whatisgithub

What is mastg?

owasp/mastg — explained in plain English

Analysis updated 2026-06-24

12,884PythonAudience · ops devopsComplexity · 3/5Setup · easy

In one sentence

The OWASP Mobile Application Security Testing Guide is a free, comprehensive reference manual for testing the security of Android and iOS apps, covering step-by-step procedures and reverse engineering techniques.

Mindmap

mindmap
  root((OWASP MASTG))
    Platforms
      Android
      iOS
    Test Areas
      Data storage
      Authentication
      Network security
    Methods
      Dynamic analysis
      Reverse engineering
      Checklist audits
    Companion Docs
      MASVS controls
      MASWE weaknesses
      Crackme exercises
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Conduct a security audit of an Android or iOS app using the step-by-step testing procedures in the guide.

USE CASE 2

Check whether an app meets the OWASP MASVS security controls before submitting it for certification.

USE CASE 3

Practice mobile reverse engineering skills using the MASTG crackme exercises.

USE CASE 4

Download the audit checklist to track which security requirements have been verified during a client engagement.

What is it built with?

Python

How does it compare?

owasp/mastgs0md3v/photonshishirpatil/gorilla
Stars12,88412,87512,861
LanguagePythonPythonPython
Setup difficultyeasyeasyhard
Complexity3/52/54/5
Audienceops devopsops devopsresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min
Free to use and share under a Creative Commons license, contributions from the security community are welcome.

So what is it?

The OWASP Mobile Application Security Testing Guide, commonly called MASTG, is a free reference manual for testing the security of mobile apps on Android and iOS. It is produced by OWASP, a nonprofit foundation focused on software security, and is considered one of the most widely recognized resources in the mobile security field. The guide works alongside two companion documents. The first is the OWASP Mobile Application Verification Standard (MASVS), which defines the security controls a mobile app should meet. The second is the OWASP Mobile Security Weakness Enumeration (MASWE), which catalogs specific types of security weaknesses. MASTG provides the step-by-step testing procedures that show how to check for each weakness listed in MASWE. Practitioners use this guide to verify that a mobile app handles sensitive data, authentication, network communication, and device storage correctly. It covers both dynamic analysis (testing the app while it runs) and reverse engineering techniques that help examine how an app is built without access to the original source code. The project publishes downloadable checklists alongside the guide itself, making it possible to track which security requirements have been verified during an audit. It also offers a set of practice exercises called crackmes for people who want to improve their hands-on testing skills. Platform providers, government agencies, and universities have adopted the MASVS and MASTG as formal references. The project is licensed under Creative Commons and accepts contributions from the broader security community.

Copy-paste prompts

Prompt 1
Using the OWASP MASTG, give me the checklist of tests I should run to verify that an Android app stores sensitive data securely.
Prompt 2
What does the OWASP MASTG say about testing network communication security in iOS apps? List the key checks.
Prompt 3
I'm setting up a mobile security review process for my team. Which MASTG sections should I prioritize for a fintech app?
Prompt 4
Walk me through the MASTG approach for dynamically analyzing an Android app to find authentication bypass vulnerabilities.
Prompt 5
How do I use the MASTG crackme exercises to practice Android reverse engineering from scratch?

Frequently asked questions

What is mastg?

The OWASP Mobile Application Security Testing Guide is a free, comprehensive reference manual for testing the security of Android and iOS apps, covering step-by-step procedures and reverse engineering techniques.

What language is mastg written in?

Mainly Python. The stack also includes Python.

What license does mastg use?

Free to use and share under a Creative Commons license, contributions from the security community are welcome.

How hard is mastg to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is mastg for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.