Skip to content

Testing Tools

The OWASP MASTG includes many tools to assist you in executing test cases, allowing you to perform static analysis, dynamic analysis, dynamic instrumentation, etc. These tools are meant to help you conduct your own assessments, rather than provide a conclusive result on an application's security status. It's essential to carefully review the tools' output, as it can contain both false positives and false negatives.

The goal of the MASTG is to be as accessible as possible. For this reason, we prioritize including tools that meet the following criteria:

  • Open-source
  • Free to use
  • Capable of analyzing recent Android/iOS applications
  • Regularly updated
  • Strong community support

In instances where no suitable open-source alternative exists, we may include closed-source tools. However, any closed-source tools included must be free to use, as we aim to avoid featuring paid tools whenever possible. This also extends to freeware or community editions of commercial tools.

Our goal is to be vendor-neutral and to serve as a trusted learning resource, so the specific category of "automated mobile application security scanners" presents a unique challenge. For this reason, we have historically avoided including such tools due to the competitive disadvantages they can create among vendors. In contrast, we prioritize tools like MobSF that provide full access to their code and a comprehensive set of tests, making them excellent for educational purposes. Tools that lack this level of transparency, even if they offer a free version, generally do not meet the inclusion criteria of the OWASP MAS project.

Disclaimer: Each tool included in the MASTG examples was verified to be functional at the time it was added. However, the tools may not work properly depending on the OS version of both your host computer and your test device. The functionality of the tools can also be affected by whether you're using a rooted or jailbroken device, the specific version of the rooting or jailbreaking method, and/or the tool version itself. The OWASP MASTG does not assume any responsibility for the operational status of these tools. If you encounter a broken tool or example, we recommend searching online for a solution or contacting the tool's provider directly. If the tool has a GitHub page, you may also open an issue there.

Generic Tools

ID Name Platform
MASTG-TOOL-0038 objection generic
MASTG-TOOL-0035 MobSF generic
MASTG-TOOL-0098 iaito generic
MASTG-TOOL-0037 RMS Runtime Mobile Security generic
MASTG-TOOL-0032 Frida CodeShare generic
MASTG-TOOL-0034 LIEF generic
MASTG-TOOL-0031 Frida generic
MASTG-TOOL-0036 r2frida generic
MASTG-TOOL-0033 Ghidra generic

Android Tools

ID Name Platform
MASTG-TOOL-0013 Busybox android
MASTG-TOOL-0027 Xposed android
MASTG-TOOL-0012 apkx android
MASTG-TOOL-0002 MobSF for Android android
MASTG-TOOL-0004 adb android
MASTG-TOOL-0005 Android NDK android
MASTG-TOOL-0028 radare2 for Android android
MASTG-TOOL-0003 nm - Android android
MASTG-TOOL-0022 Proguard android
MASTG-TOOL-0025 SSLUnpinning android
MASTG-TOOL-0018 jadx android
MASTG-TOOL-0017 House android
MASTG-TOOL-0001 Frida for Android android
MASTG-TOOL-0016 gplaycli android
MASTG-TOOL-0010 APKLab android
MASTG-TOOL-0029 objection for Android android
MASTG-TOOL-0006 Android SDK android
MASTG-TOOL-0021 Magisk android
MASTG-TOOL-0099 FlowDroid android
MASTG-TOOL-0015 Drozer android
MASTG-TOOL-0023 RootCloak Plus android
MASTG-TOOL-0019 jdb android
MASTG-TOOL-0009 APKiD android
MASTG-TOOL-0026 Termux android
MASTG-TOOL-0024 Scrcpy android
MASTG-TOOL-0007 Android Studio android
MASTG-TOOL-0008 Android-SSL-TrustKiller android
MASTG-TOOL-0020 JustTrustMe android
MASTG-TOOL-0030 Angr android
MASTG-TOOL-0014 Bytecode Viewer android
MASTG-TOOL-0011 Apktool android

Ios Tools

ID Name Platform
MASTG-TOOL-0049 Frida-cycript ios
MASTG-TOOL-0042 BinaryCookieReader ios
MASTG-TOOL-0063 security ios
MASTG-TOOL-0072 xcrun ios
MASTG-TOOL-0051 gdb ios
MASTG-TOOL-0041 nm - iOS ios
MASTG-TOOL-0040 MobSF for iOS ios
MASTG-TOOL-0047 Cydia ios
MASTG-TOOL-0057 lldb ios
MASTG-TOOL-0060 otool ios
MASTG-TOOL-0054 ios-deploy ios
MASTG-TOOL-0074 objection for iOS ios
MASTG-TOOL-0039 Frida for iOS ios
MASTG-TOOL-0056 Keychain-Dumper ios
MASTG-TOOL-0059 optool ios
MASTG-TOOL-0062 Plutil ios
MASTG-TOOL-0048 dsdump ios
MASTG-TOOL-0050 Frida-ios-dump ios
MASTG-TOOL-0044 class-dump-z ios
MASTG-TOOL-0053 iOSbackup ios
MASTG-TOOL-0046 Cycript ios
MASTG-TOOL-0068 SwiftShield ios
MASTG-TOOL-0069 Usbmuxd ios
MASTG-TOOL-0045 class-dump-dyld ios
MASTG-TOOL-0073 radare2 for iOS ios
MASTG-TOOL-0102 ios-app-signer ios
MASTG-TOOL-0061 Grapefruit ios
MASTG-TOOL-0043 class-dump ios
MASTG-TOOL-0064 Sileo ios
MASTG-TOOL-0055 iProxy ios
MASTG-TOOL-0070 Xcode ios
MASTG-TOOL-0067 swift-demangle ios
MASTG-TOOL-0065 simctl ios
MASTG-TOOL-0066 SSL Kill Switch 3 ios
MASTG-TOOL-0058 MachoOView ios
MASTG-TOOL-0101 codesign ios
MASTG-TOOL-0071 Xcode Command Line Tools ios

Network Tools

ID Name Platform
MASTG-TOOL-0075 Android tcpdump network
MASTG-TOOL-0097 mitmproxy network
MASTG-TOOL-0077 Burp Suite network
MASTG-TOOL-0080 tcpdump network
MASTG-TOOL-0081 Wireshark network
MASTG-TOOL-0078 MITM Relay network
MASTG-TOOL-0076 bettercap network