OWASP MASVS

    OWASP MASVS: Mobile Security Testing Checklist (2026)

    An OWASP MASVS mobile security testing checklist covering the eight control groups, combining static build analysis with dynamic testing on an owned device.

    An OWASP MASVS mobile security testing checklist is a structured way to verify an app against the eight MASVS control groups, using the companion MASTG for the actual test cases and combining static analysis of the build with dynamic testing on a device you own. The MASVS says what secure means across storage, cryptography, authentication, network, platform, code, resilience, and privacy; the MASTG gives you the concrete checks to prove each one. For an auditor, the two areas that come up most are data storage, where you confirm no sensitive data sits in insecure locations, and cryptography, where you confirm strong algorithms and safe key handling. Run the checks on your own build and device, map findings back to the control groups, and remediate by severity.

    Short answer

    A MASVS testing checklist verifies your app against the eight control groups using the MASTG's test cases. Per the OWASP MASVS, the groups are MASVS-STORAGE, MASVS-CRYPTO, MASVS-AUTH, MASVS-NETWORK, MASVS-PLATFORM, MASVS-CODE, MASVS-RESILIENCE, and MASVS-PRIVACY. Per the OWASP MASTG, you test each with static analysis of the build and dynamic analysis at runtime on a device you own. For data storage, confirm no sensitive data is in shared preferences, files, databases, or logs in plaintext. For cryptography, confirm strong, standard algorithms and that keys are not weak or hardcoded. Map every finding to a control group and fix by severity.

    What a MASVS testing checklist is

    A MASVS testing checklist is the audit form for mobile security: a list of the controls an app should meet, grouped by area, that you check off by testing. The MASVS defines the requirements across eight control groups covering data storage, cryptography, authentication, network, platform interaction, code quality, resilience, and privacy, so the checklist has a place for every category of mobile risk. It is the standard against which you judge whether an app is secure, giving structure to an audit rather than testing at random.

    The checklist is paired with a testing guide, because knowing the requirement is not the same as verifying it. The MASTG, the testing companion to the MASVS, provides the concrete test cases and techniques for each control, so where the MASVS says sensitive data must not be stored insecurely, the MASTG tells you how to look. So a real MASVS checklist is two things working together: the control groups that define what to check, and the test cases that tell you how to check them. An audit works through the groups, applying the tests, and records a pass or fail with evidence for each.

    Setting up the test environment

    MASVS testing needs a controlled environment where you can both inspect the build and run the app under observation, on hardware you own. The two halves are static analysis, examining the app package itself by decompiling it and reviewing its code, resources, and manifest, and dynamic analysis, running the app on a device or emulator and watching its behavior, files, and network traffic. A defense-in-depth or resilience assessment also needs a rooted or jailbroken test device so you can attempt bypasses, which requires full control of the device.

    Set it up responsibly. Use a device or virtual instance you own, keep it isolated from personal accounts and production systems, and only test applications you are authorized to test. Common tooling includes a mobile security framework such as MobSF for automated static and basic dynamic analysis, and instrumentation like Frida and Objection for runtime inspection and testing resilience controls. The environment is the same controlled setup used for any responsible assessment: your own app, your own device, isolated, with the tools to look at both the static package and the running behavior.

    Data storage checks

    Data storage is one of the most examined groups, and the rule is simple: no sensitive data should be stored insecurely, so your check is to look everywhere the app writes and confirm nothing sensitive sits in plaintext. Examine the app's private storage, its shared preferences, its databases, any files it creates, its logs, and the clipboard and any external storage it touches, looking for credentials, tokens, personal data, or keys stored in the clear. Do this both statically, by reviewing how the code writes data, and dynamically, by inspecting the actual files the app produces at runtime.

    The checks that most often find problems are logs and preferences. Sensitive values written to logs are a frequent finding, since debug logging tends to leak tokens and personal data, and shared preferences or plaintext files holding credentials are common in apps that skipped secure storage. Confirm that sensitive data is either not stored on the device or is protected using the platform's secure mechanisms, with keys in hardware-backed storage. Also check that the app is not backed up in a way that exposes sensitive data. A clean storage result means an inspection of every place the app writes turns up nothing sensitive in the clear.

    Cryptography checks

    Cryptography is the other group auditors focus on, and the checks cover both the algorithms used and how keys are handled. On algorithms, confirm the app uses strong, current, standard cryptography and avoids weak or broken choices: no ECB mode, no outdated ciphers like DES or RC4, no MD5 or SHA-1 for security purposes, and authenticated encryption such as AES-GCM where confidentiality and integrity are needed. You find these by reviewing the cryptographic calls in the decompiled code and flagging any weak algorithm or mode.

    On keys, confirm they are managed safely: not hardcoded in the app, generated with a secure random source, and, for sensitive keys, stored in hardware-backed key storage rather than in software. A hardcoded key or an insecure random source undermines otherwise-strong cryptography, so these are as important as the algorithm choice. Check that the app does not roll its own cryptography where a standard primitive exists, since custom crypto is a common source of weakness. A clean cryptography result means strong standard algorithms used correctly, with keys that are neither weak, hardcoded, nor exposed.

    Testing the other control groups

    The remaining groups round out the checklist, each with its own focus. For authentication, confirm identity and authorization are enforced on the server rather than trusted from the client, and that sessions and tokens are handled securely. For network, intercept the app's traffic on your own test device to confirm strong transport security and, where used, certificate pinning, and that no sensitive data travels in cleartext. For platform, review the manifest and code for over-broad permissions, unsafely exported components, insecure inter-app communication, and any web components that mishandle input.

    For code, check that inputs are validated, dependencies are current and free of known vulnerabilities, and unsafe patterns are absent. For resilience, on a rooted device, attempt to bypass the app's anti-tampering and root detection to see whether they hold, remembering these are defense-in-depth rather than a boundary. For privacy, confirm the app collects only the data it needs, discloses it accurately, and honors consent. Each group is tested the same way in principle: apply the MASTG checks, record a result with evidence, and note what needs fixing.

    Static versus dynamic testing

    A thorough MASVS audit uses static and dynamic testing together, because each finds what the other misses. Static analysis, examining the decompiled app, is where you find hardcoded secrets, weak cryptographic calls, over-broad permissions in the manifest, and insecure code patterns, since these are visible in the package without running it. It is fast and broad, and it is what an automated scanner does well, giving you a wide first pass over the build.

    Dynamic analysis, running the app and observing it, is where you find how the app actually behaves: what it writes to storage at runtime, what its network traffic looks like, how it handles a manipulated request, and whether its resilience controls can be bypassed. Some findings only appear at runtime, so dynamic testing catches what static review cannot infer. The two are complementary, and a real audit combines them: static analysis to survey the build quickly and dynamic analysis to confirm behavior and probe the controls that only reveal themselves when the app is running.

    MASVS testing at a glance

    Mapping each control group to what and how you test focuses the audit. The table below summarizes it.

    Control groupWhat to testHow
    MASVS-STORAGENo sensitive data in insecure storageInspect files, preferences, logs, static and dynamic
    MASVS-CRYPTOStrong algorithms, safe key handlingReview crypto calls; no weak modes or hardcoded keys
    MASVS-AUTHServer-enforced authentication and authorizationTest the API and session handling
    MASVS-NETWORKSecure transport, no cleartextIntercept traffic on a device you own
    MASVS-PLATFORMPermissions, IPC, and web componentsReview the manifest and exported components
    MASVS-RESILIENCEAnti-tampering as defense in depthAttempt bypasses on a rooted device

    Read the table as the audit spine: the storage and cryptography rows are where audits spend the most time and find the most.

    Audit checklist

    Working through these steps runs a MASVS audit end to end. The checklist below covers them.

    StepActionDone?
    Set up the environmentOwn device, rooted for resilience, plus tooling[ ]
    Run static analysisDecompile and review storage, crypto, and manifest[ ]
    Run dynamic analysisObserve runtime storage, traffic, and behavior[ ]
    Check data storageNo sensitive data in the clear anywhere it writes[ ]
    Check cryptographyStrong algorithms, keys not weak or hardcoded[ ]
    Map and remediateTie findings to control groups, fix by severity[ ]

    The step that structures the whole audit is mapping findings to control groups, because it turns a list of issues into a clear picture of which MASVS areas pass and which need work.

    Automate part of the audit

    Because static analysis is broad and repeatable, automating it gives your audit a fast, consistent first pass over the build before the manual dynamic testing, and it is the part most easily standardized across apps.

    A scanner like PTKD.com analyzes your build and reports issues such as insecure data storage, weak cryptography, leaked keys, over-broad permissions, and weak binary protections by severity, mapped to OWASP MASVS control groups, covering much of the storage, cryptography, platform, and resilience static checks automatically. To be clear about the boundary: PTKD covers what is analyzable from the build and does not replace the dynamic and manual MASTG tests, such as intercepting live traffic or verifying server-side authorization. It gives you the static, MASVS-mapped portion of the checklist quickly so your manual effort goes to the runtime and server checks.

    What to take away

    • A MASVS testing checklist verifies an app against the eight control groups, using the MASTG for the concrete test cases and combining static and dynamic analysis.
    • Test on your own build and device, kept isolated, with a rooted device for the resilience checks, and only test apps you are authorized to test.
    • For data storage, confirm no sensitive data sits in preferences, files, databases, or logs in the clear, and that keys use hardware-backed storage.
    • For cryptography, confirm strong, standard algorithms with no weak modes, and keys that are not hardcoded, weak, or generated with an insecure random source.
    • Map every finding to a control group, remediate by severity, and automate the static portion with a MASVS-mapped scanner like PTKD.com.
    • #owasp masvs
    • #mastg
    • #security testing
    • #mobile audit
    • #data storage

    Frequently asked questions

    What is an OWASP MASVS testing checklist?
    It is the audit form for mobile security: a list of the controls an app should meet, grouped into the eight MASVS control groups covering storage, cryptography, authentication, network, platform, code, resilience, and privacy, that you verify by testing. It is paired with the MASTG, which provides the concrete test cases and techniques for each control. So a real checklist is two things: the control groups that define what to check, and the test cases that tell you how to check them.
    What environment do I need for MASVS testing?
    A controlled setup where you can both inspect the build and run the app under observation, on hardware you own. Static analysis decompiles the package to review code, resources, and manifest; dynamic analysis runs the app to watch files, traffic, and behavior; and resilience testing needs a rooted or jailbroken device to attempt bypasses. Keep it isolated from personal accounts and production, only test apps you are authorized to test, and use tools like MobSF, Frida, and Objection.
    What are the MASVS data storage rules to test?
    That no sensitive data is stored insecurely. Inspect the app's private storage, shared preferences, databases, files, logs, clipboard, and external storage for credentials, tokens, personal data, or keys in plaintext, both statically by reviewing how the code writes data and dynamically by examining the files it produces at runtime. Logs and preferences are the most common findings. Confirm sensitive data is either not stored or protected with platform secure storage and hardware-backed keys.
    What cryptography checks does MASVS require?
    Both the algorithms and the key handling. Confirm strong, current, standard cryptography with no ECB mode, no outdated ciphers like DES or RC4, no MD5 or SHA-1 for security, and authenticated encryption such as AES-GCM where needed, found by reviewing the crypto calls in decompiled code. Confirm keys are not hardcoded, are generated with a secure random source, and for sensitive keys use hardware-backed storage, and that the app does not roll its own cryptography where a standard primitive exists.
    Do I need both static and dynamic testing?
    Yes, because each finds what the other misses. Static analysis of the decompiled app finds hardcoded secrets, weak crypto calls, over-broad permissions, and insecure patterns visible without running it, giving a fast broad first pass. Dynamic analysis of the running app finds runtime behavior: what it writes to storage, its network traffic, how it handles manipulated requests, and whether resilience controls can be bypassed. A real audit combines them, static to survey and dynamic to confirm behavior.
    Can I automate a MASVS audit?
    The static portion, yes, which gives a fast consistent first pass before manual dynamic testing. A scanner like PTKD.com (https://ptkd.com) analyzes your build and reports insecure data storage, weak cryptography, leaked keys, over-broad permissions, and weak binary protections by severity, mapped to OWASP MASVS control groups, covering much of the static checks. It does not replace dynamic and manual MASTG tests like intercepting live traffic or verifying server-side authorization, so your manual effort goes to those.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free