MASTG Tests

About the MASTG Tests

The MASTG "Atomic Tests" are a new addition to the MAS project: a collection of small, individual tests for assessing the security and privacy of a mobile application. Each test is deliberately simple and focused on a single issue, so that developers and security professionals can identify and fix problems in their mobile applications one weakness at a time.

Tests are organized into categories based on the OWASP MASVS (Mobile Application Security Verification Standard), and each test is mapped to a weakness from the OWASP MASWE (Mobile Application Security Weakness Enumeration).

Each test includes:

  • Overview: A brief description of the test.
  • Steps: A set of steps to follow to identify the weakness in a mobile application.
  • Observation: A description of the results of running the test against an application.
  • Evaluation: Specific instructions for evaluating the results of the test.

Each test comes with a collection of demos that demonstrate the weakness in a sample application. These demos are written in markdown and are located in the Demos section of the MASTG.
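To make the Steps / Observation / Evaluation structure concrete, the following is an added, self-contained Python check in the spirit of MASTG-TEST-0226 ("Debuggable Flag Enabled in the AndroidManifest"). It is not code from the MASTG or the MAS project: the two sample manifests are constructed, and the function names are this example's own. The only Android facts it relies on are the `android:` XML namespace URI and that `android:debuggable` is an attribute of the `<application>` element.

```python
"""Added example, not part of the MASTG: a minimal static check in the spirit of
MASTG-TEST-0226 ("Debuggable Flag Enabled in the AndroidManifest"), laid out as
the Steps / Observation / Evaluation of an atomic test. Both manifests below are
constructed samples; the function names are this example's own."""
from typing import Optional
import xml.etree.ElementTree as ET

# The android: XML namespace used for manifest attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a build that shipped with android:debuggable="true".
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""

# Constructed sample: the attribute is not declared, which is the release default.
SAFE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


def step_extract_debuggable(manifest_xml: str) -> Optional[str]:
    """Steps: parse the (already decoded) manifest and return the raw value of
    android:debuggable on <application>, or None when it is not declared."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        return None
    return application.get(f"{{{ANDROID_NS}}}debuggable")


def evaluate(manifest_xml: str) -> dict:
    """Observation + Evaluation: record what was found, then fail the test only
    when the flag is explicitly "true" (absent or "false" both pass)."""
    value = step_extract_debuggable(manifest_xml)
    if value is None:
        observation = "android:debuggable is not declared on <application>"
    else:
        observation = f'android:debuggable="{value}" on <application>'
    failed = value is not None and value.strip().lower() == "true"
    return {
        "test": "MASTG-TEST-0226",
        "observation": observation,
        "result": "FAIL" if failed else "PASS",
    }


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("safe", SAFE_MANIFEST)):
        outcome = evaluate(manifest)
        print(f"{label}: {outcome['result']}  ({outcome['observation']})")
```

In a real APK the manifest is stored as binary XML, so it has to be decoded first (for example with apktool or aapt2) before a text parser like this can read it; the evaluation logic itself does not change.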

| ID | Title | Platform | Status |
|---|---|---|---|
| MASTG-TEST-0265 | References to StrictMode APIs | android | new |
| MASTG-TEST-0049 | Testing Emulator Detection | android | update-pending |
| MASTG-TEST-0247 | References to APIs for Detecting Secure Screen Lock | android | new |
| MASTG-TEST-0264 | Runtime Use of StrictMode APIs | android | new |
| MASTG-TEST-0249 | Runtime Use of Secure Screen Lock Detection APIs | android | new |
| MASTG-TEST-0046 | Testing Anti-Debugging Detection | android | update-pending |
| MASTG-TEST-0226 | Debuggable Flag Enabled in the AndroidManifest | android | new |
| MASTG-TEST-0038 | Making Sure that the App is Properly Signed | android | deprecated |
| MASTG-TEST-0051 | Testing Obfuscation | android | update-pending |
| MASTG-TEST-0225 | Usage of Insecure Signature Key Size | android | new |
| MASTG-TEST-0041 | Testing for Debugging Code and Verbose Error Logging | android | deprecated |
| MASTG-TEST-0263 | Logging of StrictMode Violations | android | new |
| MASTG-TEST-0048 | Testing Reverse Engineering Tools Detection | android | update-pending |
| MASTG-TEST-0039 | Testing whether the App is Debuggable | android | deprecated |
| MASTG-TEST-0040 | Testing for Debugging Symbols | android | update-pending |
| MASTG-TEST-0227 | Debugging Enabled for WebViews | android | new |
| MASTG-TEST-0224 | Usage of Insecure Signature Version | android | new |
| MASTG-TEST-0045 | Testing Root Detection | android | update-pending |
| MASTG-TEST-0050 | Testing Runtime Integrity Checks | android | update-pending |
| MASTG-TEST-0047 | Testing File Integrity Checks | android | update-pending |
| MASTG-TEST-0237 | Cross-Platform Framework Configurations Allowing Cleartext Traffic | android | placeholder |
| MASTG-TEST-0022 | Testing Custom Certificate Stores and Certificate Pinning | android | deprecated |
| MASTG-TEST-0238 | Runtime Use of Network APIs Transmitting Cleartext Traffic | android | placeholder |
| MASTG-TEST-0019 | Testing Data Encryption on the Network | android | deprecated |
| MASTG-TEST-0242 | Missing Certificate Pinning in Network Security Configuration | android | new |
| MASTG-TEST-0023 | Testing the Security Provider | android | update-pending |
| MASTG-TEST-0244 | Missing Certificate Pinning in Network Traffic | network | new |
| MASTG-TEST-0233 | Hardcoded HTTP URLs | android | new |
| MASTG-TEST-0236 | Cleartext Traffic Observed on the Network | network | new |
| MASTG-TEST-0235 | Android App Configurations Allowing Cleartext Traffic | android | new |
| MASTG-TEST-0234 | SSLSockets not Properly Verifying Hostnames | android | new |
| MASTG-TEST-0021 | Testing Endpoint Identify Verification | android | update-pending |
| MASTG-TEST-0020 | Testing the TLS Settings | android | deprecated |
| MASTG-TEST-0217 | Insecure TLS Protocols Explicitly Allowed in Code | android | new |
| MASTG-TEST-0243 | Expired Certificate Pins in the Network Security Configuration | android | new |
| MASTG-TEST-0218 | Insecure TLS Protocols in Network Traffic | network | new |
| MASTG-TEST-0239 | Using low-level APIs (e.g. Socket) to set up a custom HTTP connection | android | placeholder |
| MASTG-TEST-0017 | Testing Confirm Credentials | android | update-pending |
| MASTG-TEST-0018 | Testing Biometric Authentication | android | update-pending |
| MASTG-TEST-0206 | Sensitive Data in Network Traffic Capture | android | new |
| MASTG-TEST-0254 | Dangerous App Permissions | android | new |
| MASTG-TEST-0255 | Permission Requests Not Minimized | android | placeholder |
| MASTG-TEST-0256 | Missing Permission Rationale | android | placeholder |
| MASTG-TEST-0257 | Not Resetting Unused Permissions | android | placeholder |
| MASTG-TEST-0258 | References to Keyboard Caching Attributes in UI Elements | android | new |
| MASTG-TEST-0250 | References to Content Provider Access in WebViews | android | new |
| MASTG-TEST-0032 | Testing WebView Protocol Handlers | android | deprecated |
| MASTG-TEST-0008 | Checking for Sensitive Data Disclosure Through the User Interface | android | update-pending |
| MASTG-TEST-0253 | Runtime Use of Local File Access APIs in WebViews | android | new |
| MASTG-TEST-0024 | Testing for App Permissions | android | deprecated |
| MASTG-TEST-0251 | Runtime Use of Content Provider Access APIs in WebViews | android | new |
| MASTG-TEST-0031 | Testing JavaScript Execution in WebViews | android | update-pending |
| MASTG-TEST-0030 | Testing for Vulnerable Implementation of PendingIntent | android | update-pending |
| MASTG-TEST-0037 | Testing WebViews Cleanup | android | update-pending |
| MASTG-TEST-0028 | Testing Deep Links | android | update-pending |
| MASTG-TEST-0035 | Testing for Overlay Attacks | android | update-pending |
| MASTG-TEST-0010 | Finding Sensitive Information in Auto-Generated Screenshots | android | update-pending |
| MASTG-TEST-0029 | Testing for Sensitive Functionality Exposure Through IPC | android | update-pending |
| MASTG-TEST-0007 | Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms | android | update-pending |
| MASTG-TEST-0033 | Testing for Java Objects Exposed Through WebViews | android | update-pending |
| MASTG-TEST-0252 | References to Local File Access in WebViews | android | new |
| MASTG-TEST-0205 | Non-random Sources Usage | android | new |
| MASTG-TEST-0013 | Testing Symmetric Cryptography | android | deprecated |
| MASTG-TEST-0204 | Insecure Random API Usage | android | new |
| MASTG-TEST-0208 | Inappropriate Key Sizes | android | new |
| MASTG-TEST-0014 | Testing the Configuration of Cryptographic Standard Algorithms | android | update-pending |
| MASTG-TEST-0015 | Testing the Purposes of Keys | android | update-pending |
| MASTG-TEST-0221 | Weak Symmetric Encryption Algorithms | android | new |
| MASTG-TEST-0212 | Use of Hardcoded Cryptographic Keys in Code | android | new |
| MASTG-TEST-0232 | Weak Symmetric Encryption Modes | android | new |
| MASTG-TEST-0016 | Testing Random Number Generation | android | deprecated |
| MASTG-TEST-0011 | Testing Memory for Sensitive Data | android | update-pending |
| MASTG-TEST-0216 | Sensitive Data Not Excluded From Backup | android | new |
| MASTG-TEST-0262 | References to Backup Configurations Not Excluding Sensitive Data | android | new |
| MASTG-TEST-0005 | Determining Whether Sensitive Data Is Shared with Third Parties via Notifications | android | update-pending |
| MASTG-TEST-0202 | References to APIs and Permissions for Accessing External Storage | android | new |
| MASTG-TEST-0004 | Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services | android | update-pending |
| MASTG-TEST-0012 | Testing the Device-Access-Security Policy | android | deprecated |
| MASTG-TEST-0003 | Testing Logs for Sensitive Data | android | deprecated |
| MASTG-TEST-0009 | Testing Backups for Sensitive Data | android | deprecated |
| MASTG-TEST-0203 | Runtime Use of Logging APIs | android | new |
| MASTG-TEST-0200 | Files Written to External Storage | android | new |
| MASTG-TEST-0231 | References to Logging APIs | android | new |
| MASTG-TEST-0001 | Testing Local Storage for Sensitive Data | android | deprecated |
| MASTG-TEST-0006 | Determining Whether the Keyboard Cache Is Disabled for Text Input Fields | android | deprecated |
| MASTG-TEST-0201 | Runtime Use of APIs to Access External Storage | android | new |
| MASTG-TEST-0207 | Data Stored in the App Sandbox at Runtime | android | new |
| MASTG-TEST-0272 | Identify Dependencies with Known Vulnerabilities in the Android Project | android | new |
| MASTG-TEST-0245 | References to Platform Version APIs | android | new |
| MASTG-TEST-0042 | Checking for Weaknesses in Third Party Libraries | android | deprecated |
| MASTG-TEST-0223 | Stack Canaries Not Enabled | android | new |
| MASTG-TEST-0002 | Testing Local Storage for Input Validation | android | update-pending |
| MASTG-TEST-0025 | Testing for Injection Flaws | android | update-pending |
| MASTG-TEST-0044 | Make Sure That Free Security Features Are Activated | android | deprecated |
| MASTG-TEST-0043 | Memory Corruption Bugs | android | update-pending |
| MASTG-TEST-0026 | Testing Implicit Intents | android | update-pending |
| MASTG-TEST-0222 | Position Independent Code (PIC) Not Enabled | android | new |
| MASTG-TEST-0274 | Dependencies with Known Vulnerabilities in the App's SBOM | android | new |
| MASTG-TEST-0027 | Testing for URL Loading in WebViews | android | update-pending |
| MASTG-TEST-0036 | Testing Enforced Updating | android | update-pending |
| MASTG-TEST-0034 | Testing Object Persistence | android | update-pending |
| MASTG-TEST-0246 | Runtime Use of Secure Screen Lock Detection APIs | ios | new |
| MASTG-TEST-0091 | Testing Reverse Engineering Tools Detection | ios | update-pending |
| MASTG-TEST-0090 | Testing File Integrity Checks | ios | update-pending |
| MASTG-TEST-0248 | References to APIs for Detecting Secure Screen Lock | ios | new |
| MASTG-TEST-0083 | Testing for Debugging Symbols | ios | deprecated |
| MASTG-TEST-0089 | Testing Anti-Debugging Detection | ios | update-pending |
| MASTG-TEST-0261 | Debuggable Entitlement Enabled in the entitlements.plist | ios | new |
| MASTG-TEST-0240 | Jailbreak Detection in Code | ios | new |
| MASTG-TEST-0084 | Testing for Debugging Code and Verbose Error Logging | ios | update-pending |
| MASTG-TEST-0081 | Making Sure that the App Is Properly Signed | ios | deprecated |
| MASTG-TEST-0219 | Testing for Debugging Symbols | ios | new |
| MASTG-TEST-0241 | Runtime Use of Jailbreak Detection Techniques | ios | new |
| MASTG-TEST-0082 | Testing whether the App is Debuggable | ios | deprecated |
| MASTG-TEST-0220 | Usage of Outdated Code Signature Format | ios | new |
| MASTG-TEST-0092 | Testing Emulator Detection | ios | update-pending |
| MASTG-TEST-0093 | Testing Obfuscation | ios | update-pending |
| MASTG-TEST-0088 | Testing Jailbreak Detection | ios | deprecated |
| MASTG-TEST-0068 | Testing Custom Certificate Stores and Certificate Pinning | ios | update-pending |
| MASTG-TEST-0066 | Testing the TLS Settings | ios | update-pending |
| MASTG-TEST-0065 | Testing Data Encryption on the Network | ios | update-pending |
| MASTG-TEST-0067 | Testing Endpoint Identity Verification | ios | update-pending |
| MASTG-TEST-0064 | Testing Biometric Authentication | ios | deprecated |
| MASTG-TEST-0266 | References to APIs for Event-Bound Biometric Authentication | ios | new |
| MASTG-TEST-0270 | References to APIs Detecting Biometric Enrollment Changes | ios | new |
| MASTG-TEST-0267 | Runtime Use Of Event-Bound Biometric Authentication | ios | new |
| MASTG-TEST-0268 | References to APIs Allowing Fallback to Non-Biometric Authentication | ios | new |
| MASTG-TEST-0269 | Runtime Use Of APIs Allowing Fallback to Non-Biometric Authentication | ios | new |
| MASTG-TEST-0271 | Runtime Use Of APIs Detecting Biometric Enrollment Changes | ios | new |
| MASTG-TEST-0276 | Use of the iOS General Pasteboard | ios | new |
| MASTG-TEST-0071 | Testing UIActivity Sharing | ios | update-pending |
| MASTG-TEST-0075 | Testing Custom URL Schemes | ios | update-pending |
| MASTG-TEST-0279 | Pasteboard Contents Not Expiring | ios | placeholder |
| MASTG-TEST-0057 | Checking for Sensitive Data Disclosed Through the User Interface | ios | update-pending |
| MASTG-TEST-0070 | Testing Universal Links | ios | update-pending |
| MASTG-TEST-0059 | Testing Auto-Generated Screenshots for Sensitive Information | ios | update-pending |
| MASTG-TEST-0056 | Determining Whether Sensitive Data Is Exposed via IPC Mechanisms | ios | update-pending |
| MASTG-TEST-0069 | Testing App Permissions | ios | update-pending |
| MASTG-TEST-0072 | Testing App Extensions | ios | update-pending |
| MASTG-TEST-0280 | Pasteboard Contents Not Restricted to Local Device | ios | placeholder |
| MASTG-TEST-0078 | Determining Whether Native Methods Are Exposed Through WebViews | ios | update-pending |
| MASTG-TEST-0073 | Testing UIPasteboard | ios | deprecated |
| MASTG-TEST-0278 | Pasteboard Contents Not Cleared After Use | ios | placeholder |
| MASTG-TEST-0277 | Sensitive Data in the iOS General Pasteboard at Runtime | ios | new |
| MASTG-TEST-0077 | Testing WebView Protocol Handlers | ios | update-pending |
| MASTG-TEST-0076 | Testing iOS WebViews | ios | update-pending |
| MASTG-TEST-0211 | Weak Hashing Algorithms | ios | new |
| MASTG-TEST-0209 | Inappropriate Key Sizes | ios | new |
| MASTG-TEST-0061 | Verifying the Configuration of Cryptographic Standard Algorithms | ios | deprecated |
| MASTG-TEST-0213 | Use of Hardcoded Cryptographic Keys in Code | ios | new |
| MASTG-TEST-0062 | Testing Key Management | ios | deprecated |
| MASTG-TEST-0210 | Weak Encryption Algorithms | ios | new |
| MASTG-TEST-0063 | Testing Random Number Generation | ios | update-pending |
| MASTG-TEST-0214 | Hardcoded Cryptographic Keys in Files | ios | new |
| MASTG-TEST-0215 | Sensitive Data Not Excluded From Backup | ios | new |
| MASTG-TEST-0053 | Checking Logs for Sensitive Data | ios | update-pending |
| MASTG-TEST-0055 | Finding Sensitive Data in the Keyboard Cache | ios | update-pending |
| MASTG-TEST-0060 | Testing Memory for Sensitive Data | ios | update-pending |
| MASTG-TEST-0052 | Testing Local Data Storage | ios | update-pending |
| MASTG-TEST-0058 | Testing Backups for Sensitive Data | ios | update-pending |
| MASTG-TEST-0054 | Determining Whether Sensitive Data Is Shared with Third Parties | ios | update-pending |
| MASTG-TEST-0087 | Make Sure That Free Security Features Are Activated | ios | deprecated |
| MASTG-TEST-0273 | Identify Dependencies with Known Vulnerabilities by Scanning Dependency Managers Artifacts | ios | new |
| MASTG-TEST-0229 | Stack Canaries Not enabled | ios | new |
| MASTG-TEST-0079 | Testing Object Persistence | ios | update-pending |
| MASTG-TEST-0230 | Automatic Reference Counting (ARC) not enabled | ios | new |
| MASTG-TEST-0228 | Position Independent Code (PIC) not Enabled | ios | new |
| MASTG-TEST-0086 | Memory Corruption Bugs | ios | update-pending |
| MASTG-TEST-0085 | Checking for Weaknesses in Third Party Libraries | ios | deprecated |
| MASTG-TEST-0080 | Testing Enforced Updating | ios | update-pending |
| MASTG-TEST-0275 | Dependencies with Known Vulnerabilities in the App's SBOM | ios | new |