Real-World Cryptography vs The Mobile Application Hacker's Handbook: Which Should You Read?
Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse
Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.
Key takeaways
- Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
- TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight; this book teaches the patterns.
- Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.
- The platform-defaults-and-pitfalls structure is durable: each platform's security model is still best understood through the same lens the book uses.
- IPC, deep-link, and inter-app surface remain the highest-yield mobile attack surfaces, even though the specific APIs have changed.
- Pair every chapter with current OWASP MASTG / MASVS material; the conceptual map is the book's value, the specific tooling is not.
How they compare
We rate Real-World Cryptography higher (5/5 against 3/5 for The Mobile Application Hacker's Handbook). For most readers, that means Real-World Cryptography is the primary pick and The Mobile Application Hacker's Handbook is a useful follow-up.
Both books target intermediate-level readers, so the choice is about topic, not difficulty.
Real-World Cryptography and The Mobile Application Hacker's Handbook both cover AppSec, so reading them in sequence reinforces the same material from different angles.