Testing Tools
About the MASTG Tools
The OWASP MASTG includes many tools to assist you in executing test cases, allowing you to perform static analysis, dynamic analysis, network interception, etc. These tools are intended to help you perform your own assessments, rather than provide a conclusive result on the security status of an app. It's important to review the output of these tools carefully, as it can contain both false positives and false negatives.
The goal of the MASTG is to be as accessible as possible. For this reason, we prioritize including tools that meet the following criteria:
- Open-source
- Free to use
- Capable of analyzing recent Android/iOS applications
- Regularly updated
- Strong community support
In instances where no suitable open-source alternative exists, we may include closed-source tools. However, any closed-source tools included must be free to use, as we aim to avoid featuring paid tools whenever possible. This also extends to freeware or community editions of commercial tools.
Our goal is to be vendor-neutral and to serve as a trusted learning resource, which is why we've avoid the inclusion of "automated mobile application security scanners" due to the competitive challenges they pose. Instead, we focus on tools that provide full code access and comprehensive testing, as they are better suited for educational purposes. Tools that lack this transparency, even if they offer a free version, typically do not meet the OWASP MAS project's inclusion criteria.
Important Disclaimer
These tools have been tested to work when added, but compatibility may vary depending on your OS version, the device you're testing, or whether you're using a rooted or jailbroken device. Tool functionality may also be affected by specific versions of the rooting/jailbreaking method or the tool itself. OWASP MASTG does not guarantee the functionality of the tools. If you encounter problems, try to search for solutions online or contact the tool owner (e.g. via GitHub Issues).
ID | Name | Platform |
---|---|---|
MASTG-TOOL-0118 | Sideloadly | |
MASTG-TOOL-0058 | MachoOView | |
MASTG-TOOL-0121 | objdump - iOS | |
MASTG-TOOL-0049 | Frida-cycript | |
MASTG-TOOL-0064 | Sileo | |
MASTG-TOOL-0114 | codesign | |
MASTG-TOOL-0055 | iProxy | |
MASTG-TOOL-0053 | iOSbackup | |
MASTG-TOOL-0065 | simctl | |
MASTG-TOOL-0046 | Cycript | |
MASTG-TOOL-0069 | Usbmuxd | |
MASTG-TOOL-0070 | Xcode | |
MASTG-TOOL-0063 | security | |
MASTG-TOOL-0045 | class-dump-dyld | |
MASTG-TOOL-0057 | lldb | |
MASTG-TOOL-0050 | Frida-ios-dump | |
MASTG-TOOL-0061 | Grapefruit | |
MASTG-TOOL-0071 | Xcode Command Line Tools | |
MASTG-TOOL-0072 | xcrun | |
MASTG-TOOL-0105 | ipsw | |
MASTG-TOOL-0062 | Plutil | |
MASTG-TOOL-0067 | swift-demangle | |
MASTG-TOOL-0066 | SSL Kill Switch 3 | |
MASTG-TOOL-0111 | ldid | |
MASTG-TOOL-0074 | objection for iOS | |
MASTG-TOOL-0044 | class-dump-z | |
MASTG-TOOL-0059 | optool | |
MASTG-TOOL-0039 | Frida for iOS | |
MASTG-TOOL-0054 | ios-deploy | |
MASTG-TOOL-0060 | otool | |
MASTG-TOOL-0047 | Cydia | |
MASTG-TOOL-0048 | dsdump | |
MASTG-TOOL-0122 | c++filt | |
MASTG-TOOL-0117 | fastlane | |
MASTG-TOOL-0042 | BinaryCookieReader | |
MASTG-TOOL-0040 | MobSF for iOS | |
MASTG-TOOL-0041 | nm - iOS | |
MASTG-TOOL-0056 | Keychain-Dumper | |
MASTG-TOOL-0068 | SwiftShield | |
MASTG-TOOL-0051 | gdb | |
MASTG-TOOL-0073 | radare2 for iOS | |
MASTG-TOOL-0102 | ios-app-signer | |
MASTG-TOOL-0043 | class-dump | |
MASTG-TOOL-0108 | Corellium | |
MASTG-TOOL-0033 | Ghidra | |
MASTG-TOOL-0106 | Fridump | |
MASTG-TOOL-0098 | iaito | |
MASTG-TOOL-0036 | r2frida | |
MASTG-TOOL-0037 | RMS Runtime Mobile Security | |
MASTG-TOOL-0032 | Frida CodeShare | |
MASTG-TOOL-0038 | objection | |
MASTG-TOOL-0104 | hermes-dec | |
MASTG-TOOL-0100 | reFlutter | |
MASTG-TOOL-0035 | MobSF | |
MASTG-TOOL-0101 | disable-flutter-tls-verification | |
MASTG-TOOL-0034 | LIEF | |
MASTG-TOOL-0110 | semgrep | |
MASTG-TOOL-0031 | Frida | |
MASTG-TOOL-0076 | bettercap | |
MASTG-TOOL-0115 | HTTP Toolkit | |
MASTG-TOOL-0097 | mitmproxy | |
MASTG-TOOL-0077 | Burp Suite | |
MASTG-TOOL-0075 | Android tcpdump | |
MASTG-TOOL-0078 | MITM Relay | |
MASTG-TOOL-0109 | Nope-Proxy | |
MASTG-TOOL-0080 | tcpdump | |
MASTG-TOOL-0079 | OWASP ZAP | |
MASTG-TOOL-0081 | Wireshark | |
MASTG-TOOL-0004 | adb | |
MASTG-TOOL-0021 | Magisk | |
MASTG-TOOL-0006 | Android SDK | |
MASTG-TOOL-0026 | Termux | |
MASTG-TOOL-0010 | APKLab | |
MASTG-TOOL-0005 | Android NDK | |
MASTG-TOOL-0016 | gplaycli | |
MASTG-TOOL-0123 | apksigner | |
MASTG-TOOL-0107 | JNITrace | |
MASTG-TOOL-0027 | Xposed | |
MASTG-TOOL-0019 | jdb | |
MASTG-TOOL-0003 | nm - Android | |
MASTG-TOOL-0020 | JustTrustMe | |
MASTG-TOOL-0009 | APKiD | |
MASTG-TOOL-0025 | SSLUnpinning | |
MASTG-TOOL-0125 | Apkleaks | |
MASTG-TOOL-0002 | MobSF for Android | |
MASTG-TOOL-0001 | Frida for Android | |
MASTG-TOOL-0014 | Bytecode Viewer | |
MASTG-TOOL-0099 | FlowDroid | |
MASTG-TOOL-0013 | Busybox | |
MASTG-TOOL-0012 | apkx | |
MASTG-TOOL-0011 | Apktool | |
MASTG-TOOL-0028 | radare2 for Android | |
MASTG-TOOL-0022 | Proguard | |
MASTG-TOOL-0017 | House | |
MASTG-TOOL-0024 | Scrcpy | |
MASTG-TOOL-0112 | pidcat | |
MASTG-TOOL-0023 | RootCloak Plus | |
MASTG-TOOL-0030 | Angr | |
MASTG-TOOL-0103 | uber-apk-signer | |
MASTG-TOOL-0018 | jadx | |
MASTG-TOOL-0008 | Android-SSL-TrustKiller | |
MASTG-TOOL-0116 | Blutter | |
MASTG-TOOL-0124 | aapt2 | |
MASTG-TOOL-0120 | proxyDroid | |
MASTG-TOOL-0015 | drozer | |
MASTG-TOOL-0007 | Android Studio | |
MASTG-TOOL-0029 | objection for Android |