// Comparison

The Mobile Application Hacker's Handbook vs Threat Modeling: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

3/52015

The Mobile Application Hacker's Handbook

Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse

Chell, Erasmus, Colley, and Whitehouse's reference on iOS and Android application security from the early-mid 2010s — runtime hooking, transport security, IPC abuse, and the platform-specific surface of mobile pentesting.

Intermediate

5/52014

Threat Modeling

Designing for Security

Adam Shostack

Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.

Read this if

Mobile pentesters who want the structural foundations of the discipline — what surface exists, where bugs typically live, how the platforms differ in their defaults. The taxonomy and methodology chapters age more slowly than the specific tooling.

Anyone who designs systems and wants to ship fewer bugs in production. Threat modeling is the highest-leverage security practice for developers; this is the book that finally made it teachable.

Skip this if

Readers needing current technique on App Attest, DeviceCheck, biometric-bound keys, modern pinning bypass, recent runtime instrumentation (Frida-class), or the cross-platform reality (React Native, Flutter, Capacitor). The 2015 publication shows on every chapter.

Readers wanting a quick checklist or a one-pager. Shostack is comprehensive: STRIDE, attack trees, data-flow diagrams, the kill chain, all with extended worked examples. Skim-reading is a waste of the book.

Key takeaways

The platform-defaults-and-pitfalls structure is durable: each platform's security model is still best understood through the same lens the book uses.
IPC, deep-link, and inter-app surface remain the highest-yield mobile attack surfaces, even though the specific APIs have changed.
Pair every chapter with current OWASP MASTG / MASVS material; the conceptual map is the book's value, the specific tooling is not.

STRIDE is a forcing function for systematic thinking, not a complete model; the book teaches you when to use it and when to switch frames (attack trees, attacker personas, kill chains).
Most "threat modeling tools" are spreadsheet-with-diagrams; the actual lift is the conversation those tools structure, not the document.
Threat modeling fits inside agile and works at PR-review timescale once you've done it three or four times; the book makes the case repeatedly with examples.

How they compare

We rate Threat Modeling higher (5/5 against 3/5 for The Mobile Application Hacker's Handbook). For most readers, that means Threat Modeling is the primary pick and The Mobile Application Hacker's Handbook is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

The Mobile Application Hacker's Handbook and Threat Modeling both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading