OWASP MASTG
Mobile App Security Testing Guide on one operating record

OWASP MASTG: the testing manual, not the verification standard

The OWASP Mobile Application Security Testing Guide (MASTG) is the open OWASP manual that documents how to test a mobile application for security weaknesses. Where the OWASP MASVS defines what a verified-secure mobile application looks like, control by control, MASTG covers the test procedures themselves. The current stable reference (MASTG v1.7.0) is organised around the MASVS control groups and provides several hundred individual mobile tests, each with a stable MASTG-TEST identifier, an objective, platform-specific how-to steps for iOS and Android, and notes on tooling. Procurement frameworks, regulator guidance, and mobile pentest reporting conventions cite MASTG by name when the question is which tests were run on the mobile tier of a product.

MASTG matters to several audiences for different reasons. AppSec and product security teams shipping mobile features use MASTG as the in-house testing reference and the bar their internal verification reads against. Vulnerability management teams use the MASTG chapter map to assess coverage gaps between automated mobile scanners and manual testing. GRC and compliance teams cite MASTG evidence to support audit reads under ISO 27001 Annex A.8.8, SOC 2 CC7.1, PCI DSS Requirement 6 and 11, PCI MPoC, PSD2 SCA, and GDPR Article 32. Penetration testing firms cite MASTG as the mobile technique reference inside an engagement methodology declared as PTES or NIST SP 800-115. Security buyers read MASTG citations on proposals and reports to compare depth across providers on the mobile tier. The page below walks the chapter map, the MASTG-TEST structure, the profile model, and how MASTG sits next to MASVS, the OWASP Mobile Top 10, the API Security Top 10, WSTG, and the regulator-side reads on the mobile evidence.

The MASTG chapter map: STORAGE, CRYPTO, AUTH, NETWORK, PLATFORM, CODE, RESILIENCE, PRIVACY

MASTG is organised around the MASVS control groups, with each chapter walking the tests that exercise the controls in that group. The chapter map below is a working summary; the canonical text and the individual MASTG-TEST steps live on the OWASP MAS project page. The chapters are the unit a coverage statement reads against, and the per-test identifiers are the unit a finding cites.

The chapter set is broad on purpose, so the chapters in scope on a particular engagement are a deliberate decision rather than an assumed default. For the practical engagement shape MASTG is exercised inside, see the mobile application penetration testing checklist and the penetration testing use case.

The MASTG-TEST identifier: stable citations for engineering and audit

Every MASTG test has a stable identifier in the form MASTG-TEST-NNNN, an objective (what the test verifies on the application), platform-specific steps for iOS and Android, the tooling notes, and a remediation pointer. The identifier is the unit a finding maps to: a finding for credentials stored in unprotected SharedPreferences cites the relevant Android-side MASTG-TEST in the STORAGE chapter; a finding for missing certificate pinning cites the relevant test in the NETWORK chapter; a finding for an exported activity accepting cross-application intents cites the relevant Android-side test in the PLATFORM chapter; a finding for debugger attach succeeding against a release build cites the relevant test in the RESILIENCE chapter when MASVS-R is in scope.

On a MASTG-aligned engagement, every finding cites the MASTG-TEST identifier that produced the evidence, the MASVS control the test verifies, the OWASP Mobile Top 10 risk category for the buyer narrative, the CWE identifier where applicable, and the CVSS 3.1 vector for severity. The citation pattern means the same finding can be read by a developer fixing the underlying weakness, by an auditor reviewing testing evidence for ISO 27001 Annex A.8.8, SOC 2 CC7.1, or PCI DSS Requirement 6 and 11, and by a procurement reviewer comparing reports across providers. The pattern is also what makes retest evidence durable across mobile builds: a retest that re-runs the same MASTG-TEST against the same asset can be paired back to the original finding without reinterpreting the test that produced it.

For the broader engagement scaffolding (scope, rules of engagement, authorisation, retest mechanics) that supports a MASTG-cited engagement, see the pentest rules of engagement template and the pentest scoping calculator. The retesting use case covers how retest evidence carries the original MASTG-TEST citation forward without re-opening the test design.

MASTG profiles: static, dynamic, network and backend, and resilience

MASTG groups its tests into profile-style execution paths. A single engagement rarely runs every profile against every asset; the profile selection is a deliberate scope decision named in the rules of engagement. The profiles below are the practical execution shape most MASTG-aligned engagements declare; the resilience profile only applies when MASVS-R is in scope.

Mature engagements record the profiles in scope on the engagement record, declare the profiles explicitly in the report, and produce per-profile coverage statements rather than rolling everything up into a single mobile assessment claim. For an analytical read on how scope choices ripple through report depth and effective day rate, see the pentest pricing models research.

How MASTG sits next to MASVS, the Mobile Top 10, WSTG, the API Security Top 10, and scanners

MASTG is rarely cited alone. The working pattern is MASTG for the mobile technique (how the mobile test was performed), MASVS for the mobile requirement (what was verified), the OWASP Mobile Top 10 for the mobile risk taxonomy, the OWASP API Security Top 10 plus WSTG-APIT for the backend tier, and CVSS for the severity. A finding written this way names the MASTG-TEST identifier, the MASVS control, the Mobile Top 10 risk category, the CWE identifier, and the CVSS 3.1 vector. The same finding then reads cleanly against ISO 27001 Annex A.8.8, SOC 2 CC7.1, PCI DSS 6.3.2 and 11.4, PCI MPoC, PSD2 SCA, and the platform-specific compliance reads.

Buyers comparing two mobile engagement proposals should look at how each cites MASTG: a chapter-by-chapter coverage statement with named MASTG-TEST references is a meaningful signal; a generic MASTG mention without test references is not. For a broader treatment of how to compare mobile pentest proposals on depth, scope, retest, and reporting depth rather than headline price, see the pentest scope creep research.

Reporting expectations for a MASTG-aligned mobile engagement

A MASTG-aligned engagement report is a structured record, not a wrap-up document. The report is the artefact the buyer pays for, the assessor reviews, and the auditor cites, so its structure and the density of MASTG-TEST citations determine whether the engagement was actually comparable to other MASTG-aligned mobile work.

For a longer treatment of how to structure the report end to end, see how to write a pentest report and the matching penetration testing report template. The retest mechanics that hold up under a MASTG citation are covered in the retesting use case and the how to retest vulnerabilities guide.

Recurring failure modes MASTG-aligned engagements hit

Engagements that struggle with MASTG typically hit a small set of recurring failure modes. Naming the failure modes upfront lets the engagement design controls to avoid them rather than discovering them during the report review or the buyer-side comparison.

How auditors and regulators read a MASTG citation

MASTG is not itself a regulator-issued standard; it is the open mobile testing methodology that regulator-issued standards, certification schemes, and procurement frameworks accept as the technical reference for mobile application testing. The list below maps MASTG citations to the regulator-side and audit-side references that read against them; the same engagement record satisfies several reads at once when the citations are dense enough.

For the broader audit evidence story (how the same finding can satisfy multiple reads without rebuilding the bundle per audit), see the vulnerability evidence reuse across audits research and the audit evidence half-life research.

How MASTG reads across mobile-shipping security functions

MASTG is a cross-functional reference. The same mobile engagement record reads differently depending on the function that holds the work. Programmes that run mobile verification as an engineering exercise alone lose the audit depth the framework supports; programmes that run it as a procurement exercise alone lose the engineering depth. The named functions below own different parts of the same artefact set.

Running MASTG-aligned mobile engagements on SecPortal

SecPortal is the operating record for a MASTG-aligned mobile engagement. The engagement captures the MASVS level claim, the MASTG profiles in scope, the platforms and device matrix, the testing window, and the retest scope. The findings record carries each mobile finding with the MASTG-TEST citation, the MASVS control, the OWASP Mobile Top 10 risk category, the CWE identifier, the CVSS 3.1 vector, and the evidence the test produced. The backend the mobile application calls is tested through authenticated and external scanning against the same engagement so the device-side and backend-side evidence read together. Code scanning against the mobile source repository contributes SAST and SCA evidence on the same record. Document management holds the externally produced artefacts the platform does not generate inline (decompilation output, runtime hook output, platform-specific compliance forms). The platform alignment below maps each verified SecPortal capability to the MASTG profile or evidence type it supports so the engagement is held on one operating record rather than reconstructed at report time.

• Engagement management captures the MASVS level claim (L1, L2, MASVS-R), the MASTG profiles in scope (static, dynamic, network and backend, resilience), the platforms in scope (iOS, Android, or both), the target build inventory (release, staging, internal), the OS versions in scope, the device matrix, the rules of engagement, and the testing window as a structured record so the methodology citation is the workflow rather than a contract attachment
• Findings management stores each mobile finding with a CVSS 3.1 vector, severity, evidence, owner, the MASVS control identifier, the MASTG-TEST identifier, the OWASP Mobile Top 10 category, and the CWE identifier where applicable, so the per-finding citation set is one record rather than a spreadsheet alongside the report
• A library of over 300 finding templates accelerates evidence density on common MASTG-TEST citations (insecure storage in shared preferences and UserDefaults, weak transport layer security, missing certificate pinning, world-readable files, hardcoded API keys, exported components without authorisation, deep links that drive privileged behaviour, WebViews with JavaScript enabled and addJavascriptInterface, weak cryptography primitives) so writeup time goes into the test that found the result rather than the boilerplate around it
• Authenticated scanning (17 modules) runs DAST against the backend the mobile application calls, against the same engagement record, with credentials stored encrypted at rest under AES-256-GCM (cookie, bearer, basic, or form-login) so MASTG-NETWORK and MASTG-AUTH backend evidence is reproducible across retest cycles
• External scanning produces MASTG-NETWORK evidence on the backend perimeter (TLS configuration, HTTP security headers, exposed services, certificate handling, weak cipher suites) on a schedule, attached to the same engagement so transport and configuration claims on the backend are not re-tested manually for every report
• Code scanning via Semgrep against connected GitHub, GitLab, and Bitbucket repositories contributes SAST evidence on MASTG-CODE patterns (hardcoded secrets, insecure cryptographic primitives, debug flags, dangerous WebView configurations, weak SSL trust managers) and pairs the source-side evidence with the binary-side and runtime-side evidence on the same engagement record
• Document management captures the artefacts a mobile engagement produces but does not generate inline (the decompiled binary, the proxy log session, the device screenshots, the runtime hook output, the SCA report on third-party libraries, the platform-specific compliance forms) so the evidence chain ties every MASTG-TEST citation to a retrievable artefact rather than a stale attachment
• AI report generation composes the executive summary, technical body, and remediation roadmap from the live engagement, findings, and MASTG coverage statement, citing the MASTG-TEST identifiers and MASVS controls exercised rather than starting from a blank template
• Retesting workflows pair each retest scan and each retest finding back to the original finding identifier and the original MASTG-TEST identifier, so the verified-fixed claim on a mobile build is auditable rather than asserted
• Compliance tracking maps one MASTG-aligned engagement to ISO 27001 Annex A.8.8 and A.8.25, SOC 2 CC7.1, PCI DSS Requirement 6 and Requirement 11, the MASVS verification claim, the OWASP Mobile Top 10 category coverage, and the PCI MPoC or PSD2 SCA application-side evidence without rebuilding the bundle for each audit

Honest scope: what SecPortal does not ship for mobile

The MASTG verification work runs across multiple specialist tools the SecPortal product does not replicate inline. The honest scope below names the boundaries so the engagement record reads against the verified product surface and the externally produced artefacts attach through document management rather than implying the platform performs analysis it does not perform.

• No native iOS or Android binary static-analysis module ships with SecPortal; static-analysis evidence from MobSF, AndroBugs, QARK, or equivalent is attached to the engagement through document management rather than produced by the platform itself
• No mobile dynamic-instrumentation engine ships with SecPortal; runtime evidence from Frida, Objection, Drozer, Needle, or equivalent is attached to the engagement through document management
• No iOS or Android emulator orchestration is built into SecPortal; the engagement record references the device matrix and the build flavours rather than orchestrating the test runners directly
• No mobile certificate-pinning bypass automation, no IDA, Ghidra, or Hopper integration, and no App Store or Play Store ingestion are part of the SecPortal product surface; these tools and stores remain external to the operating record
• No packaged Jira, ServiceNow, Slack, SIEM, SOAR, Okta, or Entra connectors are shipped with the SecPortal product; the operating record holds the mobile engagement work and exports the evidence on demand rather than syncing into a downstream ticketing or identity surface through a packaged integration

Related reading on SecPortal

• OWASP MASVS verification standard is the requirement set MASTG verifies test by test; the two compose on every mobile engagement.
• OWASP WSTG is the web equivalent of MASTG; engagements covering both web and mobile cite the two guides separately and explicitly.
• OWASP API Security Top 10 is the backend risk taxonomy the MASTG network profile reads against when the backend the mobile application calls is in scope.
• OWASP ASVS is the web verification standard that pairs with WSTG; MASVS is the mobile analogue that pairs with MASTG.
• NIST SP 800-115 and PTES are the engagement methodology references mobile engagements declare alongside MASTG as the mobile technique reference.
• NIST SSDF (SP 800-218) practices PW.7 and PW.8 expect a documented testing methodology for the products a software producer ships; MASTG is the mobile-side reference programmes cite to satisfy the expectation.
• Mobile application penetration testing checklist is the practitioner-side checklist that walks a MASVS plus MASTG engagement end to end.
• API security testing checklist covers the backend testing the MASTG network profile reads against.
• Penetration testing use case covers the engagement workflow MASTG sits inside.
• Pentest project management covers the scope, MASVS level claim, MASTG profile selection, finding intake, retest, and deliverable workflow MASTG engagements run through.
• Retesting use case covers the retest mechanics that pair each retest back to the original MASTG-TEST citation.
• SecPortal for application security teams, SecPortal for product security teams, and SecPortal for mobile security consultancies anchor the audience-specific views of the MASTG engagement record.