If the OWASP Mobile Top 10 tells you which risks to care about and MASVS tells you which controls to meet, the MASTG is the manual that tells you how to test for them. The Mobile Application Security Testing Guide is OWASP's comprehensive reference for testing mobile app security, with concrete test cases and techniques for iOS and Android. You do not need to read it cover to cover, but it is the authoritative source behind serious mobile security testing, and it is the companion to the MASVS standard. Here is what the MASTG is, how it relates to MASVS and the Top 10, and how it is used.
Short answer
The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for testing the security of mobile apps, providing detailed test cases and techniques for iOS and Android. Per OWASP, it is the companion to the Mobile Application Security Verification Standard (MASVS): MASVS defines the security requirements an app should meet, the "what," and the MASTG describes how to verify them, the "how," through static analysis, dynamic analysis, and reverse engineering. It sits alongside the OWASP Mobile Top 10, which is the high-level awareness list. Together, the Top 10 frames the risks, MASVS sets the controls, and the MASTG provides the testing methodology, which is what security assessments and scans draw on.
What you should know
- MASTG is a testing guide: how to test mobile app security, with concrete cases.
- It is the companion to MASVS: MASVS is the standard, MASTG the testing manual.
- It covers iOS and Android: platform-specific test cases and techniques.
- It spans static and dynamic analysis, plus reverse engineering of the app.
- It underlies assessments and scans: the methodology serious testing draws on.
What is the MASTG?
It is OWASP's authoritative, detailed guide to testing mobile application security. Where a standard says what an app should do, the MASTG explains how to check whether it does, providing test cases, procedures, and techniques for verifying security controls on iOS and Android. It covers the full range of mobile security testing: static analysis of the app and its binary, dynamic analysis of the running app, reverse engineering, and platform-specific concerns for each operating system. It is a living document maintained by OWASP, and it was previously known as the MSTG. For practitioners, the MASTG is the reference manual behind a thorough mobile security assessment, the place that describes how to actually test for the weaknesses that matter. You do not have to read it end to end, but it is the source of truth for mobile security testing methodology.
How does the MASTG relate to MASVS and the Top 10?
They are three OWASP resources at different levels. The table maps them.
| Resource | Role |
|---|---|
| Mobile Top 10 | High-level awareness list of the most critical risks |
| MASVS | The standard: security requirements an app should meet |
| MASTG | The testing guide: how to verify those requirements |
| MAS Checklist | Maps MASVS controls to MASTG tests for assessments |
The relationship is a progression from awareness to verification. The Mobile Top 10 names the risk categories so you know what to prioritize. MASVS turns those into specific, verifiable security requirements across storage, cryptography, network, platform, and resilience. The MASTG then provides the test cases and techniques to verify each requirement, with the MAS Checklist tying controls to tests. So you use the Top 10 to orient, MASVS to define the bar, and the MASTG to actually test against it. A security assessment or a scan that reports in MASVS terms is applying MASTG-style testing to check the controls.
How is the MASTG used?
As the methodology behind mobile security testing, by people and by tools. A security tester uses the MASTG as the reference for how to assess an app: which checks to perform for each MASVS control, how to do static and dynamic analysis, and what techniques apply on iOS versus Android. You do not need to memorize it; it is a manual you consult for the right way to test a given control. Automated tools draw on the same methodology, applying MASTG-style static checks against MASVS requirements at scale, which is how a pre-submission scan can assess a build quickly. For a developer, the practical value is knowing that mobile security has an authoritative testing standard behind it, so an assessment or scan is grounded in a recognized methodology rather than ad-hoc opinion. You aim your app at MASVS, and the MASTG is how that is verified.
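To make "MASTG-style static checks reported in MASVS terms" concrete, here is a small added example (not code from OWASP, the MASTG, or any scanner): it parses a constructed AndroidManifest.xml, flags a few weak settings beside a corrected version of the same manifest, and labels each finding with a MASVS category. The category each check is filed under is an illustrative assumption made here, not the official MASTG test-to-control mapping, and the package and component names are made up.

```python
"""MASTG-style static checks on an AndroidManifest.xml, reported in MASVS terms.
Added example, not OWASP code; the MASVS category each check maps to is an
illustrative assumption, not the official MASTG/MASVS mapping."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Constructed sample manifest (not a real app) carrying several weak settings.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".ShareActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>"""

# The same manifest with the weak settings corrected (also constructed).
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="false" android:usesCleartextTraffic="false">
    <activity android:name=".ShareActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>"""

def attr(elem, name):
    return elem.get(ANDROID + name)

def check_manifest(xml_text):
    """Return (MASVS category, check id, detail) tuples for each failed check."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("MASVS-RESILIENCE", "debuggable", "android:debuggable is true"))
    if attr(app, "allowBackup") != "false":  # platform default is true, so absence counts
        findings.append(("MASVS-STORAGE", "backup-enabled", "android:allowBackup not false"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("MASVS-NETWORK", "cleartext", "android:usesCleartextTraffic is true"))
    # Exported IPC components are reachable by any app unless guarded by a permission
    # (a launcher activity is the legitimate exception a manual tester reviews).
    for comp in app:
        if comp.tag in ("activity", "service", "receiver", "provider") \
                and attr(comp, "exported") == "true" and not attr(comp, "permission"):
            findings.append(("MASVS-PLATFORM", "exported-unguarded",
                             f"{comp.tag} {attr(comp, 'name')} exported without permission"))
    return findings
```

The weak manifest yields five findings spread over four MASVS categories; the hardened one yields none, which is the per-category shape a scan report in MASVS terms summarises.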
What to watch out for
The first trap is confusing the three resources: the Top 10 is awareness, MASVS is the standard, and the MASTG is the testing guide, so they complement rather than replace each other. The second is treating the MASTG as something to read cover to cover, when it is a reference to consult for how to test a control. The third is assuming an automated scan covers everything in the MASTG, when manual testing adds depth a tool cannot. A pre-submission scan such as PTKD.com (https://ptkd.com) applies MASTG-style static analysis against OWASP MASVS on your compiled build, which is the efficient automated layer, complemented by manual MASTG-based testing for depth. The methodology is OWASP's; the application is the scan and the assessment.
What to take away
- The OWASP MASTG is the comprehensive guide to testing mobile app security, with test cases and techniques for iOS and Android.
- It is the companion to MASVS: MASVS defines the requirements (the what), and the MASTG describes how to verify them (the how), alongside the Mobile Top 10 awareness list.
- It covers static and dynamic analysis and reverse engineering, and underlies both manual assessments and automated scans.
- A pre-submission scan such as PTKD.com applies MASTG-style static checks against MASVS on your build, complemented by manual testing for depth.