Skip to content

OWASP MAScon Vienna Recap - First Edition

In June 2026 we hosted the very first MAScon as part of OWASP Global AppSec EU 2026 at the Austria Center Vienna. It was a milestone year for OWASP, celebrating its 25th anniversary, and a milestone week for the Mobile Application Security (MAS) project hosting its very own conference.

A Full Room, From Start to Finish

MAScon brought together mobile security researchers, penetration testers, developers and AppSec leaders for a full day dedicated to mobile application security. The room stayed packed throughout the event, with great engagement during the sessions, Q&A and the hallway discussions that kept going long after the talks ended.


Photo Credit: Adriana Castro

The program covered offensive research, runtime internals, dynamic instrumentation and real-world mobile security incidents:

  • Let's get frooky: Structured Mobile DAST with Frida by Carlos Holguera & Stefan Bernhardsgrütter A session on the practical challenges of mobile penetration testing and how structured, Frida-powered instrumentation can help assess hardened applications at runtime.
  • Unveiling the Internals from Multiplatform Mobile Runtimes by Sergi Alvarez ("pancake") A deep dive into the internals of the main multiplatform frameworks (Flutter, React Native, Unity) — covering their languages, ecosystems and toolchains, and how to recover code and data from binaries using radare2 plugins.
  • Recent Mobile App Security Incidents from Real-World Cases by Jan Seredynski A walk-through of concrete incidents from banking, food delivery and e-commerce apps, breaking down how the breaches happened and which security practices hold up (or fail) in modern mobile apps.
  • Meet the New Frida Frontend on the Block by Ole André Vadla RavnÃ¥s The creator of Frida presents the new Frida frontend, the next evolution of the dynamic instrumentation tooling the mobile security community relies on.
  • Attacking ART by Jeroen Beckers A lesser-known technique targeting the Android Runtime (ART) through ODEX and VDEX manipulation — advanced instrumentation particularly relevant for resiliency assessments and apps protected by strong resiliency controls.

The OWASP MAS team (Carlos Holguera and Sven Schleier) held the opening and closing session for the first edition.


Photo Credit: Adriana Castro

What made the day special was seeing the community built around the MASVS, MASTG and MASWE come together in person. The people who build the standards, methodologies and tools used across the industry and practitioners using it in their daily work.

A big thank you to all speakers, attendees, volunteers, the OWASP events team (Starr Brown, Stacey Ebbs and Lauren Thomas) and our sponsors for making the first MAScon a success.

Read the recap from our MAS Advocate NowSecure here.

Next Stop: Berlin 🇩🇪

The momentum continues! The next MAScon will take place on October 7–9, 2026 at CityCube Berlin, as part of next.app devcon, alongside droidcon, fluttercon and other mobile developer conferences — a great opportunity to bring mobile security directly to thousands of mobile developers and engineering leads.


Photo Credit: Adriana Castro

The Call for Speakers is open: If you have practical mobile security content to share, whether it's secure coding, testing techniques, reverse engineering or applying the OWASP MAS standards, we'd love to hear from you.

👉 Submit your talk or get your ticket

See you in Berlin!