Mobile Application Security Weakness Enumeration (MASWE)

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

About the MASWE

The Mobile Application Security Weakness Enumeration (MASWE) is a list of common security and privacy weaknesses in mobile applications. It is intended to be used as a reference for developers, security researchers, and security professionals. It acts as the bridge between the MASVS and the MASTG.

For its definition we draw inspiration from the Common Weakness Enumeration (CWE), which is a community-developed list of common software security weaknesses. The MASWE is intended to be a complementary list to the CWE, focusing specifically on security weaknesses in mobile applications.

A weakness is a security or privacy issue that can be introduced into a mobile application. Weaknesses are categorized by the MASVS categories and controls. For example, a weakness related to the use of insecure random number generators is categorized under the MASVS-CRYPTO-1 control.

Each weakness contains the following information:

  • Overview: A brief description of the weakness.
  • Impact: The potential impact of the weakness on the security or privacy of the application.
  • Modes of Introduction: The ways in which the weakness can be introduced into an application.
  • Mitigations: Recommendations for mitigating the weakness.

"Weakness vs Vulnerability": It is important to note that a weakness is not a vulnerability, but it can lead to the introduction of vulnerabilities. According to the CWE, a weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. Whereas a vulnerability is a flaw in a software, firmware, hardware, or service component resulting from a weakness that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

ID Title Platform MASVS v2 ID L1 L2 R P Status
MASWE-0108 Sensitive Data in Network Traffic platform:android platform:ios MASVS-PRIVACY-1 profile:P newstatus:new
MASWE-0006 Sensitive Data Stored Unencrypted in Private Storage Locations platform:android platform:ios MASVS-STORAGE-1 profile:L2 newstatus:new
MASWE-0001 Insertion of Sensitive Data into Logs platform:android platform:ios MASVS-STORAGE-2 profile:L1 profile:L2 profile:P newstatus:new
MASWE-0007 Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction platform:android MASVS-STORAGE-1 profile:L1 profile:L2 newstatus:new
MASWE-0004 Sensitive Data Not Excluded From Backup platform:android platform:ios MASVS-STORAGE-2 profile:L1 profile:L2 profile:P draftstatus:draft
MASWE-0008 Device Access Security Policy Not Enforced platform:android platform:ios MASVS-STORAGE-1 profile:L2 draftstatus:draft
MASWE-0003 Backup Unencrypted platform:android MASVS-STORAGE-2 profile:L2 draftstatus:draft
MASWE-0002 Sensitive Data Stored With Insufficient Access Restrictions in Internal Locations platform:android MASVS-STORAGE-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0005 Sensitive Data Hardcoded in the App Package platform:android platform:ios MASVS-STORAGE-1 profile:L1 profile:L2 newstatus:new
MASWE-0100 Device Attestation Not Implemented platform:android platform:ios MASVS-RESILIENCE-1 profile:R draftstatus:draft
MASWE-0104 App Integrity Not Verified platform:android platform:ios MASVS-RESILIENCE-2 profile:R draftstatus:draft
MASWE-0091 Anti-Deobfuscation Techniques Not Implemented platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0107 Runtime Code Integrity Not Verified platform:android platform:ios MASVS-RESILIENCE-2 profile:R draftstatus:draft
MASWE-0101 Debugger Detection Not Implemented platform:android platform:ios MASVS-RESILIENCE-4 profile:R draftstatus:draft
MASWE-0090 Resource Obfuscation Not Implemented platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0105 Integrity of App Resources Not Verified platform:android platform:ios MASVS-RESILIENCE-2 profile:R draftstatus:draft
MASWE-0098 App Virtualization Environment Detection Not Implemented platform:android platform:ios MASVS-RESILIENCE-1 profile:R draftstatus:draft
MASWE-0095 Code That Disables Security Controls Not Removed platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0102 Dynamic Analysis Tools Detection Not Implemented platform:android platform:ios MASVS-RESILIENCE-4 profile:R draftstatus:draft
MASWE-0103 RASP Techniques Not Implemented platform:android platform:ios MASVS-RESILIENCE-4 profile:R draftstatus:draft
MASWE-0096 Data Sent Unencrypted Over Encrypted Connections platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0099 Emulator Detection Not Implemented platform:android platform:ios MASVS-RESILIENCE-1 profile:R draftstatus:draft
MASWE-0089 Code Obfuscation Not Implemented platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0093 Debugging Symbols Not Removed platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0092 Static Analysis Tools Not Prevented platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0106 Official Store Verification Not Implemented platform:android platform:ios MASVS-RESILIENCE-2 profile:R draftstatus:draft
MASWE-0094 Non-Production Resources Not Removed platform:android platform:ios MASVS-RESILIENCE-3 profile:R draftstatus:draft
MASWE-0097 Root/Jailbreak Detection Not Implemented platform:android platform:ios MASVS-RESILIENCE-1 profile:R draftstatus:draft
MASWE-0034 Insecure Implementation of Confirm Credentials platform:android MASVS-AUTH-1 profile:L2 draftstatus:draft
MASWE-0033 Authentication or Authorization Protocol Security Best Practices Not Followed platform:android platform:ios MASVS-AUTH-1 profile:L2 draftstatus:draft
MASWE-0036 Authentication Material Stored Unencrypted on the Device platform:android platform:ios MASVS-AUTH-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0035 Passwordless Authentication Not Implemented platform:android platform:ios MASVS-AUTH-1 profile:L2 draftstatus:draft
MASWE-0040 Insecure Authentication in WebViews platform:android platform:ios MASVS-AUTH-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0031 Insecure use of Android Protected Confirmation platform:android MASVS-AUTH-3 profile:L2 draftstatus:draft
MASWE-0043 App Custom PIN Not Bound to Platform KeyStore platform:android platform:ios MASVS-AUTH-2 profile:L2 draftstatus:draft
MASWE-0039 Shared Web Credentials and Website-association Not Implemented platform:android platform:ios MASVS-AUTH-1 profile:L2 draftstatus:draft
MASWE-0038 Authentication Tokens Not Validated platform:android platform:ios MASVS-AUTH-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0030 Re-Authenticates Not Triggered On Contextual State Changes platform:android platform:ios MASVS-AUTH-3 profile:L2 draftstatus:draft
MASWE-0044 Biometric Authentication is Event-bound platform:android platform:ios MASVS-AUTH-2 profile:L2 draftstatus:draft
MASWE-0045 Fallback to Non-biometric Credentials Allowed for Sensitive Transactions platform:android platform:ios MASVS-AUTH-2 profile:L2 draftstatus:draft
MASWE-0046 Crypto Keys Not Invalidated on New Biometric Enrollment platform:android platform:ios MASVS-AUTH-2 profile:L2 draftstatus:draft
MASWE-0041 Authentication Enforced Only Locally Instead of on the Server-side platform:android platform:ios MASVS-AUTH-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0032 Platform-provided Authentication APIs Not Used platform:android platform:ios MASVS-AUTH-1 profile:L2 draftstatus:draft
MASWE-0029 Step-Up Authentication Not Implemented After Login platform:android platform:ios MASVS-AUTH-3 profile:L2 draftstatus:draft
MASWE-0042 Authorization Enforced Only Locally Instead of on the Server-side platform:android platform:ios MASVS-AUTH-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0028 MFA Implementation Best Practices Not Followed platform:android platform:ios MASVS-AUTH-3 profile:L2 draftstatus:draft
MASWE-0037 Authentication Material Sent over Insecure Connections platform:android platform:ios MASVS-AUTH-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0047 Insecure Identity Pinning platform:android platform:ios MASVS-NETWORK-2 profile:L2 draftstatus:draft
MASWE-0048 Insecure Non-HTTP Traffic platform:android platform:ios MASVS-NETWORK-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0051 Unprotected Open Ports platform:android platform:ios MASVS-NETWORK-1 profile:L2 draftstatus:draft
MASWE-0049 Proved Networking APIs Not used platform:android platform:ios MASVS-NETWORK-1 profile:L2 draftstatus:draft
MASWE-0052 Insecure Certificate Validation platform:android platform:ios MASVS-NETWORK-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0050 Cleartext Traffic platform:android platform:ios MASVS-NETWORK-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0066 Insecure Intents platform:android MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0064 Insecure Content Providers platform:android MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0054 Sensitive Data Leaked via Notifications platform:android platform:ios MASVS-PLATFORM-3 profile:L2 draftstatus:draft
MASWE-0053 Sensitive Data Leaked via the User Interface platform:android platform:ios MASVS-PLATFORM-3 profile:L2 draftstatus:draft
MASWE-0071 WebViews Loading Content from Untrusted Sources platform:android platform:ios MASVS-PLATFORM-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0069 WebViews Allows Access to Local Resources platform:android platform:ios MASVS-PLATFORM-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0068 JavaScript Bridges in WebViews platform:android platform:ios MASVS-PLATFORM-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0072 Universal XSS platform:android platform:ios MASVS-PLATFORM-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0063 Insecure Broadcast Receivers platform:android MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0073 Insecure WebResourceResponse Implementations platform:android platform:ios MASVS-PLATFORM-2 profile:L2 draftstatus:draft
MASWE-0065 Sensitive Data Permanently Shared with Other Apps platform:android MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0055 Sensitive Data Leaked via Screenshots platform:android platform:ios MASVS-PLATFORM-3 profile:L2 draftstatus:draft
MASWE-0060 Insecure Use of UIActivity platform:ios MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0067 Debuggable Flag Not Disabled platform:android platform:ios MASVS-PLATFORM-1 profile:R draftstatus:draft
MASWE-0059 Use Of Unauthenticated Platform IPC platform:android platform:ios MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0056 Tapjacking Attacks platform:android platform:ios MASVS-PLATFORM-3 profile:L2 draftstatus:draft
MASWE-0070 JavaScript Loaded from Untrusted Sources platform:android platform:ios MASVS-PLATFORM-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0057 StrandHogg Attack / Task Affinity Vulnerability platform:android MASVS-PLATFORM-3 profile:L1 profile:L2 draftstatus:draft
MASWE-0061 Insecure Use of App Extensions platform:ios MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0074 Web Content Debugging Enabled platform:android platform:ios MASVS-PLATFORM-2 profile:L2 draftstatus:draft
MASWE-0062 Insecure Services platform:android MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0058 Insecure Deep Links platform:android platform:ios MASVS-PLATFORM-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0081 Unsafe Handling Of Data From External Interfaces platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0087 Insecure Parsing and Escaping platform:android platform:ios MASVS-CODE-4 profile:L2 draftstatus:draft
MASWE-0088 Insecure Object Deserialization platform:android platform:ios MASVS-CODE-4 profile:L2 draftstatus:draft
MASWE-0080 Unsafe Handling of Data from Backups platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0083 Unsafe Handling of Data From The User Interface platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0084 Unsafe Handling of Data from IPC platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0085 Unsafe Dynamic Code Loading platform:android platform:ios MASVS-CODE-4 profile:L2 draftstatus:draft
MASWE-0086 SQL Injection platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0076 Dependencies with Known Vulnerabilities platform:android platform:ios MASVS-CODE-3 profile:L1 profile:L2 draftstatus:draft
MASWE-0082 Unsafe Handling of Data From Local Storage platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0075 Enforced Updating Not Implemented platform:android platform:ios MASVS-CODE-2 profile:L2 draftstatus:draft
MASWE-0077 Running on a recent Platform Version Not Ensured platform:android platform:ios MASVS-CODE-1 profile:L2 draftstatus:draft
MASWE-0078 Latest Platform Version Not Targeted platform:android platform:ios MASVS-CODE-1 profile:L2 draftstatus:draft
MASWE-0079 Unsafe Handling of Data from the Network platform:android platform:ios MASVS-CODE-4 profile:L1 profile:L2 draftstatus:draft
MASWE-0017 Cryptographic Keys Not Properly Protected on Export platform:android platform:ios MASVS-CRYPTO-2 profile:L2 draftstatus:draft
MASWE-0011 Cryptographic Key Rotation Not Implemented platform:android platform:ios MASVS-CRYPTO-2 profile:L2 draftstatus:draft
MASWE-0024 Weak Message Authentication Codes (MAC) platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0026 Improper Verification of Cryptographic Signature platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0014 Cryptographic Keys Not Properly Protected at Rest platform:android platform:ios MASVS-CRYPTO-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0015 Deprecated Android KeyStore Implementations platform:android MASVS-CRYPTO-2 profile:L2 draftstatus:draft
MASWE-0009 Weak Cryptographic Key Generation platform:android platform:ios MASVS-CRYPTO-2 profile:L1 profile:L2 newstatus:new
MASWE-0019 Potentially Weak Cryptography Implementations platform:android platform:ios MASVS-CRYPTO-1 profile:L2 draftstatus:draft
MASWE-0021 Weak Hashing platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0012 Insecure or Wrong Usage of Cryptographic Key platform:android platform:ios MASVS-CRYPTO-2 profile:L2 draftstatus:draft
MASWE-0022 Predictable Initialization Vectors (IVs) platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0013 Hardcoded Cryptographic Keys in Use platform:android platform:ios MASVS-CRYPTO-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0010 Weak Cryptographic Key Derivation platform:android platform:ios MASVS-CRYPTO-2 profile:L1 profile:L2 draftstatus:draft
MASWE-0025 Weak Signature platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0016 Unsafe Handling of Imported Cryptographic Keys platform:android platform:ios MASVS-CRYPTO-2 profile:L2 draftstatus:draft
MASWE-0018 Cryptographic Keys Access Not Restricted platform:android platform:ios MASVS-CRYPTO-2 profile:L2 draftstatus:draft
MASWE-0027 Cryptographically Weak Pseudo-Random Number Generator (PRNG) platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 newstatus:new
MASWE-0020 Weak Encryption platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft
MASWE-0023 Weak Padding platform:android platform:ios MASVS-CRYPTO-1 profile:L1 profile:L2 draftstatus:draft