

Enhancing Mobile Security Testing: An Analysis of MASVS and MASTG in Android and iOS Environments with Automated Testing Insights

ERDIM, ESRA
2024/2025

Abstract

Mobile applications are central to modern digital life, enabling critical services such as communication, healthcare, banking, and commerce. Their widespread adoption, however, has also made them lucrative targets for malicious actors, with vulnerabilities ranging from insecure data storage and weak authentication to reverse engineering and insecure communication channels. To address these threats, the Mobile Application Security Verification Standard (MASVS) and the Mobile Application Security Testing Guide (MASTG), developed by OWASP, provide structured frameworks for secure development and systematic testing of mobile applications.

Despite their value, applying MASVS and MASTG in practice remains challenging. Manual testing is resource-intensive, error-prone, and difficult to scale, while full automation is hindered by the architectural and ecosystem differences between Android and iOS. Android’s open-source model supports extensive automation but suffers from fragmentation and malware risks, whereas iOS enforces stricter controls that improve baseline security but restrict automation due to code signing, sandboxing, and closed-source binaries.

This thesis investigates these challenges and proposes the Mobile Atomic Tools (MAT) framework, a modular, scalable solution for automated mobile security testing. MAT employs an MQTT/RabbitMQ-based command-and-control layer, Python-based device communication helpers (ADB, SSH, Frida), and platform-specific atomic test modules to operationalize MASVS and MASTG requirements. A remote macOS worker design was introduced to accommodate iOS-specific constraints while preserving unified workflows. The system is containerized with Docker, orchestrated via Kubernetes, and integrated with a Java backend and Vue.js frontend to support both on-demand and CI/CD-triggered testing.

The evaluation demonstrates that MAT satisfies key requirements for modularity, scalability, and resilience, enabling automated testing pipelines for Android and partially automated workflows for iOS. Limitations remain in areas such as iOS provisioning, device coverage, interoperability of results, and formal MASVS traceability. Nevertheless, the framework offers a robust foundation for continuous and automated mobile application security testing.

By bridging the gap between theoretical standards and practical implementation, this research contributes a blueprint for applying MASVS and MASTG in automated settings. It highlights the potential of automation to enhance security testing efficiency and coverage, while also underscoring the unique barriers posed by different mobile ecosystems. Future work includes strengthening iOS automation, extending device coverage, formalizing compliance reporting, and enhancing observability and control-plane security.
2024
Keywords: MASTG, iOS, Android, MASVS, automation
File: Esra_Erdim.pdf (open access, 1.2 MB, Adobe PDF)

The text of this website © Università degli studi di Padova. Full Text are published under a non-exclusive license. Metadata are under a CC0 License

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12608/98450