MASTG Tests (v2 Beta)
Content in BETA
This content is in beta and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).
About the MASTG Tests
The MASTG "Atomic Tests" are a new addition to the MAS project. They are a collection of small, individual tests that can be used to assess the security and privacy of a mobile application. Each test is designed to be simple and focused on a single issue. The goal is to make it easier for developers and security professionals to identify and fix issues in their mobile applications.
Tests are organized into categories based on the OWASP MASVS, and each test is mapped to a weakness from the OWASP MASWE.
Each test includes:
- Overview: A brief description of the test.
- Steps: A set of steps to follow to identify the weakness in a mobile application.
- Observation: A description of the results of running the test against an application.
- Evaluation: Specific instructions for evaluating the results of the test.
Each test comes with a collection of demos that demonstrate the weakness in a sample application. These demos are written in Markdown and are located in the Demos section of the MASTG.
ID | Title | Weakness | Type | Status |
---|---|---|---|---|
MASTG-TEST-0218 | Insecure TLS Protocols in Network Traffic | MASWE-0050 | network | |
MASTG-TEST-0233 | Hardcoded HTTP URLs | MASWE-0050 | static | |
MASTG-TEST-0239 | Using low-level APIs (e.g. Socket) to set up a custom HTTP connection | MASWE-0050 | static | |
MASTG-TEST-0236 | Cleartext Traffic Observed on the Network | MASWE-0050 | dynamic | |
MASTG-TEST-0235 | Android App Configurations Allowing Cleartext Traffic | MASWE-0050 | static | |
MASTG-TEST-0238 | Runtime Use of Network APIs Transmitting Cleartext Traffic | MASWE-0050 | dynamic | |
MASTG-TEST-0237 | Cross-Platform Framework Configurations Allowing Cleartext Traffic | MASWE-0050 | static | |
MASTG-TEST-0234 | SSLSockets not Properly Verifying Hostnames | MASWE-0052 | static | |
MASTG-TEST-0217 | Insecure TLS Protocols Explicitly Allowed in Code | MASWE-0050 | static | |
MASTG-TEST-0206 | Sensitive Data in Network Traffic Capture | MASWE-0108 | dynamic, network | |
MASTG-TEST-0201 | Runtime Use of APIs to Access External Storage | MASWE-0007 | dynamic | |
MASTG-TEST-0200 | Files Written to External Storage | MASWE-0007 | dynamic | |
MASTG-TEST-0202 | References to APIs and Permissions for Accessing External Storage | MASWE-0007 | static | |
MASTG-TEST-0216 | Sensitive Data Not Excluded From Backup | MASWE-0004 | dynamic, filesystem | |
MASTG-TEST-0207 | Data Stored in the App Sandbox at Runtime | MASWE-0006 | dynamic, filesystem | |
MASTG-TEST-0203 | Runtime Use of Logging APIs | MASWE-0001 | dynamic | |
MASTG-TEST-0231 | References to Logging APIs | MASWE-0001 | static | |
MASTG-TEST-0224 | Usage of Insecure Signature Version | MASWE-0104 | static | |
MASTG-TEST-0226 | Debuggable Flag Enabled in the AndroidManifest | MASWE-0067 | static | |
MASTG-TEST-0225 | Usage of Insecure Signature Key Size | MASWE-0104 | static | |
MASTG-TEST-0227 | Debugging Enabled for WebViews | MASWE-0067 | static | |
MASTG-TEST-0222 | Position Independent Code (PIC) Not Enabled | MASWE-0116 | static | |
MASTG-TEST-0223 | Stack Canaries Not Enabled | MASWE-0116 | static | |
MASTG-TEST-0221 | Weak Encryption Algorithms | MASWE-0020 | static, dynamic | |
MASTG-TEST-0212 | Use of Hardcoded Cryptographic Keys in Code | MASWE-0014 | static | |
MASTG-TEST-0204 | Insecure Random API Usage | MASWE-0027 | static | |
MASTG-TEST-0205 | Non-random Sources Usage | MASWE-0027 | static | |
MASTG-TEST-0208 | Inappropriate Key Sizes | MASWE-0009 | static | |
MASTG-TEST-0232 | Weak Encryption Modes | MASWE-0020 | static, dynamic | |
MASTG-TEST-0215 | Sensitive Data Not Excluded From Backup | MASWE-0004 | static, filesystem | |
MASTG-TEST-0220 | Usage of Outdated Code Signature Format | MASWE-0104 | static | |
MASTG-TEST-0240 | Jailbreak Detection in Code | MASWE-0097 | dynamic | |
MASTG-TEST-0241 | Runtime Use of Jailbreak Detection Techniques | MASWE-0097 | dynamic | |
MASTG-TEST-0219 | Testing for Debugging Symbols | MASWE-0093 | static | |
MASTG-TEST-0229 | Stack Canaries not enabled | MASWE-0116 | static | |
MASTG-TEST-0230 | Automatic Reference Counting (ARC) not enabled | MASWE-0116 | static | |
MASTG-TEST-0228 | Position Independent Code (PIC) not Enabled | MASWE-0116 | static | |
MASTG-TEST-0210 | Weak Encryption Algorithms | MASWE-0020 | static, dynamic | |
MASTG-TEST-0213 | Use of Hardcoded Cryptographic Keys in Code | MASWE-0014 | static | |
MASTG-TEST-0214 | Hardcoded Cryptographic Keys in Files | MASWE-0014 | static | |
MASTG-TEST-0209 | Inappropriate Key Sizes | MASWE-0009 | static, dynamic | |
MASTG-TEST-0211 | Weak Hashing Algorithms | MASWE-0021 | static, dynamic | |