// Comparison

Designing Secure Software vs The Mobile Application Hacker's Handbook: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

5/52021

A Guide for Developers

Loren Kohnfelder

Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.

Intermediate

3/52015

The Mobile Application Hacker's Handbook

Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse

Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.

Read this if

Senior developers and architects who already write code well and now want to design systems that don't ship CVEs. Kohnfelder is the author who literally wrote the X.509 paper; the book is a career's worth of design wisdom in 312 pages.

Mobile pentesters who want the structural foundations of the discipline — what surface exists, where bugs typically live, how the platforms differ in their defaults. The taxonomy and methodology chapters age more slowly than the specific tooling.

Skip this if

Beginners or readers wanting hands-on tooling. The book is design-level: principles, patterns, and case studies. Pair with implementation-level books for the line-of-code view.

Readers needing current technique on App Attest, DeviceCheck, biometric-bound keys, modern pinning bypass, recent runtime instrumentation (Frida-class), or the cross-platform reality (React Native, Flutter, Capacitor). The 2015 publication shows on every chapter.

Key takeaways

Secure-by-design is mostly avoided pitfalls; the book's enumeration of common-but-fatal mistakes is the cleanest mental checklist a designer can carry.
Trust boundaries are the single most useful concept in secure design; the book teaches you to see them in any architecture.
Most security debates inside engineering organizations resolve to a handful of repeated trade-offs (defense in depth vs. simplicity, blocking vs. logging, fail-open vs. fail-closed); the book names them and provides the language for the conversation.

The platform-defaults-and-pitfalls structure is durable: each platform's security model is still best understood through the same lens the book uses.
IPC, deep-link, and inter-app surface remain the highest-yield mobile attack surfaces, even though the specific APIs have changed.
Pair every chapter with current OWASP MASTG / MASVS material; the conceptual map is the book's value, the specific tooling is not.

How they compare

We rate Designing Secure Software higher (5/5 against 3/5 for The Mobile Application Hacker's Handbook). For most readers, that means Designing Secure Software is the primary pick and The Mobile Application Hacker's Handbook is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Designing Secure Software and The Mobile Application Hacker's Handbook both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Designing Secure Software

→ Alternatives to Designing Secure Software → What to read after Designing Secure Software