chapters.

The old MASTG-TEST-0070 "Testing Universal Links" test ran 513 lines. It covered everything in one continuous narrative: entitlement checking, Apple App Site Association (AASA) file retrieval, link receiver method tracing, dynamic analysis with frida-trace and handoff behavior. This test has now become:

  • MASTG-TEST-0370 — Missing Input Validation in Custom URL Scheme Handlers
  • MASTG-TEST-0371 — Missing Source Validation in Custom URL Scheme Handlers
  • MASTG-TEST-0395 — Missing Input Validation in Universal Link Handlers

Each can now be referenced independently, automated independently, and fail independently.

Example: MASTG-TEST-0001 - Testing Local Storage for Sensitive Data

The old MASTG-TEST-0001 "Testing Local Storage for Sensitive Data" test ran 152 lines. It covered everything in one continuous narrative: shared preferences, internal storage, external storage, SQLite databases, and content providers. This has now become:

  • MASTG-TEST-0207 — Runtime Storage of Unencrypted Data in the App Sandbox
  • MASTG-TEST-0200 — Files Written to External Storage
  • MASTG-TEST-0201 — Runtime Use of APIs to Access External Storage
  • MASTG-TEST-0202 — References to APIs and Permissions for Accessing External Storage
  • etc.

And this list will keep growing as we continue to add new specific tests for each storage mechanism that were still missing in the v1 guide.

New MASTG v2 Tests

A v2 test is an atomic check. It has one thing to verify and it has a fixed structure:

  • Frontmatter metadata: platform (Android/iOS), type (static/dynamic/code/manual/hooks), weakness (MASWE-XXXX), profiles (L1, L2, R), knowledge articles, best practices, APIs involved.
  • Overview: describes what the test checks for
  • Steps: describes what you do using existing techniques (MASTG-TECH)
  • Observation: describes the raw output from your steps, before interpretation.
  • Evaluation: describes how you decide the pass/fail condition.

The example below shows this in practice:

  • It’s part of the default L1 and L2 security profiles.
  • It’s targeting Android.
  • The importance of the test is explained in MASWE-0007 (“Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction”).
  • The overview links to additional knowledge articles (MASTG-KNOW) and techniques (MASTG-TECH).
  • The steps link to existing techniques (MASTG-TECH).
  • A clear observation and evaluation are given.

On top of this we now have demos (MASTG-DEMO) tied to specific tests. They provide working code, expected outputs, and full automation artifacts. See below.

MASTG Demos

Each MASTG-DEMO consists of the following items:

  • A working sample app (Kotlin, Swift, or Objective-C) that exhibits the weakness under test.
  • A runnable script containing the static analysis command, Frida script, or shell automation.
  • A captured output.txt showing the exact expected output.
  • An Evaluation section stating what in the output constitutes a test failure.

All demos are built and verified automatically on every push via GitHub Actions.

To ensure our guidelines are practical and reliable, we've developed new MAS Test Apps for both Android and iOS.

These simple skeleton applications are designed to embed code samples directly, allowing users to validate and experiment with the provided demos. This approach ensures that all code samples are functional and up-to-date, fostering a hands-on learning experience.

For example, to test for secure storage, MASTG-DEMO-0002 shows how to use dynamic analysis with Frida to identify the issues in the code. The demo includes:

  • a Kotlin code sample (ready to be copied into the app and run on a device)
  • the specific test steps for this case using Frida
  • the shell script including the Frida command
  • the Frida script to be injected
  • the output with explanations
  • the final evaluation of the test

You can run everything on your own device and validate the results yourself! Just clone the repository and navigate to the demo folder, install Frida on your computer and your Android device, and follow the steps.

These demos can also be used as experimental playgrounds to improve your skills and practice with different cases as you study mobile app security with the MASTG. For example, you can try to reverse engineer the app and see if you're able to find the same issues as the demo or you can try to fix the issues and see if you can validate the fix.

They are also great for advanced researchers and pentesters to quickly validate certain scenarios. For example, it's very common to find cases where Android behaves differently depending on the version or the manufacturer. With these demos, you can quickly validate if a certain issue is present on a specific device or Android version.

What This Means in Practice

For security testers: Every test now tells you exactly what to run, what to expect, and what constitutes a failure. You do not need to interpret prose or decide which parts of a chapter apply to your engagement. The Steps section is your test procedure. The Evaluation section is your reporting criterion.

For compliance and risk teams: Every test maps to a specific MASWE weakness, which maps to specific MASVS controls. You can trace a compliance requirement through the full chain: MASVS control → MASWE weakness → MASTG test. The IDs are stable and permanently resolvable.

For developers: The best-practices field in each test links to MASTG-BEST entries that describe how to build the control correctly. If your app fails MASTG-TEST-0326 (biometric auth fallback), MASTG-BEST-0031 tells you exactly how to fix it. Knowledge articles, linked via the knowledge: field, give you the platform-level understanding.

Thank you!

Thank you to everyone who contributed to this release and to the multi-year effort behind it.

Special thanks to Carlos Holguera (@cpholguera), the architect and heart of the MAS project, who kept the vision alive through the years and his persistence that has shaped it into what it is today.

We also want to give special recognition to a group of contributors whose sustained, high-quality involvement had a major impact on MASTG v2. This includes not only code and content contributions, but also review work, technical discussions, task force participation, consistency, and overall project support.

In alphabetical order:

Many others contributed along the way, and we are grateful for every meaningful contribution that helped move the project forward. Additional contributors and acknowledgements can be found in the release notes for v2.0.0, v1.9.0, v1.8.0, and earlier releases.

We cannot thank our MAS Advocates enough for their continuous contributions of quality content to the MAS project:

  • NowSecure
  • Guardsquare
  • vulnIt

Feedback Wanted

The v2 framework is complete. Now we build on it.

View the release on GitHub →

We encourage you to explore the new MASWE, MASTG tests and MASTG demos. Your insights and experiences are invaluable to us, and we invite you to share your feedback in our GitHub discussions to help us continue to improve. This way we can ensure that our resources are practical, reliable, and valuable for real-world application.

You can also contribute to the project by creating new weaknesses, tests, techniques, tools, or demos. We welcome all contributions and feedback, and we look forward to working with you to make the MAS project the best it can be.

OWASP MAScon is here!

For the very first time, the OWASP MAS team is organizing OWASP MAScon, a dedicated event built around the people, research, and practical work that drive mobile app security forward.

OWASP MAS has become a reference point for mobile app security through projects like MASVS, MASWE, and MASTG. Those resources shape how organizations assess mobile security, how testers run engagements, how developers build more securely, and how the industry talks about mobile risk. Now, for the first time, the team behind that work is bringing the community together for a focused conference experience, MAScon.

MAScon is being held within OWASP Global AppSec EU 2026 in Vienna, Austria, on June 25 to 26, 2026, a flagship event that also celebrates 25 years of OWASP. Training runs June 22 to 24, and tickets are already available through the official event registration page.

Organized by Carlos Holguera and Sven Schleier, OWASP MAS Leaders, MAScon is designed as a compact, high value program for practitioners who want substance, not fluff. The schedule brings together talks on offensive research, runtime internals, dynamic instrumentation, real world incidents, and the evolving tooling around mobile application testing.

The event opens with an introduction by the OWASP MAS team, with Carlos Holguera and Sven Schleier appearing as the organizers and opening speakers. From there, the program dives straight into technical depth:

  • Carlos Holguera and Stefan Bernhardsgrütter will present Let’s get frooky, Structured Mobile DAST with Frida, a session focused on the practical challenges of mobile penetration testing and how structured, Frida powered instrumentation can help assess hardened applications at runtime.

  • Sergi Alvarez (aka "pancake") will present Unveiling The Internals From Multiplatform Mobile Runtimes, taking attendees into the internals of frameworks such as Flutter, React, and Unity, and showing how low level reverse engineering techniques can recover code and data from release binaries.

  • Jan Seredynski will present Recent Mobile App Security Incidents from Real World Cases, walking through concrete incidents from real mobile applications and extracting practical lessons on what fails in production and which secure practices actually hold up.

  • Ole André Vadla Ravnås will present Meet the New Frida Frontend on the Block, introducing a new Frida frontend for macOS and iOS and exploring a more persistent, interactive, GUI driven workflow for live process analysis.

  • Jeroen Beckers will present Attacking ART, a talk centered on a lesser known technique targeting the Android Runtime through ODEX and VDEX manipulation, especially relevant when dealing with applications protected by strong resiliency controls.

The day concludes with a closing session by the OWASP MAS team, rounding out a memorable first edition.

What makes this launch especially exciting is that MAScon is not just another security event. It is a conference created by a community that has already had a real impact on the mobile ecosystem. The people involved are not just talking about mobile security, they are actively building the standards, methodologies, demos, and tooling that the industry uses.

That is why this first edition matters.

If you care about mobile app security, whether from the perspective of testing, research, engineering, product security, or standards, MAScon is the kind of event you want to watch closely. The first edition sets the tone, and it already looks like a strong one.

You can find more information here:

Guardsquare Achieves MAS Advocate Status

We are very happy to announce that Guardsquare has officially been granted the MAS Advocate status, the highest recognition possible within the OWASP Mobile Application Security (MAS) project.

This status isn't handed out lightly. It's reserved for organizations that have demonstrated consistent, high-impact contributions over a sustained period, dedicating not just technical resources but genuine commitment and passion to the OWASP MAS project, well beyond occasional contributions, as outlined in our official guidelines. The path to MAS Advocate demands at least six months of proven, impactful support and, in reality, often much longer, depending on the scope and depth of contributions.

Guardsquare's Commitment

Since their application on February 7, 2023, Guardsquare has increasingly met our expectations and exceeded them on many occasions. While the MAS Advocate process requires a minimum of six months of consistent engagement, their journey extended well beyond that, reflecting the depth, consistency, and impact of their contributions.

Some highlights about Guardsquare's involvement include:

  • Active participation in the MAS Task Force: Guardsquare has been a consistent presence in our monthly calls, bringing ideas, asking questions, and proactively pushing for core initiatives.
  • Consistent, high-value contributions: Including numerous pull requests, many focused on porting v1 to v2 tests, always with complete demos and documentation.
  • Peer reviews and thought leadership: Providing in-depth, actionable feedback on pull requests and issues, helping maintain the quality and integrity of the MASTG and the ambitious refactoring to v2.

Their involvement culminated in a major milestone during the OWASP Project Summit in November 2024. This five-day event brought together mobile security experts from around the globe. Among the ~40 pull requests created during the summit, the majority were contributed by Guardsquare's team: Dennis Titze, Jan Seredynski, Nuno Antunes, and Pascal Jungblut.

Why They Committed, and Why It Matters

We asked the Guardsquare team why they decided to commit to OWASP MAS. Here's what they said:

"We recognized that typical standards for application security are lacking the precision and nuance that is relevant to mobile application architectures. We felt the OWASP MAS project was headed in the right direction by providing much more specific and actionable guidance for mobile development teams on how to secure their applications." — Ryan Lloyd

A Win-Win Situation

Their contributions have not only benefited the OWASP MAS project and its community but have also had a direct impact on Guardsquare's own team and offerings:

"Our participation has raised awareness about mobile app security, something that's still too often an afterthought. Through a standards-based approach, we're helping to bring vital security topics to the forefront, which in turn drives more interest in our solutions." — Ryan Lloyd

Beyond the organizational benefits, participation in MAS has been a rewarding experience for the individual contributors:

"This project really expanded my perspective on security. I used to focus mainly on reverse engineering and resilience, but this effort pushed me into new areas, like the MASVS-STORAGE category, which deepened my understanding of how mobile apps handle sensitive data." — Jan Seredynski

"The project gave me the opportunity to connect with people from diverse backgrounds, sparking dynamic conversations about secure implementation practices. It's been very rewarding to see the standards evolve as a result of these collaborations." — Dennis Titze

A Model for Others to Follow

Guardsquare's journey is a blueprint for how companies can engage meaningfully with open security standards. Their commitment, ongoing into 2025 and beyond, sets a powerful example.

"The mobile app security landscape benefits enormously from diverse perspectives. By expanding the base of contribution, we can offer more depth and breadth in the resources we're providing to the community, and reach our goal of a complete MASVS/MASTG refactor more quickly." — Ryan Lloyd

We hope others follow their lead. Their story shows what's possible when a company commits time, talent, and heart to improving the state of mobile application security.

Ready to Join?

If your organization is passionate about mobile security and ready to make a real impact, consider joining the MAS Task Force. Whether you're contributing tests, reviewing PRs, or helping shape the next generation of standards, there's a place for you.

You can read more about the MAS Advocate status and our other contributors on our website.

Congratulations once again to Guardsquare, we're proud to have you onboard as a MAS Advocate!

Celebrating 3 Years of NowSecure as an OWASP MAS Advocate

Few partnerships have been as impactful as the one between NowSecure and the OWASP Mobile App Security (MAS) project. Today, as we celebrate three years of NowSecure as an OWASP MAS Advocate, we reflect on a journey marked by innovation, collaboration, and continuous improvement that has set the blueprint for future industry partnerships.

Being a MAS Advocate means making high-impact contributions. NowSecure has delivered consistently, offering dedicated time from key experts, especially project leader Carlos Holguera, and stepping in with additional support whenever needed.

GitHub tells a compelling story about NowSecure's involvement in the OWASP MAS project over the past three years:

  • 320+ Pull Requests
  • 230+ Reviews
  • 42,000+ Additions
  • 29,500+ Deletions

These numbers reflect more than just activity, they demonstrate leadership. NowSecure has significantly enhanced OWASP MAS resources by contributing valuable content, reviewing community submissions, and maintaining the overall clarity and quality of the project.

But there's more to it than just numbers. NowSecure has been a driving force behind the evolution of the OWASP MAS project, providing strategic insights, technical expertise, and a commitment to excellence that has shaped our direction and impact. Below, we look back on the key milestones and contributions over the past few years, a timeline that highlights the valuable role NowSecure has played in each step of the evolution of the MAS project.

Rebranding From MSTG to OWASP MAS

In August 2022, we announced a rebranding of the project, formerly known as the "OWASP Mobile Security Testing Guide (MSTG)" project. The new identity, OWASP Mobile App Security (MAS), better reflects the full scope of our project, from the MAS Verification Standard (MASVS) and MAS Testing Guide (MASTG) to checklists and crackmes and, since 2024, the Mobile App Security Weakness Enumeration (MASWE).

NowSecure provided strategic insight and industry perspective that helped clarify the project's scope and messaging. Their early feedback ensured that the new brand not only resonated with the community but also set a clear direction for future enhancements.

MASVS v2.0.0 Release

April 2023 saw the launch of MASVS v2.0.0, a major milestone that redefined mobile app security standards. This release introduced crucial improvements:

  • Abstraction & Simplification: Redundant controls were removed, making MASVS more approachable for developers.
  • Clarity Through Standardization: Leveraging and referencing well-established standards ensured that our controls were clear and actionable.
  • Introduction of MAS Testing Profiles: Transitioning from the previous "levels" to new "profiles" allowed for more tailored assessments in real-world scenarios.

NowSecure's technical expertise and continuous feedback during the development process were instrumental. Their real-world testing scenarios and rigorous review of the proposed changes helped shape a standard that truly meets the needs of modern mobile app security professionals.

MASTG Refactor Part 1: Testing Profiles & Atomic Tests

In July 2023, we announced the first phase of the MASTG refactor, including:

  • New MAS Testing Profiles: Replacing traditional verification levels with "profiles" backed-up by real-world scenarios. This change allows for more tailored assessments, making it easier to understand the context and applicability of each test.
  • Atomic Tests: Breaking down large tests into smaller, self-contained units has reduced ambiguity and improved traceability.

Throughout this process, NowSecure's in-depth technical reviews and pilot testing were invaluable. Their willingness to experiment with early versions of the refactored tests ensured that the new structure was both robust and practical for real-world application, ultimately enhancing the overall quality and consistency of the MASTG.

MASTG Refactor Part 2 - Modularizing the Framework

Later in September 2023, we announced the second phase of the MASTG refactor, focusing on a modular approach:

  • The guide was reorganized into distinct components—Tests, Techniques, Tools, and Apps—making it easier to locate and reference specific content.
  • This modularity enhances cross-referencing and maintainability of the overall framework.

NowSecure provided critical feedback on the modularization process and performed the implementation of the new structure. Their insights into how security professionals interact with the MASTG helped shape a more user-friendly and efficient resource.

Introducing MASVS-PRIVACY

October 2023 marked a significant expansion in our scope with the introduction of MASVS-PRIVACY, first as a proposal and then, after thorough community and industry review, as part of the MASVS v2.1.0 release in January 2024.

NowSecure's leadership in mobile security and privacy issues was a driving force behind this addition. Their proactive stance on privacy concerns and hands-on experience with data protection challenges contributed to shaping a robust baseline that addresses modern privacy demands.

MAS Task Force

In February 2024, we launched the MAS Task Force, a focused group of mobile security experts who meet monthly to drive the MAS project roadmap forward. Their efforts include managing GitHub issues, refining new MAS profiles and risks, assigning tasks, and developing vulnerable code snippets for both Android and iOS. Currently, the group is focused on porting V1 tests to V2 in preparation for MASTG V2.

NowSecure's continued support plays a key role in making this initiative possible. By enabling Carlos Holguera to dedicate time and expertise to lead the effort, the task force has maintained strong momentum. With a combination of technical depth and strategic direction, Carlos has helped the group prioritize effectively and push the MAS project forward with consistency and clarity.

New MAS Test Apps and Standardized Demos

In May 2024, we launched new MAS Test Apps for Android and iOS, designed to facilitate hands-on learning and testing. These apps include:

  • Skeleton Applications: Basic frameworks for Android and iOS, allowing users to explore and validate security scenarios.
  • Code Samples: Embedded within the apps, these samples demonstrate best (and worst) practices and common pitfalls in mobile app security.
  • Build Automation: Leveraging GitHub Actions, we automated the build and MASTG integration process for these demos, ensuring that they remain up-to-date and functional.

NowSecure's expertise in mobile app security testing was invaluable in the development of these test apps. Their insights into real-world vulnerabilities and hands-on experience with mobile security challenges helped shape the design and functionality of the apps, ensuring that they are both practical and effective for users.

Introducing the OWASP MASWE

July 2024 saw the introduction of the Mobile App Security Weakness Enumeration (MASWE):

  • MASWE bridges the gap between high-level MASVS controls and detailed MASTG tests.
  • It offers a granular view of specific weaknesses, enhancing traceability from requirements down to individual test cases.

NowSecure's comprehensive review and detailed feedback on early drafts of MASWE were critical. Their ability to pinpoint real-world vulnerabilities and suggest actionable improvements helped shape MASWE into a tool that complements both MASVS and MASTG, ensuring that our framework remains holistic and responsive to emerging threats.

OWASP Project Summit 2024

In November 2024, we hosted the OWASP Project Summit, where NowSecure led the mobile app security track. This five-day event brought together experts from various companies to discuss the future of mobile security, share insights, and collaborate on innovative solutions. During the summit, approximately 40 pull requests were created, and countless discussions were held.

NowSecure played a key role by reviewing the contributions and driving technical discussions, ensuring that the ideas generated were actionable and aligned with the project's goals. Under the leadership of Carlos Holguera, who helped organize and guide the track, NowSecure fostered an environment of collaboration and knowledge sharing—setting a high standard for future OWASP events.

Looking Ahead

As we celebrate this three-year partnership, we're excited about what lies ahead. These contributions aren't just milestones; they're building blocks for the future. Thanks to the incredible community support, ongoing advocacy, and passion of organizations like NowSecure, the next chapters of the MAS project promise even greater innovation and impact in the years to come.

We invite you to join us on this journey, share your insights, and contribute to shaping the future of mobile security.

Thank you, NowSecure, for being a beacon of excellence and a trusted partner in our mission to secure mobile applications worldwide.

Introducing the new Mobile App Security Weakness Enumeration (MASWE)

The OWASP MAS project continues to lead the way in mobile application security, providing robust and up-to-date resources for developers and security professionals alike. Our team has been working diligently with the MAS community and industry to refactor the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MASTG). In this blog post, we'll walk you through our latest addition to the MAS project: the brand new Mobile App Security Weakness Enumeration (MASWE).

Refactoring the MASTG

We began the refactoring process in 2021, focusing first on the MASVS and then on the MASTG. Our primary goal was to break the MASTG v1 into modular components, including tests, techniques, tools, and applications.

This modular approach allows us to maintain and update each component independently, ensuring that the MASTG remains current and relevant. For example, in our previous structure, the MASTG consisted of large test cases within a single Markdown file. This was not only difficult to maintain but also made it hard to reference specific tests, and it made per-test metadata impossible.

The new structure divides tests into individual pages (Markdown files with metadata), each with its own ID (MASTG-TEST-****) and links to relevant techniques (MASTG-TECH-****) and tools (MASTG-TOOL-****). This encapsulation ensures that each test is easily referenced and promotes reusability across all MAS components. For example, you can open a test and see what tools and techniques are being used, and soon you'll be able to do the same in reverse: open a tool or technique and see all the tests that use it. This deep cross-referencing can be extremely powerful when exploring the MASTG.

Introducing MASWE

A significant addition to our project is the introduction of MASWE, designed to fill the gap between high-level MASVS controls and low-level MASTG tests. The MASWE identifies specific weaknesses in mobile applications, similar to Common Weakness Enumerations (CWEs) in the broader software security industry. This new layer provides a detailed description of each weakness, bridging the conceptual gap and making the testing process more coherent.

Now MASVS, MASWE and MASTG are all seamlessly connected. We start with the high-level requirements, zoom in on the specific weaknesses, and then go low-level to the tests and hands-on with the demos. Here's how it works:

  1. MASVS Controls: High-level platform-agnostic requirements.

    For example, "The app employs current cryptography and uses it according to best practices." (MASVS-CRYPTO-1).

  2. MASWE Weaknesses: Specific weaknesses, typically also platform-agnostic, related to the controls.

    For example, "use of predictable pseudo-random number generation" (MASWE-0027).

  3. MASTG Tests: Each weakness is evaluated by executing tests that guide the tester in identifying and mitigating the issues using various tools and techniques on each mobile platform.

    For example, testing for "insecure random API usage on Android" (MASTG-TEST-0204).

  4. MASTG Demos: Practical demonstrations that include working code samples and test scripts to ensure reproducibility and reliability.

    For example, a sample using Java's Random() instead of SecureRandom() (MASTG-DEMO-0007).
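To make the chain above concrete, here is an added illustration (my own code, not MASTG-DEMO-0007 itself) of the weakness MASWE-0027 names and MASTG-TEST-0204 checks for: a token generator built on java.util.Random next to its SecureRandom replacement, written as plain Java so it compiles outside Android. The class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Weak and fixed PRNG usage side by side (illustration of MASWE-0027).
public class SessionTokenDemo {

    // WEAK: java.util.Random is a deterministic generator. Two instances created
    // with the same seed emit identical byte sequences, so any token derived from
    // it is only as unpredictable as the seed (here: the caller's choice).
    static String weakToken(long seed) {
        Random rng = new Random(seed);
        byte[] bytes = new byte[16];
        rng.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // FIXED: SecureRandom draws from the platform CSPRNG and takes no
    // caller-supplied seed, so consecutive tokens are independent.
    static String secureToken() {
        SecureRandom rng = new SecureRandom();
        byte[] bytes = new byte[16];
        rng.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        // A wall-clock seed is a common choice in the weak pattern; reuse of the
        // same seed reproduces the same token, which is the defect the test flags.
        long seed = System.currentTimeMillis();
        System.out.println("Random, same seed twice, tokens equal:  "
                + weakToken(seed).equals(weakToken(seed)));   // true
        System.out.println("SecureRandom, two calls, tokens equal:   "
                + secureToken().equals(secureToken()));       // false
    }
}
```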

Practical Applications and Demos

To ensure our guidelines are practical and reliable, we've developed new MAS Test Apps for both Android and iOS.

These simple, skeleton applications are designed to embed code samples directly, allowing users to validate and experiment with the provided demos. This approach ensures that all code samples are functional and up-to-date, fostering a hands-on learning experience.

For example, to test for secure storage, MASTG-DEMO-0002 shows how to use dynamic analysis with Frida to identify the issues in the code. The demo includes:

  • a Kotlin code sample (ready to be copied into the app and run on a device)
  • the specific test steps for this case using Frida
  • the shell script including the Frida command
  • the Frida script to be injected
  • the output with explanations
  • the final evaluation of the test

You can run everything on your own device and validate the results yourself! Just clone the repository and navigate to the demo folder, install Frida on your computer and your Android device, and follow the steps.

🧪 These demos can also be used as experimental playgrounds to improve your skills and practice with different cases as you study mobile app security with the MASTG. For example, you can try to reverse engineer the app and see if you're able to find the same issues as the demo or you can try to fix the issues and see if you can validate the fix.

They are also great for advanced researchers and pentesters to quickly validate certain scenarios. For example, it's very common to find cases where Android behaves differently depending on the version or the manufacturer. With these demos, you can quickly validate if a certain issue is present on a specific device or Android version.

Automation with GitHub Actions

Going forward, we want to automate the process of creating and validating the new demos, and ensure that the tests remain functional over time. We'll be using GitHub Actions to do this. Here is the plan:

  1. Build the app: Automatically build the APK/IPA for Android and iOS.
  2. Deploy the app to a virtual device: install and run the generated app on a virtual device.
  3. Execute tests and validate results: Execute static tests with tools like semgrep or radare2 as well as dynamic tests using Frida and mitmproxy on the target device. Finally, compare the test results with the expected output.

We've currently implemented a PoC for the first step (only for Android APKs), and are working on the next steps. If you're interested in contributing to this effort, please let us know!

Feedback Wanted

We encourage you to explore the new MASWE, MASTG tests and MASTG demos. Your insights and experiences are invaluable to us, and we invite you to share your feedback in our GitHub discussions to help us continue to improve. This way we can ensure that our resources are practical, reliable, and valuable for real-world application.

You can also contribute to the project by creating new weaknesses, tests, techniques, tools, or demos. We welcome all contributions and feedback, and we look forward to working with you to make the MAS project the best it can be.

Go to our GitHub repo and check our [milestones](https://github.com/OWASP/mastg/milestones) and [GitHub discussions](https://github.com/OWASP/mastg/discussions/categories/maswe-mastg-v2-beta-Feedback).

New Standard for Secure Mobile App Transactions

The Cyber Security Agency of Singapore (CSA) launched the "Safe App Standard" on January 10, 2024. Tailored for local app developers and service providers, this guideline is based on the OWASP Mobile Application Security Verification Standard (MASVS) and focuses on critical areas such as authentication and authorization (MASVS-AUTH), data storage (MASVS-STORAGE), and tamper resistance (MASVS-RESILIENCE). The initiative aims to protect apps from common cyber threats and ensure a safer digital space for users.

While the Safe App Standard is a significant step forward in securing mobile applications, developers are encouraged to consider the full MASVS and select the appropriate MAS profiles for comprehensive protection. This holistic approach to app security ensures that apps go beyond meeting the baseline and are protected against a wider range of cyber threats, providing robust security for end users.

MASVS-PRIVACY

Mobile applications frequently access sensitive user data to deliver their core functionalities. This data includes personally identifiable information (PII), health metrics, location data and device identifiers. Mobile devices are a constant companion to users, always connected, and equipped with numerous sensors—including cameras, microphones, GPS and BLE—that generate data capable of inferring user behavior and even identifying individuals. The landscape is further complicated by advanced tracking techniques, the integration of third-party SDKs, and a heightened awareness of privacy issues among users and regulators. As a response, there's a growing trend towards on-device processing to keep user data localized and more secure.

MASTG Refactor Part 2 - Techniques, Tools & Reference Apps

We are thrilled to announce the second phase of the MASTG (Mobile Application Security Testing Guide) refactor. These changes aim to enhance the usability and accessibility of the MASTG.

The primary focus of this new refactor is the reorganization of the MASTG content into different components, each housed in its own dedicated section/folder and each now existing as an individual page on our website (Markdown files with metadata/frontmatter in GitHub):