MASTG Tests (v2 Beta)

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


About the MASTG Tests

The MASTG "Atomic Tests" are a new addition to the MAS project. They are a collection of small, individual tests that can be used to assess the security and privacy of a mobile application. Each test is designed to be simple and focused on a single issue. The goal is to make it easier for developers and security professionals to identify and fix issues in their mobile applications.

Tests are organized into categories based on the OWASP MASVS and have a weakness assigned from the OWASP MASWE.

Each test includes:

  • Overview: A brief description of the test.
  • Steps: A set of steps to follow to identify the weakness in a mobile application.
  • Observation: A description of the results of running the test against an application.
  • Evaluation: Specific instructions for evaluating the results of the test.

Each test comes with a collection of demos that demonstrate the weakness in a sample application. These demos are written in markdown and are located in the Demos section of the MASTG.

| ID | Title | Platform | Weakness | Type | Status |
|---|---|---|---|---|---|
| MASTG-TEST-0209 | Inappropriate Key Sizes | iOS | MASWE-0009 | static, dynamic | new |
| MASTG-TEST-0213 | Use of Hardcoded Cryptographic Keys in Code | iOS | MASWE-0014 | static | new |
| MASTG-TEST-0214 | Hardcoded Cryptographic Keys in Files | iOS | MASWE-0014 | static | new |
| MASTG-TEST-0211 | Weak Hashing Algorithms | iOS | MASWE-0021 | static, dynamic | new |
| MASTG-TEST-0210 | Weak Encryption Algorithms | iOS | MASWE-0020 | static, dynamic | new |
| MASTG-TEST-0230 | Automatic Reference Counting (ARC) not enabled | iOS | MASWE-0116 | static | new |
| MASTG-TEST-0229 | Stack Canaries Not enabled | iOS | MASWE-0116 | static | new |
| MASTG-TEST-0228 | Position Independent Code (PIC) not Enabled | iOS | MASWE-0116 | static | new |
| MASTG-TEST-0246 | Runtime Use of Secure Screen Lock Detection APIs | iOS | MASWE-0008 | dynamic | new |
| MASTG-TEST-0248 | References to APIs for Detecting Secure Screen Lock | iOS | MASWE-0008 | static | new |
| MASTG-TEST-0220 | Usage of Outdated Code Signature Format | iOS | MASWE-0104 | static | new |
| MASTG-TEST-0261 | Debuggable Entitlement Enabled in the entitlements.plist | iOS | MASWE-0067 | static | new |
| MASTG-TEST-0240 | Jailbreak Detection in Code | iOS | MASWE-0097 | dynamic | new |
| MASTG-TEST-0219 | Testing for Debugging Symbols | iOS | MASWE-0093 | static | new |
| MASTG-TEST-0241 | Runtime Use of Jailbreak Detection Techniques | iOS | MASWE-0097 | dynamic | new |
| MASTG-TEST-0215 | Sensitive Data Not Excluded From Backup | iOS | MASWE-0004 | static, filesystem | new |
| MASTG-TEST-0232 | Weak Symmetric Encryption Modes | Android | MASWE-0020 | static, dynamic | new |
| MASTG-TEST-0221 | Weak Symmetric Encryption Algorithms | Android | MASWE-0020 | static, dynamic | new |
| MASTG-TEST-0204 | Insecure Random API Usage | Android | MASWE-0027 | static | new |
| MASTG-TEST-0212 | Use of Hardcoded Cryptographic Keys in Code | Android | MASWE-0014 | static | new |
| MASTG-TEST-0208 | Inappropriate Key Sizes | Android | MASWE-0009 | static | new |
| MASTG-TEST-0205 | Non-random Sources Usage | Android | MASWE-0027 | static | new |
| MASTG-TEST-0222 | Position Independent Code (PIC) Not Enabled | Android | MASWE-0116 | static | new |
| MASTG-TEST-0223 | Stack Canaries Not Enabled | Android | MASWE-0116 | static | new |
| MASTG-TEST-0245 | References to Platform Version APIs | Android | MASWE-0077 | static | new |
| MASTG-TEST-0250 | References to Content Provider Access in WebViews | Android | MASWE-0069 | static | new |
| MASTG-TEST-0x33 | @MASTG-TEST-0x33 | Android | MASWE-0069 | static | new |
| MASTG-TEST-0253 | Runtime Use of Local File Access APIs in WebViews | Android | MASWE-0069 | dynamic | new |
| MASTG-TEST-0251 | Runtime Use of Content Provider Access APIs in WebViews | Android | MASWE-0069 | dynamic | new |
| MASTG-TEST-0256 | Missing Permission Rationale | Android | MASWE-0117 | | draft |
| MASTG-TEST-0258 | References to Keyboard Caching Attributes in UI Elements | Android | MASWE-0053 | static | new |
| MASTG-TEST-0206 | Sensitive Data in Network Traffic Capture | Android | MASWE-0108 | dynamic, network | new |
| MASTG-TEST-0255 | Permission Requests Not Minimized | Android | MASWE-0117 | | draft |
| MASTG-TEST-0254 | Dangerous App Permissions | Android | MASWE-0117 | static | new |
| MASTG-TEST-0257 | Not Resetting Unused Permissions | Android | MASWE-0117 | | draft |
| MASTG-TEST-0263 | Logging of StrictMode Violations | Android | MASWE-0094 | dynamic | new |
| MASTG-TEST-0247 | References to APIs for Detecting Secure Screen Lock | Android | MASWE-0008 | static | new |
| MASTG-TEST-0249 | Runtime Use of Secure Screen Lock Detection APIs | Android | MASWE-0008 | dynamic | new |
| MASTG-TEST-0227 | Debugging Enabled for WebViews | Android | MASWE-0067 | static | new |
| MASTG-TEST-0224 | Usage of Insecure Signature Version | Android | MASWE-0104 | static | new |
| MASTG-TEST-0226 | Debuggable Flag Enabled in the AndroidManifest | Android | MASWE-0067 | static | new |
| MASTG-TEST-0225 | Usage of Insecure Signature Key Size | Android | MASWE-0104 | static | new |
| MASTG-TEST-0264 | Runtime Use of StrictMode APIs | Android | MASWE-0094 | dynamic | draft |
| MASTG-TEST-0265 | References to StrictMode APIs | Android | MASWE-0094 | static | draft |
| MASTG-TEST-0201 | Runtime Use of APIs to Access External Storage | Android | MASWE-0007 | dynamic | new |
| MASTG-TEST-0202 | References to APIs and Permissions for Accessing External Storage | Android | MASWE-0007 | static | new |
| MASTG-TEST-0262 | References to Backup Configurations Not Excluding Sensitive Data | Android | MASWE-0004 | static | new |
| MASTG-TEST-0231 | References to Logging APIs | Android | MASWE-0001 | static | new |
| MASTG-TEST-0200 | Files Written to External Storage | Android | MASWE-0007 | dynamic | new |
| MASTG-TEST-0203 | Runtime Use of Logging APIs | Android | MASWE-0001 | dynamic | new |
| MASTG-TEST-0216 | Sensitive Data Not Excluded From Backup | Android | MASWE-0004 | dynamic, filesystem | new |
| MASTG-TEST-0207 | Data Stored in the App Sandbox at Runtime | Android | MASWE-0006 | dynamic, filesystem | new |
| MASTG-TEST-0235 | Android App Configurations Allowing Cleartext Traffic | Android | MASWE-0050 | static | new |
| MASTG-TEST-0238 | Runtime Use of Network APIs Transmitting Cleartext Traffic | Android | MASWE-0050 | dynamic | draft |
| MASTG-TEST-0244 | Missing Certificate Pinning in Network Traffic | Network | MASWE-0047 | network | new |
| MASTG-TEST-0243 | Expired Certificate Pins in the Network Security Configuration | Android | MASWE-0047 | static | new |
| MASTG-TEST-0233 | Hardcoded HTTP URLs | Android | MASWE-0050 | static | new |
| MASTG-TEST-0242 | Missing Certificate Pinning in Network Security Configuration | Android | MASWE-0047 | static | new |
| MASTG-TEST-0239 | Using low-level APIs (e.g. Socket) to set up a custom HTTP connection | Android | MASWE-0050 | static | draft |
| MASTG-TEST-0234 | SSLSockets not Properly Verifying Hostnames | Android | MASWE-0052 | static | new |
| MASTG-TEST-0217 | Insecure TLS Protocols Explicitly Allowed in Code | Android | MASWE-0050 | static | new |
| MASTG-TEST-0218 | Insecure TLS Protocols in Network Traffic | Network | MASWE-0050 | network | new |
| MASTG-TEST-0236 | Cleartext Traffic Observed on the Network | Network | MASWE-0050 | dynamic | new |
| MASTG-TEST-0237 | Cross-Platform Framework Configurations Allowing Cleartext Traffic | Android | MASWE-0050 | static | draft |