OWASP Releases MASTG v2.0 — NowSecure Contributed 320+ Pull Requests to Make It Happen
Posted by Carlos Holguera
MASTG v2.0 gives CISOs, auditors and regulators a measurable, evidence-based answer to mobile app risk.
The OWASP Foundation today released the Mobile Application Security Testing Guide (MASTG) v2.0, marking a fundamental shift in how mobile security is defined and executed. This milestone release concludes a three-year, community-driven effort to transform the Mobile Application Security Testing Guide (MASTG) from a reference document into a machine-readable knowledge graph.
By providing a structured, traceable framework of atomic tests, demos and remediation guidance, MASTG v2.0 enables security and development teams to automate compliance, scale mobile application security testing across enterprise pipelines and eliminate ambiguity in mobile app security standards.
TL;DR
The OWASP MASTG is the first stable, non-beta release of the fully refactored mobile app security testing framework, now a machine-readable knowledge graph of 860+ atomic tests, demos, techniques and remediation guidance. NowSecure contributed 320+ pull requests and led the three-year effort as OWASP MAS project co-chair. Organizations can use MASTG v2 today to automate compliance, benchmark vendor capabilities and produce audit-ready evidence for auditors, regulators and boards. This is the definitive standard for determining if a mobile app is secure.

NowSecure has been at the center of this transformation from day one. Carlos Holguera, a NowSecure distinguished research engineer and OWASP MAS project co-chair, has led the refactor from design through delivery since 2021. Across three years and three major releases, NowSecure has contributed 320+ pull requests, 230+ reviews and 42,000+ additions to the Mobile Application Security Verification Standard (MASVS), MASTG and Mobile Application Security Weakness Enumeration (MASWE).
This release closes the loop on what we started in 2021. Here is what changed, what it means for organizations building mobile AppSec programs and what NowSecure contributed to make it happen.
From a Testing Guide to a Knowledge Graph
The original MASTG was designed as a comprehensive reference document. A chapter on biometric authentication, certificate pinning or anti-debugging detection could run hundreds of lines, mixing background context, static analysis steps, dynamic analysis steps and bypass strategies into a single continuous narrative. For security professionals reading and interpreting the guide, this worked well. For teams building automated pipelines, compliance trackers or tool integrations, it presented a hard limit: you cannot automate what you cannot precisely define.
You cannot automate what you cannot precisely define.
MASTG v2.0 replaces that narrative structure with a knowledge graph of individually addressable, cross-linked components. Every component has a stable ID, structured metadata and explicit relationships to other components. Learn more about how MASVS, MASTG and MASWE work together in practice.
The component types are:

The result is a traceability chain the industry has needed for years:
MASVS control → MASWE weakness → MASTG test → MASTG demo

Every test points to a MASWE entry, which maps to a MASVS control. Every test’s type field (static, dynamic, code, manual, hooks) tells an automation system what kind of tooling it requires. Every MASTG-DEMO provides a reference output that an automated pipeline can validate against. The chain is machine-readable end to end.
Why This Matters for Security Leaders
The structural change in MASTG v2 has direct operational consequences.
Security Testers
Security testers now work from atomic tests with three fixed sections: what to do (Steps), what to look for (Observation), and when the test fails (Evaluation). A single v1 chapter on anti-debugging became two atomic v2 tests: one that looks for debugging API references in the binary, and one that verifies at runtime using Frida, each with its own unambiguous Evaluation condition. There is no interpretation required; there is no “use the analysis method of your choice.”
Compliance and Risk Teams
Compliance and risk professionals can now trace from a regulatory or policy requirement through a MASVS control, to the specific weakness it addresses (MASWE), to the test that evaluates it, to the technique and tool used. This full traceability makes MASTG v2 directly usable for frameworks including GDPR, HIPAA, PCI DSS and the Singapore CSA Safe App Standard.
Developers
Developers get best practices links in every failing test pointing to the MASTG-BEST entry that describes how to implement the control correctly, not just how to find that it’s missing.
CISOs & Executives
For CISOs, boards, auditors and regulators, MASVS and MASTG v2 provide the clearest available answer to “how do you know your mobile apps are secure?” The framework’s full traceability from regulatory requirement to MASVS control to atomic test gives organizations documented, standards-based evidence that mobile app risk has been properly managed.
It also sets the only objective basis for comparing mobile application security testing vendors. MASVS control coverage is measurable and gaps are visible. As agentic testing tools enter the market, MASVS compliance will become the differentiator that separates comprehensive mobile DevSecOps programs from automated surface scans.
MASTG v2.0 in Numbers
This release added 271 new MASTG components in a single wave:

OWASP MAScon: Vienna, June 25–26
MASTG v2.0 launched the same week as the first OWASP MAScon, a dedicated mobile app security conference at OWASP Global AppSec EU 2026 in Vienna, Austria. Along with Carlos Holguera (OWASP MAS project co-chair), NowSecure’s Sergi Alvarez (pancake, creator of radare2) and Ole André Vadla Ravnås (creator of Frida) are among the featured speakers, as two of the engineers whose tools power the MASTG v2 technical infrastructure.
The timing is intentional: this release and this event together mark the completion of a transformation that the community has been building since 2021. OWASP also happens to be celebrating its 25th anniversary this year.
Operationalizing MASTG v2 with NowSecure
The structured, machine-readable design of MASTG v2 was built with automation in mind from the start. NowSecure has integrated the MASVS and MASTG v2 standards into the NowSecure Platform. The automated mobile application security testing software enables security teams to:
- Conduct continuous assessments aligned to MASVS Testing Profiles (L1, L2, R)
- Map findings directly to MASTG tests and MASWE weaknesses
- Produce audit-ready reports traceable to MASVS controls
- Scale testing across internal, third-party and public mobile applications
- Shift left with CI/CD integration and API-first automation
The OWASP MAS framework defines what mobile security testing should look like. NowSecure makes it operational at enterprise scale. Refer to this infographic to learn how organizations can put OWASP MAS into practice.
Frequently Asked OWASP MASTG Questions
What is OWASP MASTG v2.0?
OWASP MASTG v2.0 is the first stable release of the refactored Mobile Application Security Testing Guide, now a machine-readable knowledge graph of 860+ atomic tests, demos, techniques and remediation guidance mapped to MASVS controls and MASWE weaknesses. An Essential Guide to OWASP provides a comprehensive overview.
How is MASTG v2 different from v1?
V1 was a narrative reference document. V2 replaces it with individually addressable, cross-linked components, each with a stable ID, structured metadata and explicit pass/fail conditions, enabling automation, CI/CD integration and full compliance traceability.
How does MASVS help with regulatory compliance?
MASTG v2’s full traceability chain (MASVS control → MASWE weakness → atomic test → demo) maps directly to GDPR, HIPAA, PCI DSS and other frameworks, producing audit-ready evidence that mobile app risk has been properly managed.
Can MASVS be used to compare mobile security testing vendors?
Yes. MASVS control coverage is measurable and objective, making it the most reliable basis for vendor evaluation. This matters especially as agentic testing tools enter the market, where MASVS compliance will distinguish comprehensive mobile application security testing from automated surface scanning.
How does NowSecure support MASTG v2?
The NowSecure Platform maps findings directly to MASTG tests and MASWE weaknesses, produces audit-ready reports traceable to MASVS controls, and supports CI/CD integration for continuous automated mobile security assessment at enterprise scale. Request a demo to see it in action.