Penetration Test | Jan Kahmen | 8 min read

The OWASP Mobile Security Testing Guide

What is OWASP?

The acronym OWASP stands for Open Web Application Security Project and is best known for its OWASP Testing Guide. This OWASP Testing Guide provides you with a guide on how to use processes, techniques and tools for mobile app security testing. As a testing and security guide, the OWASP Testing Guide presents you with proven measures. By using these, you will increase the security of your sensitive enterprise data.

What is Mobile Security?

Since the OWASP Testing Guide deals with mobile security, the question "What is mobile security anyway?" arises. It is a variety of procedures that help ensure that your applications are secure. This security isn't just important within your organization: it's also important on your mobile devices, which you use to access sensitive information on the go. Methods such as penetration testing follow the guidelines suggested by the OWASP Testing Guide. The following items are always tested:

  • Inappropriate data storage, communications, and platform usage.
  • Insecure authentication, authorization, and communication.
  • Possibility of manipulation within the source code.
  • Reverse engineering.
  • Inadequate cryptography as well as data storage.

You can run such tests on all devices and for a wide variety of apps: from native apps to mobile web apps to hybrid solutions, everything is possible.

How Mobile Security Works

Mobile security is a key issue once your organization supports the use of apps. Mobile app pentests - and experience - show that smartphones and tablets in particular are often inadequately secured, creating a major security risk. If an attack occurs, it can result in financial losses and a damaged reputation. To avoid this, the OWASP Testing Guide provides you with a central guideline. With this, you offer potential attackers as little attack surface as possible. Basically, mobile security doesn't have to be complicated. It is based on technical solutions that protect your mobile systems from the outset. The OWASP Testing Guide offers you such approaches, as well as the necessary understanding of which tests are important at which point in time. One way to increase your mobile security is through container apps, for example. They ensure that the corporate data on your mobile device is secured, rather than securing the device itself. This approach not only makes your IT department's job easier, but it's a stand-alone solution that brings numerous benefits.

The Vision of the OWASP Mobile Security Testing Guide

The OWASP Testing Guide aims to define an industry standard for mobile application security. Therefore, the OWASP Testing Guide is a comprehensive testing guide. It takes into account processes and techniques as well as the necessary tools. Using a high number of test cases, it is possible to deliver consistent and complete results within the proven security standards.

This is what the OWASP Mobile Security Testing Guide Covers

The OWASP Testing Guide contains various topics related to security testing and mobile security. For example, the guide covers mobile app security testing, as well as advanced aspects such as reverse engineering. This makes it a valuable source of information for developers of mobile applications for the iOS and Android operating systems. The following content is provided in the OWASP Testing Guide regarding these topics:

  • Internal expertise on mobile platforms.
  • Important security testing for mobile apps considering their development lifecycle.
  • Basic dynamic and static security testing.
  • Manipulation and reverse engineering of mobile apps.
  • Software protection assessments.
  • In addition, the OWASP Testing Guide provides detailed test cases as required by the MASVS.

The OWASP Testing Guide is an important guideline that you can use to increase the security of your mobile apps. It supports numerous developers in their daily work, among them software architects who want to develop a secure application, as well as security testers who want to ensure that their test results are complete and consistent.

Due to the large audience the OWASP Testing Guide is aimed at, it is available in different languages. You can get the OWASP Testing Guide not only in German, but also in English, French, Russian, Spanish and Chinese, for example.

Furthermore, the OWASP Testing Guide provides you with a comprehensive checklist based on the MASVS and the MSTG. Additionally, MSTG test cases are included to help you achieve better security testing.

Comment on the Mobile Security Testing Guide on GitHub

The OWASP Testing Guide is available online as a GitBook. This means you can find the guide on GitHub, where you can comment on the available advice and contribute your own suggestions. Although the guide is primarily aimed at iOS and Android app developers, you can also influence it as a non-programmer and thus contribute to better OWASP security.

This is how the OWASP Mobile Security Verification Standard is composed

In order for you to know what steps to take, the first step is to define your app's protection needs. For this, three levels come into consideration regarding your web security. These serve as an extension and enhance your overall approach:

  • R: Resistance to reverse engineering and tampering (for protection against modification of the app).
  • L2: Defense-in-Depth (for example, a two-factor authorization).
  • L1: Standard security (for example, network traffic).

Using these levels, the OWASP Testing Guide defines the security requirements and provides you with basic guidelines.

Prerequisites for using Mobile App Security

If you would like to use the OWASP Testing Guide for your web security, you will need the associated checklist. You can use this to check the MASVS requirements. Another advantage is that you can connect the OWASP Security with the MSTG test case. This will simplify your mobile penetration testing.

It is important, however, that you pursue targeted training in mobile security. Such security training is offered by the Mobile Security Testing Guide, which provides you with standalone learning resources. This way, you will familiarize yourself with the fundamentals, but also learn about advanced reverse engineering techniques.

These Versions of the OWASP Testing Guide are Available

You can get the OWASP Testing Guide in different versions. Currently, you can find the following releases on GitHub:

  • Release 1.2 with an update regarding MASVS and MSTG.
  • Release 1.3 for Android Q and iOS 13.
  • Release 1.4 as a major release.

Who is the OWASP Mobile Security Testing Guide for?

If you care about web security, the OWASP Testing Guide is an aid in your endeavor, because it gives you the essential tools you need to securely process sensitive data in your apps. Whether you develop these apps yourself or use existing software is irrelevant. The only important thing is to understand that mobile security is a topic that you should never neglect.
