MASTG Tests (v2 Beta)

Content in BETA

This content is in beta and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).

About the MASTG Tests

The MASTG "Atomic Tests" are a new addition to the MAS project. They are a collection of small, individual tests that can be used to assess the security and privacy of a mobile application. Each test is designed to be simple and focused on a single issue. The goal is to make it easier for developers and security professionals to identify and fix issues in their mobile applications.

Tests are organized into categories based on the OWASP MASVS and have a weakness assigned from the OWASP MASWE.

Each test includes:

  • Overview: A brief description of the test.
  • Steps: A set of steps to follow to identify the weakness in a mobile application.
  • Observation: A description of the results of running the test against an application.
  • Evaluation: Specific instructions for evaluating the results of the test.

Each test comes with a collection of demos that demonstrate the weakness in a sample application. These demos are written in markdown and are located in the Demos section of the MASTG.

| ID | Title | Platform | Weakness | Type | Status |
|---|---|---|---|---|---|
| MASTG-TEST-0219 | Testing for Debugging Symbols | iOS | MASWE-0093 | static | new |
| MASTG-TEST-0220 | Usage of Outdated Code Signature Format | iOS | MASWE-0104 | static | new |
| MASTG-TEST-0211 | Weak Hashing Algorithms | iOS | MASWE-0021 | static, dynamic | new |
| MASTG-TEST-0214 | Hardcoded Cryptographic Keys in Files | iOS | MASWE-0014 | static | new |
| MASTG-TEST-0210 | Weak Encryption Algorithms | iOS | MASWE-0020 | static, dynamic | new |
| MASTG-TEST-0209 | Inappropriate Key Sizes | iOS | MASWE-0009 | static, dynamic | new |
| MASTG-TEST-0213 | Use of Hardcoded Cryptographic Keys in Code | iOS | MASWE-0014 | static | new |
| MASTG-TEST-0215 | Sensitive Data Not Excluded From Backup | iOS | MASWE-0004 | static, filesystem | new |
| MASTG-TEST-0229 | Stack Canaries not enabled | iOS | MASWE-0116 | static | new |
| MASTG-TEST-0230 | Automatic Reference Counting (ARC) not enabled | iOS | MASWE-0116 | static | new |
| MASTG-TEST-0228 | Position Independent Code (PIC) not Enabled | iOS | MASWE-0116 | static | new |
| MASTG-TEST-0225 | Usage of Insecure Signature Key Size | Android | MASWE-0104 | static | new |
| MASTG-TEST-0224 | Usage of Insecure Signature Version | Android | MASWE-0104 | static | new |
| MASTG-TEST-0226 | Debuggable Flag Enabled in the AndroidManifest | Android | MASWE-0067 | static | new |
| MASTG-TEST-0227 | Debugging Enabled for WebViews | Android | MASWE-0067 | static | new |
| MASTG-TEST-0206 | Sensitive Data in Network Traffic Capture | Android | MASWE-0108 | dynamic, network | new |
| MASTG-TEST-0221 | Weak Encryption Algorithms | Android | MASWE-0020 | static, dynamic | new |
| MASTG-TEST-0205 | Non-random Sources Usage | Android | MASWE-0027 | static | new |
| MASTG-TEST-0212 | Use of Hardcoded Cryptographic Keys in Code | Android | MASWE-0014 | static | new |
| MASTG-TEST-0204 | Insecure Random API Usage | Android | MASWE-0027 | static | new |
| MASTG-TEST-0208 | Inappropriate Key Sizes | Android | MASWE-0009 | static | new |
| MASTG-TEST-0232 | Weak Encryption Modes | Android | MASWE-0020 | static, dynamic | new |
| MASTG-TEST-0202 | References to APIs and Permissions for Accessing External Storage | Android | MASWE-0007 | static | new |
| MASTG-TEST-0203 | Runtime Use of Logging APIs | Android | MASWE-0001 | dynamic | new |
| MASTG-TEST-0207 | Data Stored in the App Sandbox at Runtime | Android | MASWE-0006 | dynamic, filesystem | new |
| MASTG-TEST-0200 | Files Written to External Storage | Android | MASWE-0007 | dynamic | new |
| MASTG-TEST-0231 | References to Logging APIs | Android | MASWE-0001 | static | new |
| MASTG-TEST-0201 | Runtime Use of APIs to Access External Storage | Android | MASWE-0007 | dynamic | new |
| MASTG-TEST-0216 | Sensitive Data Not Excluded From Backup | Android | MASWE-0004 | dynamic, filesystem | new |
| MASTG-TEST-0237 | Cross-Platform Framework Configurations Allowing Cleartext Traffic | Android | MASWE-0050 | static | draft |
| MASTG-TEST-0239 | Using low-level APIs (e.g. Socket) to set up a custom HTTP connection | Android | MASWE-0050 | static | draft |
| MASTG-TEST-0234 | SSLSockets not Properly Verifying Hostnames | Android | MASWE-0052 | static | new |
| MASTG-TEST-0233 | Hardcoded HTTP URLs | Android | MASWE-0050 | static | new |
| MASTG-TEST-0238 | Runtime Use of Network APIs Transmitting Cleartext Traffic | Android | MASWE-0050 | dynamic | draft |
| MASTG-TEST-0217 | Insecure TLS Protocols Explicitly Allowed in Code | Android | MASWE-0050 | static | new |
| MASTG-TEST-0235 | Android App Configurations Allowing Cleartext Traffic | Android | MASWE-0050 | static | new |
| MASTG-TEST-0218 | Insecure TLS Protocols in Network Traffic | Network | MASWE-0050 | network | new |
| MASTG-TEST-0236 | Cleartext Traffic Observed on the Network | Network | MASWE-0050 | dynamic | new |
| MASTG-TEST-0223 | Stack Canaries Not Enabled | Android | MASWE-0116 | static | new |
| MASTG-TEST-0222 | Position Independent Code (PIC) Not Enabled | Android | MASWE-0116 | static | new |