MASTG-DEMO-0090
Uses of BiometricPrompt with Event-Bound Authentication with semgrep
platform:android
MASTG-TEST-0327
current status:current
MASTG-DEMO-0089
Uses of BiometricPrompt with Device Credential Fallback with semgrep
platform:android
MASTG-TEST-0326
current status:current
MASTG-DEMO-0093
Uses of Extended Validity Duration in setUserAuthenticationParameters with semgrep
platform:android
MASTG-TEST-0330
current status:current
MASTG-DEMO-0092
Uses of BiometricPrompt without Explicit User Confirmation with semgrep
platform:android
MASTG-TEST-0329
current status:current
MASTG-DEMO-0091
Uses of setInvalidatedByBiometricEnrollment with semgrep
platform:android
MASTG-TEST-0328
current status:current
MASTG-DEMO-0116
Native Anti-Debugging Checks with TracerPid and ptrace
platform:android
MASTG-TEST-0352
current status:current
MASTG-DEMO-0108
Bypassing Frida Detection in /proc/self/maps to Extract Sensitive Data
platform:android
MASTG-TEST-0341
current status:current
MASTG-DEMO-0027
Runtime Use of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate APIs with Frida
platform:android
MASTG-TEST-0249
current status:current
MASTG-DEMO-0088
Runtime Detection of Root Detection Mechanisms
platform:android
MASTG-TEST-0325
current status:current
MASTG-DEMO-0028
Uses of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate with semgrep
platform:android
MASTG-TEST-0247
current status:current
MASTG-DEMO-0107
Detecting Frida hooks and terminating the application on response
platform:android
MASTG-TEST-0341
current status:current
MASTG-DEMO-0101
References to Storage Integrity Check APIs with semgrep
platform:android
MASTG-TEST-0338
current status:current
MASTG-DEMO-0037
App Leaking Information about Unclosed SQL Cursor via StrictMode
platform:android
MASTG-TEST-0263
current status:current
MASTG-DEMO-0132
Root Detection Logic in Java/Kotlin Layer Only Protected by Identifier Renaming
platform:android
MASTG-TEST-0368
current status:current
MASTG-DEMO-0114
Detecting Emulator Detection Checks with Frida
platform:android
MASTG-TEST-0351
current status:current
MASTG-DEMO-0133
Root Detection Logic in Native Layer with Insufficient Obfuscation
platform:android
MASTG-TEST-0369
current status:current
MASTG-DEMO-0115
JDWP Debugging Checks in App Code
platform:android
MASTG-TEST-0352
current status:current
MASTG-DEMO-0087
Uses of Root Detection Techniques with Semgrep
platform:android
MASTG-TEST-0324
current status:current
MASTG-DEMO-0106
Extracting Sensitive Data from Cipher.doFinal via Frida Hooking
platform:android
MASTG-TEST-0341
current status:current
MASTG-DEMO-0038
Detecting StrictMode Uses with Frida
platform:android
MASTG-TEST-0264
current status:current
MASTG-DEMO-0039
Detecting StrictMode PenaltyLog Usage with Semgrep
platform:android
MASTG-TEST-0265
current status:current
MASTG-DEMO-0081
Sensitive User Data Sent to Firebase Analytics with Frida
platform:android
MASTG-TEST-0319
current status:current
MASTG-DEMO-0033
Dangerous Permissions in the AndroidManifest with semgrep
platform:android
MASTG-TEST-0254
current status:current
MASTG-DEMO-0009
Detecting Undeclared PII in Network Traffic
platform:android
MASTG-TEST-0206
current status:current
MASTG-DEMO-0072
Runtime Use of Asymmetric Key Pairs Used For Multiple Purposes With Frida
platform:android
MASTG-TEST-0308
current status:current
MASTG-DEMO-0012
Cryptographic Key Generation With Insufficient Key Length
platform:android
MASTG-TEST-0208
current status:current
MASTG-DEMO-0017
Use of Hardcoded AES Key in SecretKeySpec with semgrep
platform:android
MASTG-TEST-0212
current status:current
MASTG-DEMO-0071
References to Asymmetric Key Pairs Used For Multiple Purposes with Semgrep
platform:android
MASTG-TEST-0307
current status:current
MASTG-DEMO-0008
Uses of Non-random Sources
platform:android
MASTG-TEST-0205
current status:current
MASTG-DEMO-0007
Common Uses of Insecure Random APIs
platform:android
MASTG-TEST-0204
current status:current
MASTG-DEMO-0075
Uses of Explicit Security Providers in Cryptographic APIs with semgrep
platform:android
MASTG-TEST-0312
current status:current
MASTG-DEMO-0022
Uses of Broken Symmetric Encryption Algorithms in Cipher with semgrep
platform:android
MASTG-TEST-0221
current status:current
MASTG-DEMO-0058
Using KeyGenParameterSpec with a Broken ECB Block Mode
platform:android
MASTG-TEST-0350
current status:current
MASTG-DEMO-0023
Uses of Broken Encryption Modes in Cipher with semgrep
platform:android
MASTG-TEST-0232
current status:current
MASTG-DEMO-0035
Data Exclusion using backup_rules.xml with adb backup
platform:android
MASTG-TEST-0216
current status:current
MASTG-DEMO-0010
File System Snapshots from Internal Storage
platform:android
MASTG-TEST-0207
current status:current
MASTG-DEMO-0060
App Writing Sensitive Data to Sandbox using EncryptedSharedPreferences
platform:android
MASTG-TEST-0287
current status:current
MASTG-DEMO-0005
App Writing to External Storage via the MediaStore API
platform:android
MASTG-TEST-0202
current status:current
MASTG-DEMO-0034
Backup and Restore App Data with semgrep
platform:android
MASTG-TEST-0262
current status:current
MASTG-DEMO-0068
Sensitive Data in Unencrypted SQLite
platform:android
MASTG-TEST-0304
placeholder status:placeholder
MASTG-DEMO-0004
App Writing to External Storage with Scoped Storage Restrictions
platform:android
MASTG-TEST-0202
current status:current
MASTG-DEMO-0006
Tracing Common Logging APIs Looking for Secrets
platform:android
MASTG-TEST-0203
current status:current
MASTG-DEMO-0059
Using SharedPreferences to Write Sensitive Data Unencrypted to the App Sandbox
platform:android
MASTG-TEST-0287
current status:current
MASTG-DEMO-0070
Sensitive Data Stored Unencrypted via Room Database
platform:android
MASTG-TEST-0306
placeholder status:placeholder
MASTG-DEMO-0003
App Writing to External Storage without Scoped Storage Restrictions
platform:android
MASTG-TEST-0202
current status:current
MASTG-DEMO-0064
Uses of Caching UI Elements with semgrep
platform:android
MASTG-TEST-0258
current status:current
MASTG-DEMO-0069
Sensitive Data Stored Unencrypted via DataStore
platform:android
MASTG-TEST-0305
placeholder status:placeholder
MASTG-DEMO-0020
Data Exclusion using backup_rules.xml with Backup Manager
platform:android
MASTG-TEST-0216
current status:current
MASTG-DEMO-0001
File System Snapshots from External Storage
platform:android
MASTG-TEST-0200
current status:current
MASTG-DEMO-0002
External Storage APIs Tracing with Frida
platform:android
MASTG-TEST-0201
current status:current
MASTG-DEMO-0136
Internal Activity Communication via Implicit Intent
platform:android
MASTG-TEST-0372
current status:current
MASTG-DEMO-0139
Path Traversal via Malicious ContentProvider Filename
platform:android
MASTG-TEST-0375
current status:current
MASTG-DEMO-0140
Attacker App Registering for Internal Implicit Intent
platform:android
MASTG-TEST-0372
current status:current
MASTG-DEMO-0050
Identifying Insecure Dependencies in Android Studio
platform:android
MASTG-TEST-0272
current status:current
MASTG-DEMO-0102
SQL Injection via URI Path and Selection in Android Content Providers
platform:android
MASTG-TEST-0339
current status:current
MASTG-DEMO-0025
Uses of Build.VERSION.SDK_INT with semgrep
platform:android
MASTG-TEST-0245
current status:current
MASTG-DEMO-0100
Object Deserialization Using Serializable with semgrep
platform:android
MASTG-TEST-0337
current status:current
MASTG-DEMO-0156
SafeBrowsing Disabled Detection with semgrep
platform:android
MASTG-TEST-0399
current status:current
MASTG-DEMO-0141
Attacker App Returning Malicious ContentProvider Filename
platform:android
MASTG-TEST-0375
current status:current
MASTG-DEMO-0051
Identifying Insecure Dependencies through SBOM Creation
platform:android
MASTG-TEST-0272
current status:current
MASTG-DEMO-0158
Runtime Use of WebViewClient URL Loading Handlers with Frida
platform:android
MASTG-TEST-0400
current status:current
MASTG-DEMO-0157
Uses of WebViewClient URL Loading Handlers with semgrep
platform:android
MASTG-TEST-0398
current status:current
MASTG-DEMO-0138
Leaking Sensitive Information via Implicit Intents
platform:android
MASTG-TEST-0374
current status:current
MASTG-DEMO-0040
Debuggable Flag Enabled in the AndroidManifest with semgrep
platform:android
MASTG-TEST-0226
current status:current
MASTG-DEMO-0032
Uses of WebViews Allowing Local File Access with semgrep
platform:android
MASTG-TEST-0252
current status:current
MASTG-DEMO-0105
Activity-Level Overlay Protection Using setHideOverlayWindows
platform:android
MASTG-TEST-0340
current status:current
MASTG-DEMO-0082
WebView WebStorage Cleanup
platform:android
MASTG-TEST-0320
current status:current
MASTG-DEMO-0130
Sensitive Action Exposed Through an Unprotected Manifest-Declared Broadcast Receiver
platform:android
MASTG-TEST-0366
current status:current
MASTG-DEMO-0152
Custom URL Scheme Handler Without Input Validation with semgrep
platform:android
MASTG-TEST-0394
current status:current
MASTG-DEMO-0151
Deep Link Intent Filter Missing android:autoVerify with semgrep
platform:android
MASTG-TEST-0393
current status:current
MASTG-DEMO-0079
App Exposing Access and Verification Codes in Text Input Fields
platform:android
MASTG-TEST-0316
current status:current
MASTG-DEMO-0123
Exfiltration of Private Files via FileProvider URI Grant Oversharing
platform:android
MASTG-TEST-0357
current status:current
MASTG-DEMO-0097
Sensitive Data and Functionality Exposed Through WebView JavaScript Bridges
platform:android
MASTG-TEST-0334
current status:current
MASTG-DEMO-0121
Unauthorized Access to Database Records through Exported Content Provider
platform:android
MASTG-TEST-0356
current status:current
MASTG-DEMO-0061
Uses of FLAG_SECURE with semgrep
platform:android
MASTG-TEST-0291
current status:current
MASTG-DEMO-0147
Uses of Insecure PendingIntent
platform:android
MASTG-TEST-0381
current status:current
MASTG-DEMO-0120
Uses of Unauthorized Access to Exported Content Providers
platform:android
MASTG-TEST-0355
current status:current
MASTG-DEMO-0122
Oversharing via FileProvider with Unrestricted Path Configuration
platform:android
MASTG-TEST-0357
current status:current
MASTG-DEMO-0128
Sensitive Data Exposed Through an Unprotected Activity
platform:android
MASTG-TEST-0364
current status:current
MASTG-DEMO-0103
Missing Overlay Protection on a Sensitive View
platform:android
MASTG-TEST-0340
current status:current
MASTG-DEMO-0078
App Leaking Sensitive Data via Notifications
platform:android
MASTG-TEST-0315
current status:current
MASTG-DEMO-0029
Uses of WebViews Allowing Content Access with semgrep
platform:android
MASTG-TEST-0250
current status:current
MASTG-DEMO-0063
Incorrectly Preventing Screenshots with SecureFlagPolicy in Compose Dialogs with semgrep
platform:android
MASTG-TEST-0293
placeholder status:placeholder
MASTG-DEMO-0129
Sensitive Action Exposed Through an Unprotected Service
platform:android
MASTG-TEST-0365
current status:current
MASTG-DEMO-0031
Uses of WebViews Allowing Local File Access with Frida
platform:android
MASTG-TEST-0253
current status:current
MASTG-DEMO-0104
App Requesting SYSTEM_ALERT_WINDOW Permission
platform:android
MASTG-TEST-0340
current status:current
MASTG-DEMO-0030
Uses of WebViews Allowing Content Access with Frida
platform:android
MASTG-TEST-0251
current status:current
MASTG-DEMO-0062
Enabling Screenshots in Recents via setRecentsScreenshotEnabled with semgrep
platform:android
MASTG-TEST-0292
placeholder status:placeholder
MASTG-DEMO-0057
Network Security Configuration Allows User-Added Certificates
platform:android
MASTG-TEST-0286
current status:current
MASTG-DEMO-0048
SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier
platform:android
MASTG-TEST-0234
current status:current
MASTG-DEMO-0055
Use of the HostnameVerifier that Allows Any Hostname
platform:android
MASTG-TEST-0283
current status:current
MASTG-DEMO-0049
SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier
platform:android
MASTG-TEST-0234
current status:current
MASTG-DEMO-0054
Use of a TrustManager that Does Not Validate Certificate Chains
platform:android
MASTG-TEST-0282
current status:current
MASTG-DEMO-0056
WebView Ignoring TLS Errors in onReceivedSslError
platform:android
MASTG-TEST-0284
current status:current
MASTG-DEMO-0041
Uses of LAContext.evaluatePolicy with r2
platform:ios
MASTG-TEST-0266
current status:current
MASTG-DEMO-0045
Uses of kSecAccessControlBiometryCurrentSet with r2
platform:ios
MASTG-TEST-0270
current status:current
MASTG-DEMO-0043
Uses of kSecAccessControlUserPresence with r2
platform:ios
MASTG-TEST-0268
current status:current
MASTG-DEMO-0042
Runtime Use of LAContext.evaluatePolicy with Frida
platform:ios
MASTG-TEST-0267
current status:current
MASTG-DEMO-0044
Runtime Use of kSecAccessControlUserPresence with Frida
platform:ios
MASTG-TEST-0269
current status:current
MASTG-DEMO-0047
Runtime Use of the Keychain Not Requiring User Presence with Frida
platform:ios
MASTG-TEST-0266
placeholder status:placeholder
MASTG-DEMO-0046
Runtime Use of kSecAccessControlBiometryCurrentSet with Frida
platform:ios
MASTG-TEST-0271
current status:current
MASTG-DEMO-0036
Debuggable Entitlement Enabled in the entitlements.plist with rabin2
platform:ios
MASTG-TEST-0261
current status:current
MASTG-DEMO-0124
Logging APIs Exposing Implementation Details with r2
platform:ios
MASTG-TEST-0358
current status:current
MASTG-DEMO-0119
Bypassing Frida D-Bus Port Detection to Extract Sensitive Data
platform:ios
MASTG-TEST-0354
current status:current
MASTG-DEMO-0131
Detecting Virtual Device Detection Checks with Frida
platform:ios
MASTG-TEST-0367
current status:current
MASTG-DEMO-0026
Runtime Use of LAContext.canEvaluatePolicy with Frida
platform:ios
MASTG-TEST-0246
current status:current
MASTG-DEMO-0117
Extracting Sensitive Data from CCCrypt via Frida Hooking
platform:ios
MASTG-TEST-0354
current status:current
MASTG-DEMO-0024
Uses of LAContext.canEvaluatePolicy with r2
platform:ios
MASTG-TEST-0248
current status:current
MASTG-DEMO-0118
Detecting Frida Hooks Before Sensitive Cryptographic Operations
platform:ios
MASTG-TEST-0354
current status:current
MASTG-DEMO-0150
References to Storage Integrity Check APIs with radare2
platform:ios
MASTG-TEST-0387
current status:current
MASTG-DEMO-0125
Implementation Details Exposed in App Logs
platform:ios
MASTG-TEST-0359
current status:current
MASTG-DEMO-0021
Uses of Jailbreak Detection Techniques with r2
platform:ios
MASTG-TEST-0240
current status:current
MASTG-DEMO-0126
Runtime Location Capture with a Deceptive Purpose String
platform:ios
MASTG-TEST-0361
current status:current
MASTG-DEMO-0127
Unjustified Capability Exposure due to Excessive Entitlements
platform:ios
MASTG-TEST-0363
current status:current
MASTG-DEMO-0074
Uses of Insecure Random Number Generation with frida-trace
platform:ios
MASTG-TEST-0349
current status:current
MASTG-DEMO-0014
Use of Hardcoded ECDSA Private Key in CryptoKit with r2
platform:ios
MASTG-TEST-0213
current status:current
MASTG-DEMO-0016
Uses of Broken Hashing Algorithms in CryptoKit with r2
platform:ios
MASTG-TEST-0211
current status:current
MASTG-DEMO-0013
Use of Hardcoded RSA Private Key in SecKeyCreateWithData with r2
platform:ios
MASTG-TEST-0213
current status:current
MASTG-DEMO-0011
Uses of Insufficient Key Size in SecKeyCreateRandomKey with r2
platform:ios
MASTG-TEST-0209
current status:current
MASTG-DEMO-0015
Uses of Broken Hashing Algorithms in CommonCrypto with r2
platform:ios
MASTG-TEST-0211
current status:current
MASTG-DEMO-0073
Uses of Insecure Random Number Generation with r2
platform:ios
MASTG-TEST-0311
current status:current
MASTG-DEMO-0018
Uses of Broken Encryption Algorithms in CommonCrypto with r2
platform:ios
MASTG-TEST-0210
current status:current
MASTG-DEMO-0080
Uses of Broken Encryption Modes in CommonCrypto with r2
platform:ios
MASTG-TEST-0317
current status:current
MASTG-DEMO-0019
Uses of isExcludedFromBackupKey with r2
platform:ios
MASTG-TEST-0215
current status:current
MASTG-DEMO-0067
Runtime Tracking of Files Eligible for Backup with Frida
platform:ios
MASTG-TEST-0298
current status:current
MASTG-DEMO-0065
Uses of Logging APIs with r2
platform:ios
MASTG-TEST-0297
current status:current
MASTG-DEMO-0066
Sensitive Data Logging with idevicesyslog
platform:ios
MASTG-TEST-0296
current status:current
MASTG-DEMO-0076
Keyboard Caching Not Prevented for Sensitive Data with r2
platform:ios
MASTG-TEST-0313
current status:current
MASTG-DEMO-0077
Runtime Monitoring of Text Fields Eligible for Keyboard Caching with Frida
platform:ios
MASTG-TEST-0314
current status:current
MASTG-DEMO-0149
References to Object Deserialization of a URL Scheme Payload with r2
platform:ios
MASTG-TEST-0386
draft
MASTG-DEMO-0052
Scanning Package Manager Artifacts for Insecure iOS Dependencies
platform:ios
MASTG-TEST-0273
current status:current
MASTG-DEMO-0053
Identifying Insecure Dependencies in SwiftPM through SBOM creation
platform:ios
MASTG-TEST-0275
current status:current
MASTG-DEMO-0099
Runtime Monitoring of WebView File Access with Frida
platform:ios
MASTG-TEST-0336
current status:current
MASTG-DEMO-0143
Sensitive Data Returned to Page JavaScript via evaluateJavaScript in a WKScriptMessageHandler
platform:ios
MASTG-TEST-0377
current status:current
MASTG-DEMO-0096
HTML Injection in a Local WebView Leading to Local File Access
platform:ios
MASTG-TEST-0333
current status:current
MASTG-DEMO-0098
References to File Access in WebViews with radare2
platform:ios
MASTG-TEST-0335
current status:current
MASTG-DEMO-0146
Sensitive Data Written into WebView DOM via evaluateJavaScript
platform:ios
MASTG-TEST-0380
current status:current
MASTG-DEMO-0094
Use of the Deprecated UIWebView
platform:ios
MASTG-TEST-0331
current status:current
MASTG-DEMO-0144
Password Field Rendered in WebView DOM Without Native Overlay
platform:ios
MASTG-TEST-0378
current status:current
MASTG-DEMO-0145
DOM Inspection Using evaluateJavaScript Without Content World Isolation
platform:ios
MASTG-TEST-0379
current status:current
MASTG-DEMO-0095
Attacker-Controlled Input in a WebView Leading to Unintended Navigation
platform:ios
MASTG-TEST-0332
current status:current
MASTG-DEMO-0113
Runtime Monitoring of Text Input Fields Not Hiding Sensitive Data
platform:ios
MASTG-TEST-0347
current status:current
MASTG-DEMO-0112
Text Input Fields Not Hiding Sensitive Data
platform:ios
MASTG-TEST-0346
current status:current
MASTG-DEMO-0134
Custom URL Scheme Handler Without Input Validation
platform:ios
MASTG-TEST-0370
current status:current
MASTG-DEMO-0142
Sensitive Data and Functionality Exposed Through a WKWebView Native Bridge
platform:ios
MASTG-TEST-0376
current status:current
MASTG-DEMO-0153
Universal Link Handler Without Input Validation
platform:ios
MASTG-TEST-0395
current status:current
MASTG-DEMO-0135
Custom URL Scheme Handler with Source Validation
platform:ios
MASTG-TEST-0371
current status:current
MASTG-DEMO-0155
WKNavigationDelegate Accepting Any Server Certificate
platform:ios
MASTG-TEST-0397
current status:current
MASTG-DEMO-0110
URLSession Minimum TLS Version Lowered in Code
platform:ios
MASTG-TEST-0343
current status:current
MASTG-DEMO-0148
Missing Certificate Pinning in ATS
platform:ios
MASTG-TEST-0385
current status:current
MASTG-DEMO-0085
Uses of Network Framework Bypassing ATS
platform:ios
MASTG-TEST-0323
current status:current
MASTG-DEMO-0109
ATS TLS Policy Exceptions in Info.plist
platform:ios
MASTG-TEST-0342
current status:current
MASTG-DEMO-0083
Insecure ATS Configuration Allowing Cleartext Traffic
platform:ios
MASTG-TEST-0322
current status:current
MASTG-DEMO-0086
Uses of BSD Sockets Bypassing ATS
platform:ios
MASTG-TEST-0323
current status:current
MASTG-DEMO-0154
URLSessionDelegate Accepting Any Server Certificate
platform:ios
MASTG-TEST-0396
current status:current
MASTG-DEMO-0111
Network.framework TLS Minimum Version Lowered via sec_protocol_options
platform:ios
MASTG-TEST-0344
current status:current
MASTG-DEMO-0084
Hardcoded HTTP URLs in iOS Binary
platform:ios
MASTG-TEST-0321
current status:current