MASTG Tests (v2 Beta)
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
About the MASTG Tests
The MASTG "Atomic Tests" are a new addition to the MAS project. They are a collection of small, individual tests that can be used to assess the security and privacy of a mobile application. Each test is designed to be simple and focused on a single issue. The goal is to make it easier for developers and security professionals to identify and fix issues in their mobile applications.
Tests are organized into categories based on the OWASP MASVS and have a weakness assigned from the OWASP MASWE.
Each test includes:
- Overview: A brief description of the test.
- Steps: A set of steps to follow to identify the weakness in a mobile application.
- Observation: A description of the results of running the test against an application.
- Evaluation: Specific instructions for evaluating the results of the test.
Each test comes with a collection of demos that demonstrate the weakness in a sample application. These demos are written in markdown and are located in the Demos section of the MASTG.
| ID | Title | Platform | Weakness | Type | Status |
|---|---|---|---|---|---|
| MASTG-TEST-0243 | Expired Certificate Pins in the Network Security Configuration | MASWE-0047 | ['static'] | ||
| MASTG-TEST-0217 | Insecure TLS Protocols Explicitly Allowed in Code | MASWE-0050 | ['static'] | ||
| MASTG-TEST-0244 | Missing Certificate Pinning in Network Traffic | MASWE-0047 | ['network'] | ||
| MASTG-TEST-0234 | SSLSockets not Properly Verifying Hostnames | MASWE-0052 | ['static'] | ||
| MASTG-TEST-0242 | Missing Certificate Pinning in Network Security Configuration | MASWE-0047 | ['static'] | ||
| MASTG-TEST-0236 | Cleartext Traffic Observed on the Network | MASWE-0050 | ['dynamic'] | ||
| MASTG-TEST-0239 | Using low-level APIs (e.g. Socket) to set up a custom HTTP connection | MASWE-0050 | ['static'] | ||
| MASTG-TEST-0238 | Runtime Use of Network APIs Transmitting Cleartext Traffic | MASWE-0050 | ['dynamic'] | ||
| MASTG-TEST-0235 | Android App Configurations Allowing Cleartext Traffic | MASWE-0050 | ['static'] | ||
| MASTG-TEST-0237 | Cross-Platform Framework Configurations Allowing Cleartext Traffic | MASWE-0050 | ['static'] | ||
| MASTG-TEST-0233 | Hardcoded HTTP URLs | MASWE-0050 | ['static'] | ||
| MASTG-TEST-0218 | Insecure TLS Protocols in Network Traffic | MASWE-0050 | ['network'] | ||
| MASTG-TEST-0264 | Runtime Use of StrictMode APIs | MASWE-0094 | ['dynamic'] | ||
| MASTG-TEST-0247 | References to APIs for Detecting Secure Screen Lock | MASWE-0008 | ['static'] | ||
| MASTG-TEST-0263 | Logging of StrictMode Violations | MASWE-0094 | ['dynamic'] | ||
| MASTG-TEST-0224 | Usage of Insecure Signature Version | MASWE-0104 | ['static'] | ||
| MASTG-TEST-0227 | Debugging Enabled for WebViews | MASWE-0067 | ['static'] | ||
| MASTG-TEST-0265 | References to StrictMode APIs | MASWE-0094 | ['static'] | ||
| MASTG-TEST-0249 | Runtime Use of Secure Screen Lock Detection APIs | MASWE-0008 | ['dynamic'] | ||
| MASTG-TEST-0225 | Usage of Insecure Signature Key Size | MASWE-0104 | ['static'] | ||
| MASTG-TEST-0226 | Debuggable Flag Enabled in the AndroidManifest | MASWE-0067 | ['static'] | ||
| MASTG-TEST-0212 | Use of Hardcoded Cryptographic Keys in Code | MASWE-0014 | ['static'] | ||
| MASTG-TEST-0221 | Weak Symmetric Encryption Algorithms | MASWE-0020 | ['static', 'dynamic'] | ||
| MASTG-TEST-0205 | Non-random Sources Usage | MASWE-0027 | ['static'] | ||
| MASTG-TEST-0208 | Inappropriate Key Sizes | MASWE-0009 | ['static'] | ||
| MASTG-TEST-0232 | Weak Symmetric Encryption Modes | MASWE-0020 | ['static', 'dynamic'] | ||
| MASTG-TEST-0204 | Insecure Random API Usage | MASWE-0027 | ['static'] | ||
| MASTG-TEST-0231 | References to Logging APIs | MASWE-0001 | ['static'] | ||
| MASTG-TEST-0203 | Runtime Use of Logging APIs | MASWE-0001 | ['dynamic'] | ||
| MASTG-TEST-0216 | Sensitive Data Not Excluded From Backup | MASWE-0004 | ['dynamic', 'filesystem'] | ||
| MASTG-TEST-0262 | References to Backup Configurations Not Excluding Sensitive Data | MASWE-0004 | ['static'] | ||
| MASTG-TEST-0200 | Files Written to External Storage | MASWE-0007 | ['dynamic'] | ||
| MASTG-TEST-0207 | Data Stored in the App Sandbox at Runtime | MASWE-0006 | ['dynamic', 'filesystem'] | ||
| MASTG-TEST-0201 | Runtime Use of APIs to Access External Storage | MASWE-0007 | ['dynamic'] | ||
| MASTG-TEST-0202 | References to APIs and Permissions for Accessing External Storage | MASWE-0007 | ['static'] | ||
| MASTG-TEST-0252 | References to Local File Access in WebViews | MASWE-0069 | ['static'] | ||
| MASTG-TEST-0250 | References to Content Provider Access in WebViews | MASWE-0069 | ['static'] | ||
| MASTG-TEST-0251 | Runtime Use of Content Provider Access APIs in WebViews | MASWE-0069 | ['dynamic'] | ||
| MASTG-TEST-0253 | Runtime Use of Local File Access APIs in WebViews | MASWE-0069 | ['dynamic'] | ||
| MASTG-TEST-0206 | Sensitive Data in Network Traffic Capture | MASWE-0108 | ['dynamic', 'network'] | ||
| MASTG-TEST-0258 | References to Keyboard Caching Attributes in UI Elements | MASWE-0053 | ['static'] | ||
| MASTG-TEST-0257 | Not Resetting Unused Permissions | MASWE-0117 | N/A | ||
| MASTG-TEST-0256 | Missing Permission Rationale | MASWE-0117 | N/A | ||
| MASTG-TEST-0254 | Dangerous App Permissions | MASWE-0117 | ['static'] | ||
| MASTG-TEST-0255 | Permission Requests Not Minimized | MASWE-0117 | N/A | ||
| MASTG-TEST-0223 | Stack Canaries Not Enabled | MASWE-0116 | ['static'] | ||
| MASTG-TEST-0245 | References to Platform Version APIs | MASWE-0077 | ['static'] | ||
| MASTG-TEST-0222 | Position Independent Code (PIC) Not Enabled | MASWE-0116 | ['static'] | ||
| MASTG-TEST-0246 | Runtime Use of Secure Screen Lock Detection APIs | MASWE-0008 | ['dynamic'] | ||
| MASTG-TEST-0220 | Usage of Outdated Code Signature Format | MASWE-0104 | ['static'] | ||
| MASTG-TEST-0219 | Testing for Debugging Symbols | MASWE-0093 | ['static'] | ||
| MASTG-TEST-0241 | Runtime Use of Jailbreak Detection Techniques | MASWE-0097 | ['dynamic'] | ||
| MASTG-TEST-0261 | Debuggable Entitlement Enabled in the entitlements.plist | MASWE-0067 | ['static'] | ||
| MASTG-TEST-0248 | References to APIs for Detecting Secure Screen Lock | MASWE-0008 | ['static'] | ||
| MASTG-TEST-0240 | Jailbreak Detection in Code | MASWE-0097 | ['dynamic'] | ||
| MASTG-TEST-0209 | Inappropriate Key Sizes | MASWE-0009 | ['static', 'dynamic'] | ||
| MASTG-TEST-0211 | Weak Hashing Algorithms | MASWE-0021 | ['static', 'dynamic'] | ||
| MASTG-TEST-0214 | Hardcoded Cryptographic Keys in Files | MASWE-0014 | ['static'] | ||
| MASTG-TEST-0210 | Weak Encryption Algorithms | MASWE-0020 | ['static', 'dynamic'] | ||
| MASTG-TEST-0213 | Use of Hardcoded Cryptographic Keys in Code | MASWE-0014 | ['static'] | ||
| MASTG-TEST-0215 | Sensitive Data Not Excluded From Backup | MASWE-0004 | ['static', 'filesystem'] | ||
| MASTG-TEST-0228 | Position Independent Code (PIC) not Enabled | MASWE-0116 | ['static'] | ||
| MASTG-TEST-0230 | Automatic Reference Counting (ARC) not enabled | MASWE-0116 | ['static'] | ||
| MASTG-TEST-0229 | Stack Canaries Not enabled | MASWE-0116 | ['static'] |