OWASP Mobile Application Security
MASTG-TECH-0015: Dynamic Analysis on Android
Initializing search
OWASP/owasp-mastg
OWASP Mobile Application Security
MASWE (Beta)
MASTG
MASVS
MAS Checklist
MAS Crackmes
News
🎙 Talks
⭐ Contribute
💙 Donate
💬 Connect with Us
OWASP Mobile Application Security
OWASP/owasp-mastg
OWASP Mobile Application Security
MASWE (Beta)
MASWE (Beta)
MASVS-STORAGE
MASVS-STORAGE
MASWE-0001: Insertion of Sensitive Data into Logs
MASWE-0002: Sensitive Data Stored With Insufficient Access Restrictions in Internal Locations
MASWE-0003: Backup Unencrypted
MASWE-0004: Sensitive Data Not Excluded From Backup
MASWE-0006: Sensitive Data Stored Unencrypted in Private Storage Locations
MASWE-0007: Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction
MASVS-CRYPTO
MASVS-CRYPTO
MASWE-0009: Weak Cryptographic Key Generation
MASWE-0010: Weak Cryptographic Key Derivation
MASWE-0011: Cryptographic Key Rotation Not Implemented
MASWE-0012: Insecure or Wrong Usage of Cryptographic Key
MASWE-0013: Hardcoded Cryptographic Keys in Use
MASWE-0014: Cryptographic Keys Not Properly Protected at Rest
MASWE-0015: Deprecated Android KeyStore Implementations
MASWE-0016: Unsafe Handling of Imported Cryptographic Keys
MASWE-0017: Cryptographic Keys Not Properly Protected on Export
MASWE-0018: Cryptographic Keys Access Not Restricted
MASWE-0019: Potentially Weak Cryptography Implementations
MASWE-0020: Weak Encryption
MASWE-0021: Weak Hashing
MASWE-0022: Predictable Initialization Vectors (IVs)
MASWE-0023: Weak Padding
MASWE-0024: Weak Message Authentication Codes (MAC)
MASWE-0025: Weak Signature
MASWE-0026: Improper Verification of Cryptographic Signature
MASWE-0027: Cryptographically Weak Pseudo-Random Number Generator (PRNG)
MASVS-AUTH
MASVS-AUTH
MASWE-0005: API Keys Hardcoded in the App Package
MASWE-0028: MFA Implementation Best Practices Not Followed
MASWE-0029: Step-Up Authentication Not Implemented After Login
MASWE-0030: Re-Authenticates Not Triggered On Contextual State Changes
MASWE-0031: Insecure use of Android Protected Confirmation
MASWE-0032: Platform-provided Authentication APIs Not Used
MASWE-0033: Authentication or Authorization Protocol Security Best Practices Not Followed
MASWE-0034: Insecure Implementation of Confirm Credentials
MASWE-0035: Passwordless Authentication Not Implemented
MASWE-0036: Authentication Material Stored Unencrypted on the Device
MASWE-0037: Authentication Material Sent over Insecure Connections
MASWE-0038: Authentication Tokens Not Validated
MASWE-0039: Shared Web Credentials and Website-association Not Implemented
MASWE-0040: Insecure Authentication in WebViews
MASWE-0041: Authentication Enforced Only Locally Instead of on the Server-side
MASWE-0042: Authorization Enforced Only Locally Instead of on the Server-side
MASWE-0043: App Custom PIN Not Bound to Platform KeyStore
MASWE-0044: Biometric Authentication Can Be Bypassed
MASWE-0045: Fallback to Non-biometric Credentials Allowed for Sensitive Transactions
MASWE-0046: Crypto Keys Not Invalidated on New Biometric Enrollment
MASVS-NETWORK
MASVS-NETWORK
MASWE-0047: Insecure Identity Pinning
MASWE-0048: Insecure Machine-to-Machine Communication
MASWE-0049: Proven Networking APIs Not used
MASWE-0050: Cleartext Traffic
MASWE-0051: Unprotected Open Ports
MASWE-0052: Insecure Certificate Validation
MASVS-PLATFORM
MASVS-PLATFORM
MASWE-0053: Sensitive Data Leaked via the User Interface
MASWE-0054: Sensitive Data Leaked via Notifications
MASWE-0055: Sensitive Data Leaked via Screenshots
MASWE-0056: Tapjacking Attacks
MASWE-0057: StrandHogg Attack / Task Affinity Vulnerability
MASWE-0058: Insecure Deep Links
MASWE-0059: Use Of Unauthenticated Platform IPC
MASWE-0060: Insecure Use of UIActivity
MASWE-0061: Insecure Use of App Extensions
MASWE-0062: Insecure Services
MASWE-0063: Insecure Broadcast Receivers
MASWE-0064: Insecure Content Providers
MASWE-0065: Sensitive Data Permanently Shared with Other Apps
MASWE-0066: Insecure Intents
MASWE-0067: Debuggable Flag Not Disabled
MASWE-0068: JavaScript Bridges in WebViews
MASWE-0069: WebViews Allows Access to Local Resources
MASWE-0070: JavaScript Loaded from Untrusted Sources
MASWE-0071: WebViews Loading Content from Untrusted Sources
MASWE-0072: Universal XSS
MASWE-0073: Insecure WebResourceResponse Implementations
MASWE-0074: Web Content Debugging Enabled
MASVS-CODE
MASVS-CODE
MASWE-0075: Enforced Updating Not Implemented
MASWE-0076: Dependencies with Known Vulnerabilities
MASWE-0077: Running on a recent Platform Version Not Ensured
MASWE-0078: Latest Platform Version Not Targeted
MASWE-0079: Unsafe Handling of Data from the Network
MASWE-0080: Unsafe Handling of Data from Backups
MASWE-0081: Unsafe Handling Of Data From External Interfaces
MASWE-0082: Unsafe Handling of Data From Local Storage
MASWE-0083: Unsafe Handling of Data From The User Interface
MASWE-0084: Unsafe Handling of Data from IPC
MASWE-0085: Unsafe Dynamic Code Loading
MASWE-0086: SQL Injection
MASWE-0087: Insecure Parsing and Escaping
MASWE-0088: Insecure Object Deserialization
MASWE-0116: Compiler Provided Security Features Not Used
MASVS-RESILIENCE
MASVS-RESILIENCE
MASWE-0008: Missing Device Secure Lock Verification Implementation
MASWE-0089: Code Obfuscation Not Implemented
MASWE-0090: Resource Obfuscation Not Implemented
MASWE-0091: Anti-Deobfuscation Techniques Not Implemented
MASWE-0092: Static Analysis Tools Not Prevented
MASWE-0093: Debugging Symbols Not Removed
MASWE-0094: Non-Production Resources Not Removed
MASWE-0095: Code That Disables Security Controls Not Removed
MASWE-0096: Data Sent Unencrypted Over Encrypted Connections
MASWE-0097: Root/Jailbreak Detection Not Implemented
MASWE-0098: App Virtualization Environment Detection Not Implemented
MASWE-0099: Emulator Detection Not Implemented
MASWE-0100: Device Attestation Not Implemented
MASWE-0101: Debugger Detection Not Implemented
MASWE-0102: Dynamic Analysis Tools Detection Not Implemented
MASWE-0103: RASP Techniques Not Implemented
MASWE-0104: App Integrity Not Verified
MASWE-0105: Integrity of App Resources Not Verified
MASWE-0106: Official Store Verification Not Implemented
MASWE-0107: Runtime Code Integrity Not Verified
MASVS-PRIVACY
MASVS-PRIVACY
MASWE-0108: Sensitive Data in Network Traffic
MASWE-0109: Lack of Anonymization or Pseudonymisation Measures
MASWE-0110: Use of Unique Identifiers for User Tracking
MASWE-0111: Inadequate Privacy Policy
MASWE-0112: Inadequate Data Collection Declarations
MASWE-0113: Lack of Proper Data Management Controls
MASWE-0114: Inadequate Data Visibility Controls
MASWE-0115: Inadequate or Ambiguous User Consent Mechanisms
MASWE-0117: Inadequate Permission Management
MASTG
MASTG
Intro
Intro
Foreword
Frontispiece
OWASP MASVS and MASTG Adoption
Acknowledgments
Suggested Reading
General Concepts
General Concepts
Mobile Application Taxonomy
Mobile Application Security Testing
Mobile App Tampering and Reverse Engineering
Mobile App Authentication Architectures
Mobile App Network Communication
Mobile App Cryptography
Mobile App Code Quality
Mobile App User Privacy Protection
Android Security Testing
Android Security Testing
Android Platform Overview
Android Security Testing
Android Data Storage
Android Cryptographic APIs
Android Local Authentication
Android Network Communication
Android Platform APIs
Android Code Quality and Build Settings
Android Anti-Reversing Defenses
iOS Security Testing
iOS Security Testing
iOS Platform Overview
iOS Security Testing
iOS Data Storage
iOS Cryptographic APIs
iOS Local Authentication
iOS Network Communication
iOS Platform APIs
iOS Code Quality and Build Settings
iOS Anti-Reversing Defenses
Best Practices
Best Practices
MASTG-BEST-0001: Use Secure Random Number Generator APIs
MASTG-BEST-0002: Remove Logging Code
MASTG-BEST-0003: Comply with Privacy Regulations and Best Practices
MASTG-BEST-0004: Exclude Sensitive Data from Backups
MASTG-BEST-0005: Use Secure Encryption Modes
MASTG-BEST-0006: Use Up-to-Date APK Signing Schemes
MASTG-BEST-0007: Debuggable Flag Disabled in the AndroidManifest
MASTG-BEST-0008: Debugging Disabled for WebViews
MASTG-BEST-0009: Use Secure Encryption Algorithms
MASTG-BEST-0010: Use Up-to-Date minSdkVersion
MASTG-BEST-0011: Securely Load File Content in a WebView
MASTG-BEST-0012: Disable JavaScript in WebViews
MASTG-BEST-0013: Disable Content Provider Access in WebViews
Tests
Tests
Android
Android
MASVS-STORAGE
MASVS-STORAGE
MASTG-TEST-0001: Testing Local Storage for Sensitive Data
MASTG-TEST-0003: Testing Logs for Sensitive Data
MASTG-TEST-0004: Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services
MASTG-TEST-0005: Determining Whether Sensitive Data Is Shared with Third Parties via Notifications
MASTG-TEST-0006: Determining Whether the Keyboard Cache Is Disabled for Text Input Fields
MASTG-TEST-0009: Testing Backups for Sensitive Data
MASTG-TEST-0011: Testing Memory for Sensitive Data
MASTG-TEST-0012: Testing the Device-Access-Security Policy
MASTG-TEST-0200: Files Written to External Storage
MASTG-TEST-0201: Runtime Use of APIs to Access External Storage
MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage
MASTG-TEST-0203: Runtime Use of Logging APIs
MASTG-TEST-0207: Data Stored in the App Sandbox at Runtime
MASTG-TEST-0216: Sensitive Data Not Excluded From Backup
MASTG-TEST-0231: References to Logging APIs
MASTG-TEST-0262: References to Backup Configurations Not Excluding Sensitive Data
MASVS-CRYPTO
MASVS-CRYPTO
MASTG-TEST-0013: Testing Symmetric Cryptography
MASTG-TEST-0014: Testing the Configuration of Cryptographic Standard Algorithms
MASTG-TEST-0015: Testing the Purposes of Keys
MASTG-TEST-0016: Testing Random Number Generation
MASTG-TEST-0204: Insecure Random API Usage
MASTG-TEST-0205: Non-random Sources Usage
MASTG-TEST-0208: Inappropriate Key Sizes
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0221: Weak Symmetric Encryption Algorithms
MASTG-TEST-0232: Weak Symmetric Encryption Modes
MASVS-AUTH
MASVS-AUTH
MASTG-TEST-0017: Testing Confirm Credentials
MASTG-TEST-0018: Testing Biometric Authentication
MASVS-NETWORK
MASVS-NETWORK
MASTG-TEST-0019: Testing Data Encryption on the Network
MASTG-TEST-0020: Testing the TLS Settings
MASTG-TEST-0021: Testing Endpoint Identify Verification
MASTG-TEST-0022: Testing Custom Certificate Stores and Certificate Pinning
MASTG-TEST-0023: Testing the Security Provider
MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code
MASTG-TEST-0218: Insecure TLS Protocols in Network Traffic
MASTG-TEST-0233: Hardcoded HTTP URLs
MASTG-TEST-0234: SSLSockets not Properly Verifying Hostnames
MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic
MASTG-TEST-0236: Cleartext Traffic Observed on the Network
MASTG-TEST-0237: Cross-Platform Framework Configurations Allowing Cleartext Traffic
MASTG-TEST-0238: Runtime Use of Network APIs Transmitting Cleartext Traffic
MASTG-TEST-0239: Using low-level APIs (e.g. Socket) to set up a custom HTTP connection
MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration
MASTG-TEST-0243: Expired Certificate Pins in the Network Security Configuration
MASTG-TEST-0244: Missing Certificate Pinning in Network Traffic
MASVS-PLATFORM
MASVS-PLATFORM
MASTG-TEST-0007: Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms
MASTG-TEST-0008: Checking for Sensitive Data Disclosure Through the User Interface
MASTG-TEST-0010: Finding Sensitive Information in Auto-Generated Screenshots
MASTG-TEST-0024: Testing for App Permissions
MASTG-TEST-0028: Testing Deep Links
MASTG-TEST-0029: Testing for Sensitive Functionality Exposure Through IPC
MASTG-TEST-0030: Testing for Vulnerable Implementation of PendingIntent
MASTG-TEST-0031: Testing JavaScript Execution in WebViews
MASTG-TEST-0032: Testing WebView Protocol Handlers
MASTG-TEST-0033: Testing for Java Objects Exposed Through WebViews
MASTG-TEST-0035: Testing for Overlay Attacks
MASTG-TEST-0037: Testing WebViews Cleanup
MASTG-TEST-0250: References to Content Provider Access in WebViews
MASTG-TEST-0251: Runtime Use of Content Provider Access APIs in WebViews
MASTG-TEST-0252: References to Local File Access in WebViews
MASTG-TEST-0253: Runtime Use of Local File Access APIs in WebViews
MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements
MASVS-CODE
MASVS-CODE
MASTG-TEST-0002: Testing Local Storage for Input Validation
MASTG-TEST-0025: Testing for Injection Flaws
MASTG-TEST-0026: Testing Implicit Intents
MASTG-TEST-0027: Testing for URL Loading in WebViews
MASTG-TEST-0034: Testing Object Persistence
MASTG-TEST-0036: Testing Enforced Updating
MASTG-TEST-0042: Checking for Weaknesses in Third Party Libraries
MASTG-TEST-0043: Memory Corruption Bugs
MASTG-TEST-0044: Make Sure That Free Security Features Are Activated
MASTG-TEST-0222: Position Independent Code (PIC) Not Enabled
MASTG-TEST-0223: Stack Canaries Not Enabled
MASTG-TEST-0245: References to Platform Version APIs
MASTG-TEST-0272: Identify Dependencies with Known Vulnerabilities in the Android Project
MASTG-TEST-0274: Dependencies with Known Vulnerabilities in the App's SBOM
MASVS-RESILIENCE
MASVS-RESILIENCE
MASTG-TEST-0038: Making Sure that the App is Properly Signed
MASTG-TEST-0039: Testing whether the App is Debuggable
MASTG-TEST-0040: Testing for Debugging Symbols
MASTG-TEST-0041: Testing for Debugging Code and Verbose Error Logging
MASTG-TEST-0045: Testing Root Detection
MASTG-TEST-0046: Testing Anti-Debugging Detection
MASTG-TEST-0047: Testing File Integrity Checks
MASTG-TEST-0048: Testing Reverse Engineering Tools Detection
MASTG-TEST-0049: Testing Emulator Detection
MASTG-TEST-0050: Testing Runtime Integrity Checks
MASTG-TEST-0051: Testing Obfuscation
MASTG-TEST-0224: Usage of Insecure Signature Version
MASTG-TEST-0225: Usage of Insecure Signature Key Size
MASTG-TEST-0226: Debuggable Flag Enabled in the AndroidManifest
MASTG-TEST-0227: Debugging Enabled for WebViews
MASTG-TEST-0247: References to APIs for Detecting Secure Screen Lock
MASTG-TEST-0249: Runtime Use of Secure Screen Lock Detection APIs
MASTG-TEST-0263: Logging of StrictMode Violations
MASTG-TEST-0264: Runtime Use of StrictMode APIs
MASTG-TEST-0265: References to StrictMode APIs
MASVS-PRIVACY
MASVS-PRIVACY
MASTG-TEST-0206: Sensitive Data in Network Traffic Capture
MASTG-TEST-0254: Dangerous App Permissions
MASTG-TEST-0255: Permission Requests Not Minimized
MASTG-TEST-0256: Missing Permission Rationale
MASTG-TEST-0257: Not Resetting Unused Permissions
iOS
iOS
MASVS-STORAGE
MASVS-STORAGE
MASTG-TEST-0052: Testing Local Data Storage
MASTG-TEST-0053: Checking Logs for Sensitive Data
MASTG-TEST-0054: Determining Whether Sensitive Data Is Shared with Third Parties
MASTG-TEST-0055: Finding Sensitive Data in the Keyboard Cache
MASTG-TEST-0058: Testing Backups for Sensitive Data
MASTG-TEST-0060: Testing Memory for Sensitive Data
MASTG-TEST-0215: Sensitive Data Not Excluded From Backup
MASVS-CRYPTO
MASVS-CRYPTO
MASTG-TEST-0061: Verifying the Configuration of Cryptographic Standard Algorithms
MASTG-TEST-0062: Testing Key Management
MASTG-TEST-0063: Testing Random Number Generation
MASTG-TEST-0209: Inappropriate Key Sizes
MASTG-TEST-0210: Weak Encryption Algorithms
MASTG-TEST-0211: Weak Hashing Algorithms
MASTG-TEST-0213: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0214: Hardcoded Cryptographic Keys in Files
MASVS-AUTH
MASVS-AUTH
MASTG-TEST-0064: Testing Biometric Authentication
MASTG-TEST-0266: References to APIs for Event-Bound Biometric Authentication
MASTG-TEST-0267: Runtime Use Of Event-Bound Biometric Authentication
MASTG-TEST-0268: References to APIs Allowing Fallback to Non-Biometric Authentication
MASTG-TEST-0269: Runtime Use Of APIs Allowing Fallback to Non-Biometric Authentication
MASTG-TEST-0270: References to APIs Detecting Biometric Enrollment Changes
MASTG-TEST-0271: Runtime Use Of APIs Detecting Biometric Enrollment Changes
MASVS-NETWORK
MASVS-NETWORK
MASTG-TEST-0065: Testing Data Encryption on the Network
MASTG-TEST-0066: Testing the TLS Settings
MASTG-TEST-0067: Testing Endpoint Identity Verification
MASTG-TEST-0068: Testing Custom Certificate Stores and Certificate Pinning
MASVS-PLATFORM
MASVS-PLATFORM
MASTG-TEST-0056: Determining Whether Sensitive Data Is Exposed via IPC Mechanisms
MASTG-TEST-0057: Checking for Sensitive Data Disclosed Through the User Interface
MASTG-TEST-0059: Testing Auto-Generated Screenshots for Sensitive Information
MASTG-TEST-0069: Testing App Permissions
MASTG-TEST-0070: Testing Universal Links
MASTG-TEST-0071: Testing UIActivity Sharing
MASTG-TEST-0072: Testing App Extensions
MASTG-TEST-0073: Testing UIPasteboard
MASTG-TEST-0075: Testing Custom URL Schemes
MASTG-TEST-0076: Testing iOS WebViews
MASTG-TEST-0077: Testing WebView Protocol Handlers
MASTG-TEST-0078: Determining Whether Native Methods Are Exposed Through WebViews
MASTG-TEST-0276: Use of the iOS General Pasteboard
MASTG-TEST-0277: Sensitive Data in the iOS General Pasteboard at Runtime
MASTG-TEST-0278: Pasteboard Contents Not Cleared After Use
MASTG-TEST-0279: Pasteboard Contents Not Expiring
MASTG-TEST-0280: Pasteboard Contents Not Restricted to Local Device
MASVS-CODE
MASVS-CODE
MASTG-TEST-0079: Testing Object Persistence
MASTG-TEST-0080: Testing Enforced Updating
MASTG-TEST-0085: Checking for Weaknesses in Third Party Libraries
MASTG-TEST-0086: Memory Corruption Bugs
MASTG-TEST-0087: Make Sure That Free Security Features Are Activated
MASTG-TEST-0228: Position Independent Code (PIC) not Enabled
MASTG-TEST-0229: Stack Canaries Not enabled
MASTG-TEST-0230: Automatic Reference Counting (ARC) not enabled
MASTG-TEST-0273: Identify Dependencies with Known Vulnerabilities by Scanning Dependency Managers Artifacts
MASTG-TEST-0275: Dependencies with Known Vulnerabilities in the App's SBOM
MASVS-RESILIENCE
MASVS-RESILIENCE
MASTG-TEST-0081: Making Sure that the App Is Properly Signed
MASTG-TEST-0082: Testing whether the App is Debuggable
MASTG-TEST-0083: Testing for Debugging Symbols
MASTG-TEST-0084: Testing for Debugging Code and Verbose Error Logging
MASTG-TEST-0088: Testing Jailbreak Detection
MASTG-TEST-0089: Testing Anti-Debugging Detection
MASTG-TEST-0090: Testing File Integrity Checks
MASTG-TEST-0091: Testing Reverse Engineering Tools Detection
MASTG-TEST-0092: Testing Emulator Detection
MASTG-TEST-0093: Testing Obfuscation
MASTG-TEST-0219: Testing for Debugging Symbols
MASTG-TEST-0220: Usage of Outdated Code Signature Format
MASTG-TEST-0240: Jailbreak Detection in Code
MASTG-TEST-0241: Runtime Use of Jailbreak Detection Techniques
MASTG-TEST-0246: Runtime Use of Secure Screen Lock Detection APIs
MASTG-TEST-0248: References to APIs for Detecting Secure Screen Lock
MASTG-TEST-0261: Debuggable Entitlement Enabled in the entitlements.plist
MASVS-PRIVACY
MASVS-PRIVACY
MASTG-TEST-0281: Undeclared Known Tracking Domains
Demos
Demos
Android
Android
MASVS-STORAGE
MASVS-STORAGE
MASTG-DEMO-0001: File System Snapshots from External Storage
MASTG-DEMO-0002: External Storage APIs Tracing with Frida
MASTG-DEMO-0003: App Writing to External Storage without Scoped Storage Restrictions
MASTG-DEMO-0004: App Writing to External Storage with Scoped Storage Restrictions
MASTG-DEMO-0005: App Writing to External Storage via the MediaStore API
MASTG-DEMO-0006: Tracing Common Logging APIs Looking for Secrets
MASTG-DEMO-0010: File System Snapshots from Internal Storage
MASTG-DEMO-0020: Data Exclusion using backup_rules.xml with Backup Manager
MASTG-DEMO-0024: Uses of Caching UI Elements with semgrep
MASTG-DEMO-0034: Backup and Restore App Data with semgrep
MASTG-DEMO-0035: Data Exclusion using backup_rules.xml with adb backup
MASVS-CRYPTO
MASVS-CRYPTO
MASTG-DEMO-0007: Common Uses of Insecure Random APIs
MASTG-DEMO-0008: Uses of Non-random Sources
MASTG-DEMO-0012: Weak Cryptographic Key Generation
MASTG-DEMO-0017: Use of Hardcoded AES Key in SecretKeySpec with semgrep
MASTG-DEMO-0022: Uses of Insecure Symmetric Encryption Algorithms in Cipher with semgrep
MASTG-DEMO-0023: Uses of Insecure Encryption Modes in Cipher with semgrep
MASVS-NETWORK
MASVS-NETWORK
MASTG-DEMO-0048: SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier
MASTG-DEMO-0049: SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier
MASVS-PLATFORM
MASVS-PLATFORM
MASTG-DEMO-0029: Uses of WebViews Allowing Content Access with semgrep
MASTG-DEMO-0030: Uses of WebViews Allowing Content Access with Frida
MASTG-DEMO-0031: Uses of WebViews Allowing Local File Access with Frida
MASTG-DEMO-0032: Uses of WebViews Allowing Local File Access with semgrep
MASTG-DEMO-0040: Debuggable Flag Enabled in the AndroidManifest with semgrep
MASVS-CODE
MASVS-CODE
MASTG-DEMO-0025: Uses of Build.VERSION.SDK_INT with semgrep
MASTG-DEMO-0050: Identifying Insecure Dependencies in Android Studio
MASTG-DEMO-0051: Identifying Insecure Dependencies through SBOM Creation
MASVS-RESILIENCE
MASVS-RESILIENCE
MASTG-DEMO-0027: Runtime Use of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate APIs with Frida
MASTG-DEMO-0028: Uses of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate with semgrep
MASTG-DEMO-0037: App Leaking Information about Unclosed SQL Cursor via StrictMode
MASTG-DEMO-0038: Detecting StrictMode Uses with Frida
MASTG-DEMO-0039: Detecting StrictMode PenaltyLog Usage with Semgrep
MASVS-PRIVACY
MASVS-PRIVACY
MASTG-DEMO-0009: Detecting Sensitive Data in Network Traffic
MASTG-DEMO-0033: Dangerous Permissions in the AndroidManifest with semgrep
iOS
iOS
MASVS-STORAGE
MASVS-STORAGE
MASTG-DEMO-0019: Uses of isExcludedFromBackupKey with r2
MASVS-CRYPTO
MASVS-CRYPTO
MASTG-DEMO-0011: Uses of Weak Key Size in SecKeyCreateRandomKey with r2
MASTG-DEMO-0013: Use of Hardcoded RSA Private Key in SecKeyCreateWithData with r2
MASTG-DEMO-0014: Use of Hardcoded ECDSA Private Key in CryptoKit with r2
MASTG-DEMO-0015: Uses of Insecure Hashing Algorithms in CommonCrypto with r2
MASTG-DEMO-0016: Uses of Insecure Hashing Algorithms in CryptoKit with r2
MASTG-DEMO-0018: Uses of Insecure Encryption Algorithms in CommonCrypto with r2
MASVS-AUTH
MASVS-AUTH
MASTG-DEMO-0041: Uses of LAContext.evaluatePolicy with r2
MASTG-DEMO-0042: Runtime Use of LAContext.evaluatePolicy with Frida
MASTG-DEMO-0043: Uses of kSecAccessControlUserPresence with r2
MASTG-DEMO-0044: Runtime Use of kSecAccessControlUserPresence with Frida
MASTG-DEMO-0045: Uses of kSecAccessControlBiometryCurrentSet with r2
MASTG-DEMO-0046: Runtime Use of kSecAccessControlBiometryCurrentSet with Frida
MASTG-DEMO-0047: Runtime Use of the Keychain Not Requiring User Presence with Frida
MASVS-RESILIENCE
MASVS-RESILIENCE
MASTG-DEMO-0021: Uses of Jailbreak Detection Techniques with r2
MASTG-DEMO-0024: Uses of LAContext.canEvaluatePolicy with r2
MASTG-DEMO-0026: Runtime Use of LAContext.canEvaluatePolicy with Frida
MASTG-DEMO-0036: Debuggable Entitlement Enabled in the entitlements.plist with rabin2
Techniques
Techniques
Generic
Generic
MASTG-TECH-0047: Reverse Engineering
MASTG-TECH-0048: Static Analysis
MASTG-TECH-0049: Dynamic Analysis
MASTG-TECH-0050: Binary Analysis
MASTG-TECH-0051: Tampering and Runtime Instrumentation
MASTG-TECH-0119: Intercepting HTTP Traffic by Hooking Network APIs at the Application Layer
MASTG-TECH-0120: Intercepting HTTP Traffic Using an Interception Proxy
MASTG-TECH-0121: Intercepting Non-HTTP Traffic Using an Interception Proxy
MASTG-TECH-0122: Passive Eavesdropping
MASTG-TECH-0123: Achieving a MITM Position via ARP Spoofing
MASTG-TECH-0124: Achieving a MITM Position Using a Rogue Access Point
MASTG-TECH-0125: Intercepting Xamarin Traffic
Android
Android
MASTG-TECH-0001: Accessing the Device Shell
MASTG-TECH-0002: Host-Device Data Transfer
MASTG-TECH-0003: Obtaining and Extracting Apps
MASTG-TECH-0004: Repackaging Apps
MASTG-TECH-0005: Installing Apps
MASTG-TECH-0006: Listing Installed Apps
MASTG-TECH-0007: Exploring the App Package
MASTG-TECH-0008: Accessing App Data Directories
MASTG-TECH-0009: Monitoring System Logs
MASTG-TECH-0010: Basic Network Monitoring/Sniffing
MASTG-TECH-0011: Setting Up an Interception Proxy
MASTG-TECH-0012: Bypassing Certificate Pinning
MASTG-TECH-0013: Reverse Engineering Android Apps
MASTG-TECH-0014: Static Analysis on Android
MASTG-TECH-0015: Dynamic Analysis on Android
MASTG-TECH-0016: Disassembling Code to Smali
MASTG-TECH-0017: Decompiling Java Code
MASTG-TECH-0018: Disassembling Native Code
MASTG-TECH-0019: Retrieving Strings
MASTG-TECH-0020: Retrieving Cross References
MASTG-TECH-0021: Information Gathering - API Usage
MASTG-TECH-0022: Information Gathering - Network Communication
MASTG-TECH-0023: Reviewing Decompiled Java Code
MASTG-TECH-0024: Reviewing Disassembled Native Code
MASTG-TECH-0025: Automated Static Analysis
MASTG-TECH-0026: Dynamic Analysis on Non-Rooted Devices
MASTG-TECH-0027: Get Open Files
MASTG-TECH-0028: Get Open Connections
MASTG-TECH-0029: Get Loaded Native Libraries
MASTG-TECH-0030: Sandbox Inspection
MASTG-TECH-0031: Debugging
MASTG-TECH-0032: Execution Tracing
MASTG-TECH-0033: Method Tracing
MASTG-TECH-0034: Native Code Tracing
MASTG-TECH-0035: JNI Tracing
MASTG-TECH-0036: Emulation-based Analysis
MASTG-TECH-0037: Symbolic Execution
MASTG-TECH-0038: Patching
MASTG-TECH-0039: Repackaging & Re-Signing
MASTG-TECH-0040: Waiting for the Debugger
MASTG-TECH-0041: Library Injection
MASTG-TECH-0042: Getting Loaded Classes and Methods Dynamically
MASTG-TECH-0043: Method Hooking
MASTG-TECH-0044: Process Exploration
MASTG-TECH-0045: Runtime Reverse Engineering
MASTG-TECH-0100: Logging Sensitive Data from Network Traffic
MASTG-TECH-0108: Taint Analysis
MASTG-TECH-0109: Intercepting Flutter HTTPS Traffic
MASTG-TECH-0112: Reverse Engineering Flutter Applications
MASTG-TECH-0115: Obtaining Compiler-Provided Security Features
MASTG-TECH-0116: Obtaining Information about the APK Signature
MASTG-TECH-0117: Obtaining Information from the AndroidManifest
MASTG-TECH-0126: Obtaining App Permissions
MASTG-TECH-0127: Inspecting an App's Backup Data
MASTG-TECH-0128: Performing a Backup and Restore of App Data
MASTG-TECH-0129: Verifying Android Dependencies at Runtime
MASTG-TECH-0130: Software Composition Analysis (SCA) of Android Dependencies by Creating a SBOM
MASTG-TECH-0131: Software Composition Analysis (SCA) of Android Dependencies at Build Time
iOS
iOS
MASTG-TECH-0052: Accessing the Device Shell
MASTG-TECH-0053: Host-Device Data Transfer
MASTG-TECH-0054: Obtaining and Extracting Apps
MASTG-TECH-0055: Launching a Repackaged App in Debug Mode
MASTG-TECH-0056: Installing Apps
MASTG-TECH-0057: Listing Installed Apps
MASTG-TECH-0058: Exploring the App Package
MASTG-TECH-0059: Accessing App Data Directories
MASTG-TECH-0060: Monitoring System Logs
MASTG-TECH-0061: Dumping KeyChain Data
MASTG-TECH-0062: Basic Network Monitoring/Sniffing
MASTG-TECH-0063: Setting up an Interception Proxy
MASTG-TECH-0064: Bypassing Certificate Pinning
MASTG-TECH-0065: Reverse Engineering iOS Apps
MASTG-TECH-0066: Static Analysis on iOS
MASTG-TECH-0067: Dynamic Analysis on iOS
MASTG-TECH-0068: Disassembling Native Code
MASTG-TECH-0069: Decompiling Native Code
MASTG-TECH-0070: Extracting Information from the Application Binary
MASTG-TECH-0071: Retrieving Strings
MASTG-TECH-0072: Retrieving Cross References
MASTG-TECH-0073: Information Gathering - API Usage
MASTG-TECH-0074: Information Gathering - Network Communication
MASTG-TECH-0075: Reviewing Decompiled Objective-C and Swift Code
MASTG-TECH-0076: Reviewing Disassembled Objective-C and Swift Code
MASTG-TECH-0077: Reviewing Disassembled Native Code
MASTG-TECH-0078: Automated Static Analysis
MASTG-TECH-0079: Obtaining a Developer Provisioning Profile
MASTG-TECH-0080: Get Open Files
MASTG-TECH-0081: Get Open Connections
MASTG-TECH-0082: Get Shared Libraries
MASTG-TECH-0083: Sandbox Inspection
MASTG-TECH-0084: Debugging
MASTG-TECH-0085: Execution Tracing
MASTG-TECH-0086: Method Tracing
MASTG-TECH-0087: Native Code Tracing
MASTG-TECH-0088: Emulation-based Analysis
MASTG-TECH-0089: Symbolic Execution
MASTG-TECH-0090: Injecting Frida Gadget into an IPA Automatically
MASTG-TECH-0091: Injecting Libraries into an IPA Manually
MASTG-TECH-0092: Signing IPA files
MASTG-TECH-0093: Waiting for the debugger
MASTG-TECH-0094: Getting Loaded Classes and Methods dynamically
MASTG-TECH-0095: Method Hooking
MASTG-TECH-0096: Process Exploration
MASTG-TECH-0097: Runtime Reverse Engineering
MASTG-TECH-0098: Patching React Native Apps
MASTG-TECH-0110: Intercepting Flutter HTTPS Traffic
MASTG-TECH-0111: Extracting Entitlements from MachO Binaries
MASTG-TECH-0112: Obtaining the Code Signature Format Version
MASTG-TECH-0113: Obtaining Debugging Symbols
MASTG-TECH-0114: Demangling Symbols
MASTG-TECH-0118: Obtaining Compiler-Provided Security Features
MASTG-TECH-0119: Bypassing Biometric Authentication
MASTG-TECH-0132: Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBOM
MASTG-TECH-0133: Software Composition Analysis (SCA) of iOS Dependencies by Scanning Package Manager Artifacts
MASTG-TECH-0134: Monitoring the Pasteboard
Tools
Tools
Generic
Generic
MASTG-TOOL-0031: Frida
MASTG-TOOL-0032: Frida CodeShare
MASTG-TOOL-0033: Ghidra
MASTG-TOOL-0034: LIEF
MASTG-TOOL-0035: MobSF
MASTG-TOOL-0036: r2frida
MASTG-TOOL-0037: RMS Runtime Mobile Security
MASTG-TOOL-0038: objection
MASTG-TOOL-0098: iaito
MASTG-TOOL-0100: reFlutter
MASTG-TOOL-0101: disable-flutter-tls-verification
MASTG-TOOL-0104: hermes-dec
MASTG-TOOL-0106: Fridump
MASTG-TOOL-0108: Corellium
MASTG-TOOL-0110: semgrep
MASTG-TOOL-0129: rabin2
MASTG-TOOL-0131: dependency-check
MASTG-TOOL-0132: dependency-track
MASTG-TOOL-0133: Visual Studio Code (vscode)
MASTG-TOOL-0134: cdxgen
Android
Android
MASTG-TOOL-0001: Frida for Android
MASTG-TOOL-0002: MobSF for Android
MASTG-TOOL-0003: nm - Android
MASTG-TOOL-0004: adb
MASTG-TOOL-0005: Android NDK
MASTG-TOOL-0006: Android SDK
MASTG-TOOL-0007: Android Studio
MASTG-TOOL-0008: Android-SSL-TrustKiller
MASTG-TOOL-0009: APKiD
MASTG-TOOL-0010: APKLab
MASTG-TOOL-0011: Apktool
MASTG-TOOL-0012: apkx
MASTG-TOOL-0013: Busybox
MASTG-TOOL-0014: Bytecode Viewer
MASTG-TOOL-0015: drozer
MASTG-TOOL-0016: gplaycli
MASTG-TOOL-0017: House
MASTG-TOOL-0018: jadx
MASTG-TOOL-0019: jdb
MASTG-TOOL-0020: JustTrustMe
MASTG-TOOL-0021: Magisk
MASTG-TOOL-0022: Proguard
MASTG-TOOL-0023: RootCloak Plus
MASTG-TOOL-0024: Scrcpy
MASTG-TOOL-0025: SSLUnpinning
MASTG-TOOL-0026: Termux
MASTG-TOOL-0027: Xposed
MASTG-TOOL-0028: radare2 for Android
MASTG-TOOL-0029: objection for Android
MASTG-TOOL-0030: Angr
MASTG-TOOL-0099: FlowDroid
MASTG-TOOL-0103: uber-apk-signer
MASTG-TOOL-0107: JNITrace
MASTG-TOOL-0112: pidcat
MASTG-TOOL-0116: Blutter
MASTG-TOOL-0120: ProxyDroid
MASTG-TOOL-0123: apksigner
MASTG-TOOL-0124: aapt2
MASTG-TOOL-0125: Apkleaks
MASTG-TOOL-0130: blint
iOS
iOS
MASTG-TOOL-0039: Frida for iOS
MASTG-TOOL-0040: MobSF for iOS
MASTG-TOOL-0041: nm - iOS
MASTG-TOOL-0042: BinaryCookieReader
MASTG-TOOL-0043: class-dump
MASTG-TOOL-0044: class-dump-z
MASTG-TOOL-0045: class-dump-dyld
MASTG-TOOL-0046: Cycript
MASTG-TOOL-0047: Cydia
MASTG-TOOL-0048: dsdump
MASTG-TOOL-0049: Frida-cycript
MASTG-TOOL-0050: Frida-ios-dump
MASTG-TOOL-0051: gdb
MASTG-TOOL-0053: iOSbackup
MASTG-TOOL-0054: ios-deploy
MASTG-TOOL-0055: iproxy
MASTG-TOOL-0056: Keychain-Dumper
MASTG-TOOL-0057: lldb
MASTG-TOOL-0058: MachoOView
MASTG-TOOL-0059: optool
MASTG-TOOL-0060: otool
MASTG-TOOL-0061: Grapefruit
MASTG-TOOL-0062: Plutil
MASTG-TOOL-0063: security
MASTG-TOOL-0064: Sileo
MASTG-TOOL-0065: simctl
MASTG-TOOL-0066: SSL Kill Switch 3
MASTG-TOOL-0067: swift-demangle
MASTG-TOOL-0068: SwiftShield
MASTG-TOOL-0069: Usbmuxd
MASTG-TOOL-0070: Xcode
MASTG-TOOL-0071: Xcode Command Line Tools
MASTG-TOOL-0072: xcrun
MASTG-TOOL-0073: radare2 for iOS
MASTG-TOOL-0074: objection for iOS
MASTG-TOOL-0102: ios-app-signer
MASTG-TOOL-0105: ipsw
MASTG-TOOL-0111: ldid
MASTG-TOOL-0114: codesign
MASTG-TOOL-0117: fastlane
MASTG-TOOL-0118: Sideloadly
MASTG-TOOL-0121: objdump - iOS
MASTG-TOOL-0122: c++filt
MASTG-TOOL-0126: libimobiledevice suite
MASTG-TOOL-0127: AppSync Unified
MASTG-TOOL-0128: Filza
Network
Network
MASTG-TOOL-0075: Android tcpdump
MASTG-TOOL-0076: bettercap
MASTG-TOOL-0077: Burp Suite
MASTG-TOOL-0078: MITM Relay
MASTG-TOOL-0079: ZAP
MASTG-TOOL-0080: tcpdump
MASTG-TOOL-0081: Wireshark
MASTG-TOOL-0097: mitmproxy
MASTG-TOOL-0109: Nope-Proxy
MASTG-TOOL-0115: HTTP Toolkit
Apps
Apps
Android
Android
MASTG-APP-0001: AndroGoat
MASTG-APP-0002: Android License Validator
MASTG-APP-0003: Android UnCrackable L1
MASTG-APP-0004: Android UnCrackable L2
MASTG-APP-0005: Android UnCrackable L3
MASTG-APP-0006: Digitalbank
MASTG-APP-0007: DIVA Android
MASTG-APP-0008: DodoVulnerableBank
MASTG-APP-0009: DVHMA
MASTG-APP-0010: InsecureBankv2
MASTG-APP-0011: MASTG Hacking Playground (Java)
MASTG-APP-0012: MASTG Hacking Playground (Kotlin)
MASTG-APP-0013: OVAA
MASTG-APP-0014: InsecureShop
MASTG-APP-0015: Android UnCrackable L4
MASTG-APP-0016: Finstergram
MASTG-APP-0017: Disable-flutter-tls-verification
iOS
iOS
MASTG-APP-0023: DVIA
MASTG-APP-0024: DVIA-v2
MASTG-APP-0025: iOS UnCrackable L1
MASTG-APP-0026: iOS UnCrackable L2
MASTG-APP-0027: Disable-flutter-tls-verification
MASTG-APP-0028: iGoat-Swift
MASVS
MASVS
Intro
Intro
Foreword
About the Standard
The Mobile Application Security Verification Standard
Assessment and Certification
MASVS-STORAGE: Storage
MASVS-STORAGE-1
MASVS-STORAGE-2
MASVS-CRYPTO: Cryptography
MASVS-CRYPTO-1
MASVS-CRYPTO-2
MASVS-AUTH: Authentication and Authorization
MASVS-AUTH-1
MASVS-AUTH-2
MASVS-AUTH-3
MASVS-NETWORK: Network Communication
MASVS-NETWORK-1
MASVS-NETWORK-2
MASVS-PLATFORM: Platform Interaction
MASVS-PLATFORM-1
MASVS-PLATFORM-2
MASVS-PLATFORM-3
MASVS-CODE: Code Quality
MASVS-CODE-1
MASVS-CODE-2
MASVS-CODE-3
MASVS-CODE-4
MASVS-RESILIENCE: Resilience Against Reverse Engineering and Tampering
MASVS-RESILIENCE-1
MASVS-RESILIENCE-2
MASVS-RESILIENCE-3
MASVS-RESILIENCE-4
MASVS-PRIVACY: Privacy
MASVS-PRIVACY-1
MASVS-PRIVACY-2
MASVS-PRIVACY-3
MASVS-PRIVACY-4
MAS Checklist
MAS Checklist
MASVS-STORAGE
MASVS-CRYPTO
MASVS-AUTH
MASVS-NETWORK
MASVS-PLATFORM
MASVS-CODE
MASVS-RESILIENCE
MASVS-PRIVACY
MAS Crackmes
MAS Crackmes
Android Crackmes
iOS Crackmes
News
News
Archive
Archive
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
🎙 Talks
⭐ Contribute
⭐ Contribute
How Can You Contribute?
Getting Started
Pull Requests & Reviews
Add a New Language
Style Guide
Add a Crackme
How to Run the OWASP MAS Website Locally
💙 Donate
💙 Donate
Donations
How to Donate
Donation Packages
💬 Connect with Us
android
MASTG-TECH-0015: Dynamic Analysis on Android
TBD
Back to top