OWASP AppSec EU 2026 Vienna: 25 Years of Application Security, the Birth of MAScon, and the Future of Mobile App Defense + Video


Introduction:

As the application security landscape braces for the rapid evolution of mobile threats and AI-driven development, the OWASP Global AppSec EU 2026 conference in Vienna marks a pivotal moment—not only celebrating the foundation’s 25th anniversary but also debuting the first-ever OWASP MAScon, a dedicated track for mobile application security. Scheduled from June 22–26, 2026, at the Austria Center Vienna, this flagship event brings together over 800 cybersecurity experts, developers, and industry leaders to tackle the most pressing challenges in application security. With hands-on training sessions, cutting-edge talks on runtime instrumentation, and a spotlight on regulatory compliance like the EU Cyber Resilience Act, the conference serves as a critical knowledge hub for professionals aiming to embed security into every phase of the software development lifecycle.

Learning Objectives:

  • Master the practical application of OWASP SAMM to build and mature an application security program aligned with emerging regulations.
  • Understand advanced mobile application security techniques, including dynamic instrumentation with Frida and reverse engineering of multiplatform runtimes.
  • Analyze real-world mobile security incidents to extract actionable lessons on what fails in production and which secure practices hold up under attack.

You Should Know:

1. OWASP Global AppSec EU 2026: A 25th Anniversary Milestone

The OWASP Global AppSec EU 2026 conference is more than just another security gathering—it is a celebration of 25 years of community-driven application security excellence. Taking place from June 22–26, 2026, at the legendary Austria Center Vienna, the event offers a reimagined experience with world-class keynotes, newly designed tracks, an interactive OWASP Project Demo Lab, and the debut of the mobile security specialty conference, MAScon.

The conference is structured into two main components: hands-on training from June 22–24 and the main conference tracks on June 25–26. Training sessions are available for one, two, or three days, covering topics ranging from OWASP SAMM implementation to AI security for developers. Attendees can earn CPE credits, participate in the Meet the Mentor Program, and engage in a Capture the Flag (CTF) challenge.

Keynote and Featured Talks: The conference features prominent industry voices, including Hannah Foxwell, Co-founder of BIMP, who will deliver a keynote on AI-driven developer velocity—exploring what works, what doesn’t, and how to stay secure at speed. Other sessions delve into DevSecOps pipeline security, API protection, cloud-native AppSec, and vulnerability management.

2. MAScon: The First-Ever OWASP Mobile Application Security Conference

For the very first time, the OWASP MAS (Mobile Application Security) team is organizing OWASP MAScon, a dedicated event built around the people, research, and practical work that drive mobile app security forward. OWASP MAS has become a reference point for mobile security through projects like MASVS (Mobile Application Security Verification Standard), MASWE (Mobile Application Security Weakness Enumeration), and MASTG (Mobile Application Security Testing Guide). These resources shape how organizations assess mobile security, how testers run engagements, how developers build more securely, and how the industry talks about mobile risk.

Organized by Carlos Holguera and Sven Schleier, OWASP MAS Leaders, MAScon is designed as a compact, high-value program for practitioners who want substance, not fluff. The schedule brings together talks on offensive research, runtime internals, dynamic instrumentation, real-world incidents, and the evolving tooling around mobile application testing.

3. Deep Dive: Structured Mobile DAST with Frida

One of the most anticipated sessions is “Let’s get frooky, Structured Mobile DAST with Frida” presented by Carlos Holguera and Stefan Bernhardsgrütter. This session focuses on the practical challenges of mobile penetration testing and demonstrates how structured, Frida-powered instrumentation can help assess hardened applications at runtime.

Step‑by‑step guide: Setting Up Frida for Dynamic Mobile Analysis

Frida is a dynamic instrumentation toolkit that lets you inject JavaScript into running processes on Android, iOS, Windows, macOS, and Linux. The client on your workstation talks to frida-server on the device: push the frida-server build that matches your client's version and the device's CPU architecture to a rooted Android or jailbroken iOS device and start it as root, otherwise the -U commands below find no device. On a non-rooted device the alternative is to repackage the app with the Frida Gadget library. Below is a practical guide to setting up the client for mobile application testing:

On Linux/macOS:

# Install the Frida CLI tools (also pulls in the frida Python bindings)
pip3 install frida-tools

# Verify installation; this version must match the frida-server on the device
frida --version

# List connected devices (Android devices are reached through adb, so they
# must show up in `adb devices` first)
frida-ls-devices

# Spawn an application (Android example)
frida -U -f com.example.app

# Attach to a running process
frida -U com.example.app

On Windows (PowerShell; administrator rights are not needed for a user-level pip install):

# Install Frida
pip install frida-tools

# Verify installation
frida --version

# List devices
frida-ls-devices

# Spawn an application
frida -U -f com.example.app

A note on the spawn command: frida-tools before version 12 left a spawned process paused until you typed %resume, which is why older guides add --no-pause. Current releases resume the process automatically and no longer accept --no-pause; use --pause if you want the old behaviour.
Writing a Basic Frida Script:

// hook.js - Intercept and log every call to LoginActivity.getPassword()
// (com.example.app and getPassword are placeholders for the target app)
Java.perform(function () {
    var LoginActivity = Java.use("com.example.app.LoginActivity");
    // If getPassword is overloaded, select one: LoginActivity.getPassword.overload(...)
    LoginActivity.getPassword.implementation = function () {
        var result = this.getPassword();   // call the original implementation
        console.log("[*] Password retrieved: " + result);
        return result;                     // hand it back so the app behaves normally
    };
});

Inject the script (spawning the app so the hook is in place before the first call):

frida -U -f com.example.app -l hook.js

Key takeaway: Frida enables real-time manipulation of application behavior, making it an indispensable tool for reverse engineering, bypassing certificate pinning, and testing runtime security controls.
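What "structured" instrumentation looks like in practice, as an added example (this is not code from the talk, from OWASP MAS, or from this page): a Python host using Frida's Python bindings loads a table-driven agent that hooks Cipher.getInstance and Log.d, and maps the raw events onto MASVS v2 control IDs with deduplication. The hook table, the weak-algorithm list and the secret-keyword heuristic are illustrative choices, and com.example.app is a placeholder; classify() and FindingCollector run offline, run() needs frida-tools and a device running a matching frida-server.

```python
"""Structured mobile DAST with Frida: a table-driven agent reports raw runtime
events over send(); the host maps them to deduplicated findings tagged with
MASVS v2 controls. classify()/FindingCollector run offline; run() needs frida."""
import json
import re
import sys
import time
from typing import Optional

# Frida agent (JavaScript). Each HOOKS row names a class, one method overload and
# the event type it reports, so adding a check is a table row, not new code.
AGENT_JS = r"""
const HOOKS = [
  { cls: 'javax.crypto.Cipher', method: 'getInstance',
    sig: ['java.lang.String'], event: 'cipher' },
  { cls: 'android.util.Log', method: 'd',
    sig: ['java.lang.String', 'java.lang.String'], event: 'log' },
];
Java.perform(() => {
  for (const h of HOOKS) {
    const target = Java.use(h.cls)[h.method].overload(...h.sig);
    target.implementation = function (...args) {
      send({ event: h.event, args: args.map(a => (a === null ? null : String(a))) });
      return target.call(this, ...args);   // run the original; behaviour unchanged
    };
  }
});
"""

# MASTG crypto checks: legacy algorithms, ECB, or a bare name ("AES") whose mode
# and padding the provider fills in (ECB on Android).
WEAK_ALGO = re.compile(r"^(DES|DESede|RC2|RC4|ARCFOUR|Blowfish)(/|$)", re.I)
ECB_MODE = re.compile(r"/ECB(/|$)", re.I)
SECRET_HINT = re.compile(r"passw|token|secret|bearer|authorization|otp", re.I)

def redact(value) -> str:
    """Two-character prefix plus length, so evidence never carries the full secret."""
    s = "" if value is None else str(value)
    return s[:2] + "*" * max(len(s) - 2, 0) + f" ({len(s)} chars)"

def _finding(control, severity, title, evidence) -> dict:
    return {"control": control, "severity": severity, "title": title, "evidence": str(evidence)}

def classify(event: dict) -> Optional[dict]:
    """Map one raw agent event to a finding, or None when nothing is wrong."""
    kind, args = event.get("event"), event.get("args") or []
    if kind == "cipher" and args:
        t = str(args[0])
        if WEAK_ALGO.match(t):
            return _finding("MASVS-CRYPTO-1", "high", f"legacy cipher requested: {t}", t)
        if ECB_MODE.search(t):
            return _finding("MASVS-CRYPTO-1", "high", f"ECB mode requested: {t}", t)
        if "/" not in t:
            return _finding("MASVS-CRYPTO-1", "medium", f"mode/padding left to provider default: {t}", t)
    elif kind == "log" and len(args) >= 2 and SECRET_HINT.search(str(args[1])):
        return _finding("MASVS-STORAGE-2", "medium",
                        f"secret-looking data written to logcat (tag {args[0]})", redact(args[1]))
    return None

class FindingCollector:
    """Deduplicates findings by (control, evidence) and counts how often each recurs."""
    def __init__(self):
        self.findings: dict = {}

    def add(self, event: dict) -> Optional[dict]:
        f = classify(event)
        if f is None:
            return None
        entry = self.findings.setdefault((f["control"], f["evidence"]), {**f, "hits": 0})
        entry["hits"] += 1
        return entry

    def report(self) -> str:
        rank = {"high": 0, "medium": 1, "low": 2}
        rows = sorted(self.findings.values(), key=lambda f: (rank[f["severity"]], f["control"]))
        return json.dumps(rows, indent=2)

def run(package: str, dwell_seconds: int = 60) -> FindingCollector:
    """Spawn the app over USB, load the agent, collect events while you drive the UI."""
    import frida  # ships with frida-tools; the device must run a matching frida-server
    collector = FindingCollector()
    device = frida.get_usb_device(timeout=5)
    pid = device.spawn([package])  # spawn rather than attach, so startup crypto is seen
    session = device.attach(pid)
    script = session.create_script(AGENT_JS)
    def on_message(message, _data):
        if message["type"] == "send":
            collector.add(message["payload"])
        else:  # agent-side exception: surface it instead of silently losing coverage
            print(message.get("stack") or message, file=sys.stderr)
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    time.sleep(dwell_seconds)  # exercise login, settings, sync... during this window
    session.detach()
    return collector

if __name__ == "__main__":
    print(run(sys.argv[1] if len(sys.argv) > 1 else "com.example.app").report())
```

Run it as `python3 dast.py com.example.app`, drive the app for the dwell window, and the JSON report lists each distinct finding once with a hit count. The event-to-finding logic lives on the host so it can be unit-tested without a device, and the agent only observes and forwards the original call, so the app keeps working while it is being assessed.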

4. Unveiling Multiplatform Mobile Runtimes

Sergi Alvarez (aka “pancake”) will present “Unveiling The Internals From Multiplatform Mobile Runtimes” , taking attendees into the internals of frameworks such as Flutter, React Native, and Unity. The session demonstrates how low-level reverse engineering techniques can recover code and data from release binaries, a critical skill for assessing the security of cross-platform applications.

Step‑by‑step guide: Basic Reverse Engineering of a Flutter App

In release builds the Dart code is AOT-compiled to native machine code (libapp.so on Android, the App.framework binary on iOS), so Java/Kotlin decompilers such as jadx show only the thin platform shell and none of the app logic. Here’s a basic approach to reverse engineering Flutter apps:

  1. Unpack the APK and locate lib/<abi>/libapp.so (the compiled Dart code) together with lib/<abi>/libflutter.so (the engine; blutter reads the exact Dart version from it). A build with no libapp.so but an assets/flutter_assets/kernel_blob.bin is a debug build running the JIT, not a release binary.
  2. Use `blutter` (a Flutter reverse engineering tool) to reconstruct Dart symbols:
    # Clone blutter
    git clone https://github.com/xxx/blutter
    cd blutter
    # Point blutter at the directory that holds libapp.so and libflutter.so
    python3 blutter.py /path/to/lib/arm64-v8a /output/dir

  3. Analyze the reconstructed Dart code (recovered class and function names, string pool, object pool offsets) for sensitive logic, API keys, or cryptographic implementations.
  4. Load libapp.so into IDA Pro or Ghidra and import the symbol script blutter generates so the disassembly carries the recovered Dart names, then cross-reference; blutter also emits a Frida script for tracing the recovered functions at runtime.

Key takeaway: Understanding multiplatform runtime internals is essential for identifying vulnerabilities that may not be apparent through black-box testing alone.
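Before reaching for a runtime-specific tool you need to know which runtime the binary actually carries. The following added example (not from the talk, from blutter, or from this page) fingerprints an APK from its zip layout using the on-disk indicators of each framework (libflutter.so with or without libapp.so, assets/index.android.bundle and the Hermes bytecode magic, libunity.so with libil2cpp.so and global-metadata.dat) and reports which files to reverse next. The sample APKs it builds are constructed in memory and contain no real code.

```python
"""Fingerprint the cross-platform runtime inside an Android APK from its zip layout
and point at the artefacts to reverse engineer next. Sample APKs built here are
constructed stand-ins (zip layout only), not real applications."""
import io
import re
import zipfile

HERMES_MAGIC = bytes.fromhex("c61fbc03c103191f")  # 0x1F1903C103BC1FC6, little-endian
LIB_RE = re.compile(r"^lib/([^/]+)/([^/]+\.so)$")
RN_BUNDLE = "assets/index.android.bundle"
IL2CPP_METADATA = "assets/bin/Data/Managed/Metadata/global-metadata.dat"


def fingerprint(apk_bytes: bytes) -> dict:
    """Return {'abis': [...], 'runtimes': [{'runtime': ..., 'targets': [...], ...}]}."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        libs: dict = {}  # abi -> set of shared-object names
        for n in names:
            m = LIB_RE.match(n)
            if m:
                libs.setdefault(m.group(1), set()).add(m.group(2))
        all_libs = set().union(*libs.values()) if libs else set()
        runtimes = []

        if "libflutter.so" in all_libs:
            # Release/profile builds ship AOT-compiled Dart in libapp.so; debug builds
            # ship kernel_blob.bin for the JIT instead and have no libapp.so to analyse.
            runtimes.append({
                "runtime": "Flutter",
                "aot_release": "libapp.so" in all_libs,
                "targets": sorted(n for n in names if n.endswith("/libapp.so")),
                "engine": sorted(n for n in names if n.endswith("/libflutter.so")),
            })

        if "libreactnativejni.so" in all_libs or RN_BUNDLE in names:
            info = {"runtime": "React Native", "targets": []}
            if RN_BUNDLE in names:
                with z.open(RN_BUNDLE) as f:
                    head = f.read(8)
                # Hermes bytecode needs a disassembler; a plain bundle is readable JS.
                info["bundle_format"] = "hermes-bytecode" if head == HERMES_MAGIC else "javascript"
                info["targets"].append(RN_BUNDLE)
            runtimes.append(info)

        if "libunity.so" in all_libs:
            scripting = ("IL2CPP" if "libil2cpp.so" in all_libs
                         else "Mono" if any(l.startswith("libmono") for l in all_libs)
                         else "unknown")
            targets = sorted(n for n in names if n.endswith("/libil2cpp.so"))
            if IL2CPP_METADATA in names:  # needed to recover class/method names from IL2CPP
                targets.append(IL2CPP_METADATA)
            runtimes.append({"runtime": "Unity", "scripting": scripting, "targets": targets})

        if not runtimes:
            runtimes.append({"runtime": "Java/Kotlin only",
                             "targets": sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))})
        return {"abis": sorted(libs), "runtimes": runtimes}


def build_sample_apk(kind: str) -> bytes:
    """Constructed APK-shaped zips for testing; file contents are dummy bytes."""
    files = {"AndroidManifest.xml": b"\x03\x00\x08\x00", "classes.dex": b"dex\n035\x00"}
    if kind == "flutter-release":
        for abi in ("arm64-v8a", "armeabi-v7a"):
            files[f"lib/{abi}/libflutter.so"] = b"\x7fELF"
            files[f"lib/{abi}/libapp.so"] = b"\x7fELF"
    elif kind == "flutter-debug":
        files["lib/arm64-v8a/libflutter.so"] = b"\x7fELF"
        files["assets/flutter_assets/kernel_blob.bin"] = b"\x00" * 16
    elif kind == "react-native-hermes":
        files["lib/arm64-v8a/libreactnativejni.so"] = b"\x7fELF"
        files["lib/arm64-v8a/libhermes.so"] = b"\x7fELF"
        files[RN_BUNDLE] = HERMES_MAGIC + b"\x00" * 56
    elif kind == "unity-il2cpp":
        files["lib/arm64-v8a/libunity.so"] = b"\x7fELF"
        files["lib/arm64-v8a/libil2cpp.so"] = b"\x7fELF"
        files[IL2CPP_METADATA] = b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    from pathlib import Path
    apk = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_apk("flutter-release")
    print(json.dumps(fingerprint(apk), indent=2))
```

Point it at a real APK with `python3 fingerprint_apk.py app.apk`; for a Flutter app the "targets" list is exactly what you hand to blutter, and an "aot_release": false result tells you to get a release build before spending time on the binary.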

5. Real-World Mobile App Security Incidents

Jan Seredynski will present “Recent Mobile App Security Incidents from Real World Cases” , walking through concrete incidents from real mobile applications and extracting practical lessons on what fails in production and which secure practices actually hold up. This session bridges the gap between theory and practice, offering invaluable insights for security engineers and developers alike.

Common Failure Patterns in Mobile App Security:

  • Hardcoded secrets in client-side code (API keys, encryption keys).
  • Weak certificate pinning implementations that can be bypassed.
  • Insecure data storage on the device (e.g., storing tokens in SharedPreferences without encryption).
  • Improper session management leading to token reuse or session fixation.
  • Lack of runtime self-protection against dynamic instrumentation and tampering.

Key takeaway: Real-world incidents reveal that the most critical failures often stem from basic security oversights rather than complex vulnerabilities.

6. Hands-On Training: Building an AppSec Program with OWASP SAMM

On Tuesday, June 23, 2026, a 1-Day Training: Build your AppSec Program with OWASP SAMM will be conducted by trainer Aram Hovsepyan. This interactive training provides a deep understanding of OWASP SAMM and demonstrates how to apply it in real-world scenarios through expert-led sessions and hands-on exercises.

What You Will Learn:

  • How to embed security into every phase of the software development lifecycle.
  • How to assess and mature your organization’s application security practices.
  • How SAMM naturally prepares you for upcoming regulations such as the EU Cyber Resilience Act.

Step‑by‑step guide: Conducting a SAMM Assessment

  1. Define the scope – Identify which business functions and applications will be assessed.
  2. Select the SAMM practices – Choose from the 15 practices across 5 business functions (Governance, Design, Implementation, Verification, Operations).
  3. Conduct interviews – Gather evidence from stakeholders (developers, security teams, operations).
  4. Score each practice – Assign a maturity level (0–3) based on the evidence collected.
  5. Identify gaps – Compare current scores against target maturity levels.
  6. Create a roadmap – Prioritize initiatives to close the gaps and improve maturity over time.

Key takeaway: OWASP SAMM provides a structured, measurable approach to building and maturing an AppSec program that aligns with business objectives and regulatory requirements.
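Steps 4 to 6 of the assessment as an added, runnable example (this is not the OWASP SAMM toolbox and not code from the training or this page): the 15 practices of SAMM v2 are encoded, answers are weighted on the toolbox scale (No 0, some 0.25, at least half 0.5, most or all 1), stream scores are averaged into practice and business-function scores, gaps against target levels are listed, and the gaps are turned into a phased roadmap that raises each lagging practice one level per phase. The sample answers and targets are constructed, not a real organisation's data.

```python
"""Score a SAMM v2 assessment and derive a gap-closing roadmap (steps 4-6 of the
guide). Model structure and answer weights follow SAMM v2 and its toolbox; the
sample answers and targets are constructed, not a real organisation's data."""
import math

SAMM_MODEL = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Design": ["Threat Assessment", "Security Requirements", "Security Architecture"],
    "Implementation": ["Secure Build", "Secure Deployment", "Defect Management"],
    "Verification": ["Architecture Assessment", "Requirements-driven Testing", "Security Testing"],
    "Operations": ["Incident Management", "Environment Management", "Operational Management"],
}
# Toolbox answer scale; each stream has one question per maturity level (1, 2, 3).
ANSWER_WEIGHT = {"no": 0.0, "some": 0.25, "half": 0.5, "most": 1.0}


def stream_score(answers) -> float:
    """Three answers (levels 1..3) for one stream -> maturity 0.0..3.0."""
    if len(answers) != 3:
        raise ValueError("a stream has exactly three maturity-level questions")
    return sum(ANSWER_WEIGHT[a] for a in answers)


def practice_score(streams) -> float:
    """{'A': [...], 'B': [...]} -> practice maturity, the mean of its two streams."""
    return (stream_score(streams["A"]) + stream_score(streams["B"])) / 2


def scorecard(assessment) -> dict:
    """assessment: {practice: {'A': [...], 'B': [...]}} -> practice and business-function scores."""
    missing = [p for ps in SAMM_MODEL.values() for p in ps if p not in assessment]
    if missing:
        raise ValueError(f"unscored practices: {missing}")  # a partial scorecard hides gaps
    practices = {p: round(practice_score(assessment[p]), 2) for ps in SAMM_MODEL.values() for p in ps}
    functions = {fn: round(sum(practices[p] for p in ps) / len(ps), 2) for fn, ps in SAMM_MODEL.items()}
    return {"practices": practices, "functions": functions}


def gaps(card: dict, targets: dict) -> list:
    """targets: {practice: desired level 0..3} -> practices below target, largest gap first."""
    out = []
    for practice, target in targets.items():
        if not 0 <= target <= 3:
            raise ValueError(f"target for {practice} must be within 0..3")
        gap = round(target - card["practices"][practice], 2)
        if gap > 0:
            out.append({"practice": practice, "current": card["practices"][practice],
                        "target": target, "gap": gap})
    return sorted(out, key=lambda g: (-g["gap"], g["practice"]))


def roadmap(gap_list: list) -> list:
    """Phase plan: each lagging practice climbs at most one level per phase, so phase 1
    touches every gap and later phases concentrate on the practices furthest behind."""
    phases = []
    for i in range(1, max((math.ceil(g["gap"]) for g in gap_list), default=0) + 1):
        work = [{"practice": g["practice"], "to_level": min(g["target"], math.floor(g["current"]) + i)}
                for g in gap_list if math.ceil(g["gap"]) >= i]
        phases.append({"phase": i, "work": work})
    return phases


def sample_assessment() -> dict:
    """Constructed answers for a hypothetical team: a weak baseline everywhere,
    comparatively mature security testing, and almost no threat assessment."""
    baseline = {"A": ["most", "some", "no"], "B": ["half", "no", "no"]}
    data = {p: dict(baseline) for ps in SAMM_MODEL.values() for p in ps}
    data["Security Testing"] = {"A": ["most", "most", "half"], "B": ["most", "some", "no"]}
    data["Threat Assessment"] = {"A": ["no", "no", "no"], "B": ["some", "no", "no"]}
    return data


if __name__ == "__main__":
    card = scorecard(sample_assessment())
    found = gaps(card, {"Threat Assessment": 2, "Secure Build": 2, "Security Testing": 2})
    print(card["functions"])
    for phase in roadmap(found):
        print(phase)
```

Replace sample_assessment() with the interview results and the targets dict with the levels the business has agreed to, and the same functions produce the scorecard, the gap list and the phase plan; refusing a partial scorecard is deliberate, since an unscored practice would otherwise read as "no gap".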

7. 3-Day Training: AppSec and AI Security for Developers

For those seeking a deeper dive, a 3-Day Training: AppSec and AI Security for Developers with Jim Manico is available in a hybrid format. This training covers secure coding practices, AI security considerations, and how to integrate security into the development workflow.

Key Topics:

  • Secure coding in Java, .NET, and JavaScript.
  • AI/ML security risks (prompt injection, data poisoning, model theft).
  • Integrating security into CI/CD pipelines.
  • Threat modeling for AI-powered applications.

What Undercode Says:

  • Key Takeaway 1: The debut of MAScon signals a maturation of mobile application security as a distinct discipline, moving beyond generic AppSec to address the unique challenges of mobile platforms—including runtime instrumentation, multiplatform frameworks, and real-world incident analysis.
  • Key Takeaway 2: The convergence of OWASP SAMM training with regulatory pressures like the EU Cyber Resilience Act highlights the growing importance of structured security programs that are not only technically sound but also compliant with emerging legal frameworks.

The OWASP AppSec EU 2026 Vienna conference represents a critical inflection point for the application security community. The introduction of MAScon addresses a long-standing gap in mobile security education, providing practitioners with specialized knowledge that is increasingly essential as mobile applications become the primary interface for digital services. Meanwhile, the emphasis on OWASP SAMM and regulatory compliance reflects a broader shift toward security maturity models that bridge the gap between technical excellence and business accountability.

Prediction:

  • +1 The launch of MAScon will catalyze a new wave of mobile security research and tooling, driving innovation in dynamic instrumentation, runtime self-protection, and multiplatform security testing over the next 2–3 years.
  • +1 OWASP SAMM will become the de facto standard for AppSec program maturity assessment, particularly as the EU Cyber Resilience Act and similar regulations compel organizations to demonstrate due diligence in software security.
  • +1 The integration of AI security topics into OWASP training reflects a growing recognition that AI-powered development introduces novel attack surfaces, and we can expect OWASP to release dedicated AI security standards within 12–18 months.
  • -1 Despite these advancements, the gap between security research and industry adoption remains significant; many organizations will continue to struggle with basic security hygiene, as evidenced by the recurring failure patterns highlighted in real-world incident analyses.
  • -1 The rapid evolution of multiplatform mobile frameworks (Flutter, React Native) will outpace the development of standardized security testing methodologies, leaving a window of vulnerability for attackers to exploit.

Reported By: Hexploit Meet – Hackers Feeds