The OWASP Mobile Security Testing Guide (MSTG) is a comprehensive manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for static and dynamic security tests, and to help ensure completeness and consistency of the tests.
OWASP thanks the many authors, reviewers, and editors for their hard work in developing this guide. If you have any comments or suggestions on the Mobile Security Testing Guide, please join the discussion around MASVS and MSTG in the OWASP Mobile Security Project Slack Channel https://owasp.slack.com/messages/project-mobile_omtg/details/. You can sign up here:
Copyright © 2017 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make clear to others the license terms of this work.
Note: This table is generated based on the contribution log, which can be found under https://github.com/OWASP/owasp-mstg/graphs/contributors. For more details, see the GitHub Repository README under https://github.com/OWASP/owasp-mstg/blob/master/README.md. Note that this isn't updated in real time (yet) - we do this manually every few weeks, so don't panic if you're not listed immediately.
Bernhard is a cyber security specialist with a talent in hacking all kinds of systems. During more than a decade in the industry, he has published many zero-day exploits for software such as MS SQL Server, Adobe Flash Player, IBM Director, Cisco VOIP and ModSecurity. If you can name it, he has probably broken it at least once. His pioneering work in mobile security was commended with a BlackHat "Best Research" Pwnie Award.
Sven is an experienced penetration tester and security architect who specialized in implementing secure SDLC for web application, iOS and Android apps. He is a project leader for the OWASP Mobile Security Testing Guide and the creator of OWASP Mobile Hacking Playground. Sven also supports the community with free hands-on workshops on web and mobile app security testing. He has published several security advisories and a white papers about HSTS.
Co-authors have consistently contributed quality content, and have at least 2,000 additions logged in the GitHub repository.
Romuald is a passionate cyber security & privacy professional with over 15 years of experience in the Web, Mobile, IoT and Cloud domains. During his career, he has been dedicating spare time to a variery of projects with the goal of advancing the sectors of software and security. He is also teaching at various institutions. He holds CISSP, CSSLP and CEH credentials.
Jeroen is a full-stack developer specialized in IT security at Xebia with a passion for mobile and risk management. He loves to explain things: starting as a teacher teaching PHP to bachelor students and then move along explaining security, risk management and programming issues to anyone willing to listen and learn.
Top contributors have consistently contributed quality content with at least 500 additions logged in the GitHub repository.
- Francesco Stillavato
- Pawel Rzepa
- Andreas Happe
- Henry Hoggard
- Wen Bin Kong
- Abdessamad Temmar
- Alexander Anthuk
- Slawomir Kosowski
- Bolot Kerimbaev
Contributors have made a quality contribution with at least 50 additions logged in the GitHub repository.
Jin Kung Ong, Gerhard Wagner, Andreas Happe, Michael Helwig, Denis Pilipchuk, Ryan Teoh, Dharshin De Silva, Anita Diamond, Daniel Ramirez Martin, Claudio André, Enrico Verzegnassi, Prathan Phongthiproek, Tom Welch, Luander Ribeiro, Oguzhan Topgul, Carlos Holguera, David Fern, Pishu Mahtani and Anuruddha.
Reviewers have consistently provided useful feedback through GitHub issues and pull request comments.
- Anant Shrivastava
- Sjoerd Langkemper
Many other contributors have committed small amounts of content, such as a single word or sentence (less than 50 additions). The full list of contributors is available on GitHub:
https://github.com/OWASP/owasp-mstg/graphs/contributors
The Mobile Security Testing Guide was initiated by Milan Singh Thakur in 2015. The original document was hosted on Google Drive. Guide development was moved to GitHub in October 2016.
OWASP MSTG "Beta 2" (Google Doc)
| Authors | Reviewers | Top Contributors |
|---|---|---|
| Milan Singh Thakur, Abhinav Sejpal, Blessen Thomas, Dennis Titze, Davide Cioccia, Pragati Singh, Mohammad Hamed Dadpour, David Fern, Mirza Ali, Rahil Parikh, Anant Shrivastava, Stephen Corbiaux, Ryan Dewhurst, Anto Joseph, Bao Lee, Shiv Patel, Nutan Kumar Panda, Julian Schütte, Stephanie Vanroelen, Bernard Wagner, Gerhard Wagner, Javier Dominguez | Andrew Muller, Jonathan Carter, Stephanie Vanroelen, Milan Singh Thakur | Jim Manico, Paco Hope, Pragati Singh, Yair Amit, Amin Lalji, OWASP Mobile Team |
OWASP MSTG "Beta 1" (Google Doc)
| Authors | Reviewers | Top Contributors |
|---|---|---|
| Milan Singh Thakur, Abhinav Sejpal, Pragati Singh, Mohammad Hamed Dadpour, David Fern, Mirza Ali, Rahil Parikh | Andrew Muller, Jonathan Carter | Jim Manico, Paco Hope, Yair Amit, Amin Lalji, OWASP Mobile Team |