MASTG Demos (v2 Beta)

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

About the MASTG Demos

Demos are write-ups that demonstrate the weakness in a sample application. They can be seen as a practical application of the tests.

Each demo contains the following information:

  • Overview: A brief description of the demo.
  • Sample: A code snippet that demonstrates the weakness.
  • Steps: The specific steps followed to identify the weakness in the sample code.
  • Observation: A description of the results of running the test against the code.
  • Evaluation: The evaluation of the results of the test explaining why it failed or passed.

All demos in the MASTG are written in markdown and are located in the demos directory.

Each demo directory contains the following files:

  • MASTG-DEMO-****.md: The markdown file containing the demo write-up.
  • MastgTest.kt: The Kotlin code snippet that demonstrates the weakness.
  • output.txt: The output of running the test against the code.
  • run.sh: The script that runs the test against the code.

Depending on the test, the demo may contain additional files, such as configuration files or additional code snippets, scripts (e.g. in Python), or output files. The samples are written in Kotlin or Swift, depending on the platform. In some cases, the samples will also include configuration files such as AndroidManifest.xml or Info.plist.

If the sample can be decompiled, the decompiled code is also provided in the demo. This is useful for understanding the code in the context of the application.

Demos are required to be fully self-contained and should not rely on external resources or dependencies. This ensures that the demos can be run independently and that the results are reproducible. They must be proven to work on the provided sample applications and must be tested thoroughly before being included in the MASTG.

MAS Test Apps

In order for our new demos to be reliable and consistent, we needed to make sure that the results were reproducible and could be tested and validated. This is where the new MASTestApps came in. They are two very simple apps that mirror each other on Android and iOS. Demos must be implemented using these apps. This helps the reviewer and serves as a playground to create and practice your MAS skills.

Simply clone the repository and follow the instructions to run the apps on your local machine. Use them to validate the demos before submitting them to the MASTG.

IMPORTANT DISCLAIMER

Please read this disclaimer carefully as it contains essential information regarding the use of the Mobile Application Security Testing Guide (MASTG).

  • Scope and Purpose of MASTG Artifacts: Each new release of the MASTG will include a collection of testing resources such as Static Application Security Testing (SAST) rules, Dynamic Application Security Testing (DAST) scripts, and other relevant artifacts. However, it's crucial to understand that these resources are not intended to provide a comprehensive solution for all your security testing needs.

  • Baseline: The resources provided in the MASTG serve as a baseline or starting point. They are designed to be used as references and learning tools in the field of mobile application security. While they offer valuable insights and guidelines, they should be used as a foundation upon which you can build and tailor your own specific automation and security testing processes.

  • No Guarantee of Complete Coverage: The OWASP Mobile Application Security (MAS) project, the entity behind the MASTG, explicitly does not assume responsibility or guarantee that the provided code and resources will identify all possible vulnerabilities in mobile applications. Security testing is a complex and evolving field, and the effectiveness of any set of tools or rules varies depending on numerous factors, including the specific context of the application being tested, the experience of the tester, and the changing landscape of security threats.

  • Potential for False Positives and Negatives: Users of the MASTG should be aware that the testing resources might generate a significant number of false positives (incorrectly identifying non-issues as vulnerabilities) and false negatives (failing to detect actual vulnerabilities). It is essential to approach the results with a critical and informed mindset, and supplement automated testing with manual review and analysis.

  • Continuous Learning and Adaptation: The field of mobile application security is continuously evolving. As such, the MASTG resources should be seen as a living body of knowledge, subject to updates and improvements. Users are encouraged to stay informed about the latest security trends and techniques and to actively contribute to the evolution of these resources.

By using the MASTG, you acknowledge and agree to these limitations. It's recommended to combine the use of MASTG resources with other security practices and tools to achieve a more comprehensive and effective security testing strategy for your mobile applications.

ID Title Platform Test
MASTG-DEMO-0011 Uses of Weak Key Size in SecKeyCreateRandomKey with r2 platform:ios MASTG-TEST-0209
MASTG-DEMO-0014 Use of Hardcoded ECDSA Private Key in CryptoKit with r2 platform:ios MASTG-TEST-0213
MASTG-DEMO-0018 Uses of Insecure Encryption Algorithms in CommonCrypto with r2 platform:ios MASTG-TEST-0210
MASTG-DEMO-0013 Use of Hardcoded RSA Private Key in SecKeyCreateWithData with r2 platform:ios MASTG-TEST-0213
MASTG-DEMO-0016 Uses of Insecure Hashing Algorithms in CryptoKit with r2 platform:ios MASTG-TEST-0211
MASTG-DEMO-0015 Uses of Insecure Hashing Algorithms in CommonCrypto with r2 platform:ios MASTG-TEST-0211
MASTG-DEMO-0019 Uses of isExcludedFromBackupKey with r2 platform:ios MASTG-TEST-0215
MASTG-DEMO-0009 Detecting Sensitive Data in Network Traffic platform:android MASTG-TEST-0206
MASTG-DEMO-0008 Uses of Non-random Sources platform:android MASTG-TEST-0205
MASTG-DEMO-0007 Common Uses of Insecure Random APIs platform:android MASTG-TEST-0204
MASTG-DEMO-0017 Use of Hardcoded AES Key in SecretKeySpec with semgrep platform:android MASTG-TEST-0212
MASTG-DEMO-0012 Weak Cryptographic Key Generation platform:android MASTG-TEST-0208
MASTG-DEMO-0005 App Writing to External Storage via the MediaStore API platform:android MASTG-TEST-0202
MASTG-DEMO-0003 App Writing to External Storage without Scoped Storage Restrictions platform:android MASTG-TEST-0202
MASTG-DEMO-0020 Uses of AutoBackup backup_rules.xml to Exclude Data From Backups platform:android MASTG-TEST-0216
MASTG-DEMO-0004 App Writing to External Storage with Scoped Storage Restrictions platform:android MASTG-TEST-0202
MASTG-DEMO-0010 File System Snapshots from Internal Storage platform:android MASTG-TEST-0207
MASTG-DEMO-0001 File System Snapshots from External Storage platform:android MASTG-TEST-0200
MASTG-DEMO-0002 External Storage APIs Tracing with Frida platform:android MASTG-TEST-0201
MASTG-DEMO-0006 Tracing Common Logging APIs Looking for Secrets platform:android MASTG-TEST-0203