Open-source tooling can scan a mobile app for security flaws at zero licence cost, but it cannot tell you which of those flaws are real. That gap is the single most important thing to understand before building a mobile security testing process around MobSF, QARK and the rest of the OWASP Mobile Application Security Testing Guide (MASTG) toolchain. These tools perform static and dynamic analysis across Android and iOS binaries and return a long list of potential issues, and OWASP is explicit that the list is assistive rather than conclusive: its tools "are intended to help you perform your own assessments, rather than provide a conclusive result on the security status of an app," and the output "can contain both false positives and false negatives" (OWASP MASTG). This is the open-source slice of the broader complete guide to mobile app testing; here is what the free toolchain covers, and where the work that produces a trustworthy assessment actually begins.
What open-source tools cover mobile app security testing?
A small, stable toolchain does most of the automated work. MobSF is the all-in-one scanner, QARK handles Android-specific static review, and a set of recon and runtime tools (jadx, apktool, Frida and objection) supports the manual analysis that the scanners cannot do. OWASP curates these under the MASTG and frames them as instruments for an assessor rather than replacements for one. The shape of the toolchain is worth seeing in a single view before going deeper.
| Tool | Type | Platform | What it does | Key limitation |
|---|---|---|---|---|
| MobSF | Static and dynamic | Android, iOS, Windows | All-in-one scanner: static analysis on APK, IPA, APPX and source, plus dynamic analysis on Android and iOS | Output is assistive, not conclusive, and mixes real findings with false positives a human must review |
| QARK | Static (decompile) | Android only | Decompiles APKs or reads source to flag common Android vulnerabilities | Android only; last code push January 2024, low recent activity (not archived) |
| jadx | Decompiler | Android | Open-source Dex and Java decompiler for reading APK internals | A decompiler, not a scanner; produces code to review, not findings |
| apktool | Unpacker | Android | Unpacks APKs, decodes the manifest and resources, disassembles DEX to smali | Preparation tool only; finds nothing by itself |
| Frida | Dynamic instrumentation | Android, iOS | Injects JavaScript into running native apps to hook and observe behaviour | Needs scripting skill; injection usually wants a rooted or jailbroken device |
| objection | Runtime exploration | Android, iOS | Frida-powered toolkit that tests on non-rooted, non-jailbroken devices by repackaging | Repackaging and sideloading required; a manual, exploratory workflow |
The split matters. MobSF and QARK generate findings, while jadx, apktool, Frida and objection are what a tester uses to confirm or refute those findings by hand.
What is MobSF, and what does it actually do?
MobSF is the broadest single free tool, and it runs both halves of the analysis. The project describes itself as "an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework" (MobSF), and OWASP records it as "capable of performing static and dynamic analysis" (OWASP MASTG). Its static analyser "supports popular mobile app binaries like APK, IPA, APPX and source code," and the "Dynamic Analyzer supports both Android and iOS applications" (MobSF). In practice you can drop in an APK or IPA and get a structured report in minutes, covering the manifest, permissions, hardcoded secrets, insecure storage patterns and more. What MobSF does not do is decide which entries in that report matter, which is exactly what the assistive-not-conclusive warning is about.
What is QARK, and is it still maintained?
QARK is LinkedIn's Android-only static tool, and it is still available, though quiet. It "is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs" (QARK), and it "automates the use of multiple decompilers, leveraging their combined outputs, to produce superior results, when decompiling APKs" (QARK). On maintenance, be precise rather than dismissive: the repository is not archived, but its most recent code push was January 2024, so treat it as stable but low-activity, not abandoned. It remains useful for Android source and APK review, and it does nothing for iOS, where MobSF or the runtime tools take over.
Which tools handle recon, decompilation and runtime testing?
The scanners find candidates; a different set of tools lets you read the code and watch the app run. apktool "is used to unpack Android app packages (APKs)" and decode resources that a plain unzip leaves unreadable (OWASP MASTG), and jadx is "an open-source Dex and Java decompiler" that turns that package back into readable Java (OWASP MASTG). For the dynamic side, Frida is "a free and open source dynamic code instrumentation toolkit" that "lets you execute snippets of JavaScript into native apps on Android and iOS" (OWASP MASTG), and objection wraps Frida as a "runtime mobile exploration toolkit" whose "main goal is to allow security testing on non-rooted devices" by sideloading a repackaged app (OWASP MASTG). Whether a given finding is static or dynamic is a separate question, covered in our guide to SAST versus DAST for mobile apps; here the point is only that the toolchain spans both halves.
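To make the "candidate, not finding" distinction concrete, here is a small manifest check of the kind a static scanner runs once apktool has decoded `AndroidManifest.xml`. This is an added example, not code from MobSF, QARK, apktool or the OWASP MASTG; the manifest is constructed for the example, and the three checks (exported components without a permission guard, a debuggable build, backup not disabled) are a deliberately narrow subset of what a real scanner covers. Note that the exported deep-link activity it flags may well be intentional, which is exactly why each entry still needs a human to confirm it against the app.

```python
"""Static check over an apktool-decoded AndroidManifest.xml.

Added example, not code from MobSF, QARK, apktool or the OWASP MASTG. It
reproduces the kind of manifest-only candidate finding a scanner raises:
exported components with no permission guard, a debuggable build, and
backup not disabled. The manifest below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Attributes such as android:exported live in this namespace once decoded.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
        android:authorities="com.example.demo.provider"
        android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(component):
    """An explicit android:exported wins; without it, a component that declares
    an intent-filter was implicitly exported on targetSdk < 31, so treat it so."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """True for the activity carrying the LAUNCHER category (expected to be exported)."""
    for category in component.iter("category"):
        if category.get(ANDROID_NS + "name") == "android.intent.category.LAUNCHER":
            return True
    return False


def analyse_manifest(xml_text):
    """Return candidate findings as (check, subject, detail) tuples.

    These are candidates only: an exported deep-link activity may be intended,
    so each entry still needs a human to confirm it against the app."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(ANDROID_NS + "debuggable") == "true":
        findings.append(("debuggable", "application", "android:debuggable=\"true\""))
    if app.get(ANDROID_NS + "allowBackup", "true") == "true":
        findings.append(("allow_backup", "application", "android:allowBackup not set to false"))
    for tag in COMPONENT_TAGS:
        for component in app.findall(tag):
            name = component.get(ANDROID_NS + "name")
            if not is_exported(component) or component.get(ANDROID_NS + "permission"):
                continue  # not reachable from other apps, or guarded by a permission
            if tag == "activity" and is_launcher(component):
                continue  # the launcher activity must be exported
            findings.append(("exported_unguarded", f"{tag}:{name}",
                             "exported without android:permission"))
    return findings


if __name__ == "__main__":
    for check, subject, detail in analyse_manifest(SAMPLE_MANIFEST):
        print(f"[{check}] {subject}: {detail}")
```

Run as a script it prints four candidates: the debuggable flag, backup left enabled, the exported `DeepLinkActivity` and the exported `DataProvider`; `SyncService` is skipped because it is guarded by a permission, and `BootReceiver` because it is not exported. Whether the deep-link activity is a problem depends on what it does with the data it receives, which no manifest check can tell you.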
How bad is the false-positive problem with these tools?
Bad enough that OWASP tells you, in writing, to review every result. Automated static analysers "may produce many false positives, particularly if they are not configured for the target environment" (OWASP MASTG), and the underlying reason is context: "Automated testing tools' lack of sensitivity to app context is a challenge. These tools may identify a potential issue that's irrelevant," so "a security professional must therefore always review the results" (OWASP MASTG). One honest caveat belongs here: no primary source publishes a reliable false-positive rate for MobSF or QARK specifically, so treat any precise percentage you see quoted elsewhere with suspicion. The defensible position is the one OWASP states and no more, that "automated analysis tools can be used to speed up the review process" (OWASP MASTG) without removing the review.
If the tools are free, what is left to pay for?
The verification and the mapping, which together are most of the actual assessment. Once a scan returns its list, someone has to confirm each finding against the running app, discard the false positives, decide which real issues carry genuine risk, and map what survives onto a recognised standard. OWASP frames this as skilled work: "manual code review is very good for identifying vulnerabilities in the business logic, standards violations, and design flaws, especially when the code is technically secure but logically flawed," and it "requires an expert code reviewer who is proficient in both the language and the frameworks used for the mobile app" (OWASP MASTG). That triage layer, not the scan, is where a mobile security assessment is won or lost, and it is the core of Vervali's mobile application testing service: the tools are the cheap, automatable first pass, and the verification is the part that needs a person who knows the platform.
How do these tools map to the OWASP MASVS standard?
A finding only becomes an assessment once it is mapped to a control group and ranked by risk. The Mobile Application Security Verification Standard (MASVS) "is designed to be used as a metric, guidance, and baseline for mobile app security verification," and it is "divided into various groups that represent the most critical areas of the mobile attack surface": MASVS-STORAGE, MASVS-CRYPTO, MASVS-AUTH, MASVS-NETWORK, MASVS-PLATFORM, MASVS-CODE, MASVS-RESILIENCE and MASVS-PRIVACY (OWASP MASVS). MobSF and QARK do not report against those groups for you; they report raw issues. Turning "the app writes sensitive data to external storage" into "a MASVS-STORAGE gap of this severity" is the mapping step, and it is what separates a scan dump from a report a security or compliance team can act on.
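The verification and mapping steps described above (discard false positives, rate the real issues by risk, map the survivors to a MASVS control group) can be expressed as a small triage pipeline. The following is an added example, not code from MobSF, QARK or OWASP: the scanner findings, the analyst verdicts and the rule-to-MASVS table are all constructed for illustration, the rule identifiers are hypothetical, and the risk score is a plain likelihood-times-impact rating of the kind the OWASP risk rating methodology uses rather than anything the scanner emits. The point it makes is that the same rule (`external_storage_write`) fires twice at the same scanner severity, and only the analyst's context decides that one is a real MASVS-STORAGE gap and the other is noise.

```python
"""Triage of raw scanner findings into a MASVS-mapped, risk-ranked report.

Added example, not code from MobSF, QARK or OWASP. The findings, the analyst
verdicts and the rule-to-MASVS table are constructed for the example; real
scanner rule identifiers differ, and which MASVS group a finding belongs to is
an analyst decision, not something the table can make for you.
"""
from collections import Counter

# Scanner severity labels as reported (MobSF uses high / warning / info).
SEVERITY_WEIGHT = {"high": 3, "warning": 2, "info": 1}

# Constructed rule-id -> MASVS control group table (hypothetical rule ids).
MASVS_GROUP = {
    "external_storage_write": "MASVS-STORAGE",
    "cleartext_traffic": "MASVS-NETWORK",
    "weak_hash_md5": "MASVS-CRYPTO",
    "exported_provider": "MASVS-PLATFORM",
    "root_detection_missing": "MASVS-RESILIENCE",
}

# Constructed scan output: the same rule fires twice with very different meaning.
SCAN_FINDINGS = [
    {"id": "F1", "rule": "external_storage_write", "severity": "high",
     "evidence": "SessionStore.java writes the session token to external storage"},
    {"id": "F2", "rule": "external_storage_write", "severity": "high",
     "evidence": "CrashLogger.java writes a crash log to external storage"},
    {"id": "F3", "rule": "cleartext_traffic", "severity": "warning",
     "evidence": "network_security_config.xml: cleartextTrafficPermitted=true"},
    {"id": "F4", "rule": "weak_hash_md5", "severity": "warning",
     "evidence": "ImageCache.java: MessageDigest.getInstance(\"MD5\")"},
    {"id": "F5", "rule": "exported_provider", "severity": "high",
     "evidence": "AndroidManifest.xml: DataProvider exported without permission"},
    {"id": "F6", "rule": "root_detection_missing", "severity": "info",
     "evidence": "no root or jailbreak detection found"},
    {"id": "F7", "rule": "webview_js_enabled", "severity": "warning",
     "evidence": "WebHelper.java: setJavaScriptEnabled(true)"},
]

# Constructed analyst verdicts after checking each finding against the running app.
# Confirmed findings carry a likelihood and an impact rating (1..3 each).
VERDICTS = {
    "F1": {"status": "confirmed", "likelihood": 3, "impact": 3,
           "note": "token readable by any app holding the storage permission"},
    "F2": {"status": "false_positive", "note": "log holds no secrets or personal data"},
    "F3": {"status": "confirmed", "likelihood": 2, "impact": 3,
           "note": "login request observed in cleartext during the runtime session"},
    "F4": {"status": "false_positive", "note": "MD5 only derives cache keys, no security use"},
    "F6": {"status": "confirmed", "likelihood": 1, "impact": 1, "note": "accepted design choice"},
    "F7": {"status": "confirmed", "likelihood": 2, "impact": 2, "note": "WebView loads remote pages"},
}


def triage(findings, verdicts):
    """Attach verdict, MASVS group and analyst risk score to every scanner finding."""
    rows = []
    for finding in findings:
        row = dict(finding)
        row["masvs"] = MASVS_GROUP.get(finding["rule"], "UNMAPPED")
        row["scanner_weight"] = SEVERITY_WEIGHT[finding["severity"]]
        verdict = verdicts.get(finding["id"])
        if verdict is None:
            row.update(status="needs_review", risk=None, note="no analyst verdict yet")
        elif verdict["status"] == "false_positive":
            row.update(status="false_positive", risk=0, note=verdict["note"])
        else:
            # Risk is the analyst's likelihood x impact (1..9), not the scanner's label.
            row.update(status="confirmed", note=verdict["note"],
                       risk=verdict["likelihood"] * verdict["impact"])
        rows.append(row)
    return rows


def ranked_confirmed(rows):
    """Confirmed findings ordered by analyst risk; scanner severity only breaks ties."""
    confirmed = [r for r in rows if r["status"] == "confirmed"]
    return sorted(confirmed, key=lambda r: (-r["risk"], -r["scanner_weight"], r["id"]))


def masvs_summary(rows):
    """Confirmed findings counted per MASVS control group (UNMAPPED still needs a group)."""
    return Counter(r["masvs"] for r in rows if r["status"] == "confirmed")


def needs_review(rows):
    """Findings nobody has verified yet; they must not be reported as confirmed."""
    return [r["id"] for r in rows if r["status"] == "needs_review"]


if __name__ == "__main__":
    rows = triage(SCAN_FINDINGS, VERDICTS)
    for r in ranked_confirmed(rows):
        print(f"{r['id']} risk={r['risk']} {r['masvs']:<16} {r['note']}")
    print("per group:", dict(masvs_summary(rows)))
    print("still to verify:", needs_review(rows))
```

Two design choices carry the page's argument. Ranking uses the analyst's risk score and only falls back on the scanner's severity to break ties, so the "high" crash-log write does not outrank the "warning"-level cleartext login once context is applied. And a finding with no verdict (`F5`) or no MASVS group (`F7`) is surfaced as open work rather than silently counted or dropped, because an assessment that reports unverified scanner output as confirmed is the scan dump the page warns against.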
The verdict: the scan is free, the assessment is not
The open-source mobile security toolchain is genuinely good and genuinely free. MobSF, QARK and the MASTG recon and runtime tools will scan an Android or iOS app and surface a broad set of candidate issues at no licence cost, and any serious mobile testing process should use them. What they will not do is the part that matters most: confirm which findings are real, filter the false positives OWASP warns are inevitable, map the survivors to MASVS, and rank them by risk. Treat the tools as step one of three. Run the scan, then verify, then map and prioritise, and judge any mobile security programme, in-house or outsourced, by how seriously it takes the two steps the tools cannot do.
Sources
- OWASP MASTG, Testing Tools index (tools are assistive, not conclusive; false positives and false negatives). https://mas.owasp.org/MASTG/tools/
- OWASP MASTG, Mobile App Security Testing (false positives, "always review the results", automation speeds up review). https://mas.owasp.org/MASTG/0x04b-Mobile-App-Security-Testing/
- OWASP MASTG, Tampering and Reverse Engineering (value of manual review; expert reviewer needed). https://mas.owasp.org/MASTG/0x04c-Tampering-and-Reverse-Engineering/
- OWASP MASTG, MobSF tool page (MASTG-TOOL-0035). https://mas.owasp.org/MASTG/tools/generic/MASTG-TOOL-0035/
- OWASP MASTG, apktool tool page (MASTG-TOOL-0011). https://mas.owasp.org/MASTG/tools/android/MASTG-TOOL-0011/
- OWASP MASTG, jadx tool page (MASTG-TOOL-0018). https://mas.owasp.org/MASTG/tools/android/MASTG-TOOL-0018/
- OWASP MASTG, Frida tool page (MASTG-TOOL-0031). https://mas.owasp.org/MASTG/tools/generic/MASTG-TOOL-0031/
- OWASP MASTG, objection tool page (MASTG-TOOL-0038). https://mas.owasp.org/MASTG/tools/generic/MASTG-TOOL-0038/
- OWASP MASVS, Using the MASVS (baseline; eight control groups). https://mas.owasp.org/MASVS/03-Using_the_MASVS/
- MobSF, GitHub repository README. https://github.com/MobSF/Mobile-Security-Framework-MobSF
- QARK, GitHub repository README. https://github.com/linkedin/qark