# OWASP/mastg

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/owasp-mastg).**

12,973 stars · 2,751 forks · Python · CC-BY-SA-4.0

## Links

- GitHub: https://github.com/OWASP/mastg
- Homepage: http://mas.owasp.org/
- awesome-repositories: https://awesome-repositories.com/repository/owasp-mastg.md

## Topics

`android` `android-application` `compliancy-checklist` `dynamic-analysis` `hacking` `ios` `ios-app` `mast` `mastg` `mobile-app` `mobile-security` `mstg` `network-analysis` `pentesting` `reverse-engineering` `reverse-enginnering` `runtime-analysis` `static-analysis` `testing-cryptography`

## Description

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for assessing the security of mobile apps. It provides a structured collection of test cases, techniques and tool guidance for verifying the controls defined in the OWASP Mobile Application Security Verification Standard (MASVS), so that vulnerabilities and design flaws can be found before an app ships.

The guide combines reverse engineering techniques with standardized test procedures to evaluate both application logic and the compiled binary. It covers Android and iOS, and organizes its tests around the threats relevant to each platform, so an assessment follows realistic attack paths and maps back to an established industry standard rather than an ad-hoc checklist.

The covered techniques include static analysis of source code and binaries (manifest and entitlement review, decompilation, string and symbol inspection), dynamic analysis and runtime instrumentation of the running app (hooking, tracing, memory inspection), interception of network traffic, and testing in controlled rooted or jailbroken environments. Together these allow systematic investigation of an app's architecture and verification of its security controls against consistent evaluation criteria.
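As an added illustration of the static-analysis side of the guide, the following Python script performs a few manifest-level checks of the kind MASTG describes for Android apps: a debuggable build, app data left eligible for backup, and components exported without a protecting permission. This is example code written for this page, not MASTG's own tooling; the two manifests are constructed for the example and do not belong to any real app, and the check names (`debuggable`, `allowBackup`, `exported-unprotected`) are labels chosen here, not MASTG test identifiers.

```python
"""Added example (not MASTG project code): manifest-level static checks.

Reads an AndroidManifest.xml (already decoded, e.g. by apktool) and reports
findings of the kind MASTG's Android platform tests look for:
  - android:debuggable="true" on <application>
  - android:allowBackup not explicitly disabled
  - exported components with no android:permission
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest with several weaknesses (not a real app).
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>
"""

# Constructed hardened counterpart: same components, weaknesses fixed.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="false" android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute in the android: namespace; returns None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(component):
    """The MAIN/LAUNCHER activity must be exported; it is not a finding."""
    for f in component.findall("intent-filter"):
        actions = {attr(a, "name") for a in f.findall("action")}
        categories = {attr(c, "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def analyze_manifest(xml_text):
    """Return a list of (check, detail) tuples; an empty list means no findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return [("malformed", "no <application> element")]
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("debuggable", 'android:debuggable="true" on <application>'))
    if attr(app, "allowBackup") != "false":
        findings.append(("allowBackup", 'android:allowBackup is not set to "false"'))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            exported = attr(comp, "exported")
            # On targetSdk < 31 a component with an intent-filter is exported
            # by default when android:exported is omitted; treat that as exported.
            implicit = exported is None and comp.find("intent-filter") is not None
            if (exported == "true" or implicit) and attr(comp, "permission") is None:
                if tag in ("activity", "activity-alias") and is_launcher(comp):
                    continue
                findings.append(("exported-unprotected",
                                 "<%s> %s is exported without android:permission"
                                 % (tag, attr(comp, "name"))))
    return findings


if __name__ == "__main__":
    for check, detail in analyze_manifest(WEAK_MANIFEST):
        print("%-20s %s" % (check, detail))
```

Run it against a real app by extracting the manifest with `apktool d app.apk` and passing the decoded `AndroidManifest.xml` text to `analyze_manifest`. The checks are deliberately conservative: an exported component guarded by a permission is not flagged, and the launcher activity is skipped, so that every reported item is something a tester would actually have to look into.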

## Tags

### Security & Cryptography

- [Security Testing Methodologies](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing/security-testing-methodologies.md) — Serves as the primary comprehensive framework for verifying mobile application security through standardized testing and assessment techniques.
- [Mobile Security Tools](https://awesome-repositories.com/f/security-cryptography/security/utilities/security-tools/infrastructure-security-utilities/mobile-security-tools.md) — Provides a comprehensive framework for evaluating mobile software vulnerabilities through standardized testing and reverse engineering.
- [iOS Security Auditing](https://awesome-repositories.com/f/security-cryptography/vulnerability-assessment-testing/security-testing-auditing/ios-security-auditing.md) — Provides security review methodologies for iOS applications to detect vulnerabilities and ensure data protection.
- [Vulnerability Research](https://awesome-repositories.com/f/security-cryptography/security/offensive-operations/vulnerability-research-analysis/vulnerability-research.md) — Investigates mobile application architectures to discover and document security weaknesses using professional research methodologies.
- [Verification Procedures](https://awesome-repositories.com/f/security-cryptography/security/utilities/security-tools/infrastructure-security-utilities/mobile-security-tools/verification-procedures.md) — Provides technical procedures to verify mobile security controls against standardized requirements before production deployment. ([source](https://mas.owasp.org/MASTG/))
- [Threat Modeling](https://awesome-repositories.com/f/security-cryptography/threat-modeling.md) — Structures security assessments around identified attack vectors and adversary paths to ensure comprehensive coverage.
- [Sandbox and Isolation](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/sandbox-and-isolation.md) — Utilizes isolated runtime environments to safely execute and observe mobile application behavior during security testing.
- [Security Requirement Frameworks](https://awesome-repositories.com/f/security-cryptography/application-security-standards/compliance-mapping-tools/security-requirement-frameworks.md) — Defines standardized security requirements and evaluation criteria for consistent mobile application assessment.

### DevOps & Infrastructure

- [Security Assessment Frameworks](https://awesome-repositories.com/f/devops-infrastructure/security-automation-workflows/security-assessment-frameworks.md) — Provides a structured collection of technical requirements and testing methodologies for identifying security flaws in mobile software.

### Mobile Development

- [Security Assessment Methodologies](https://awesome-repositories.com/f/mobile-development/mobile-infrastructure-security/mobile-security-tools/android-security-tools/security-assessment-methodologies.md) — Provides structured methodologies for analyzing Android applications to identify security risks and verify compliance.
- [Reverse Engineering Guides](https://awesome-repositories.com/f/mobile-development/mobile-infrastructure-security/mobile-reverse-engineering-tools/reverse-engineering-guides.md) — Provides technical guidance on analyzing mobile application binaries to uncover security vulnerabilities and logic flaws.

### Operating Systems & Systems Programming

- [Reverse Engineering Tools](https://awesome-repositories.com/f/operating-systems-systems-programming/binary-analysis-capabilities/reverse-engineering-tools.md) — Provides techniques for decompiling and disassembling mobile binaries to reconstruct logic and identify hidden vulnerabilities.

### System Administration & Monitoring

- [Dynamic Binary Instrumentation](https://awesome-repositories.com/f/system-administration-monitoring/logging-and-telemetry/dynamic-binary-instrumentation.md) — Provides methodologies for hooking into running mobile application processes to intercept function calls and modify memory state for security assessment.

### Testing & Quality Assurance

- [Static Analysis](https://awesome-repositories.com/f/testing-quality-assurance/code-quality-review/static-analysis.md) — Includes procedures for analyzing mobile source code and binary structures to identify security flaws without runtime execution.
