MASWE-0095: Code That Disables Security Controls Not Removed

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Placeholder Weakness

This weakness hasn't been created yet and it's a placeholder. But you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our guidelines.

Check our GitHub Issues for MASWE-0095

Initial Description or Hints

The app contains leftover debugging logic or test code (CWE-489) that was not removed before release, which can disable critical protections like TLS certificate validation. It may also include hidden settings or functions that allow bypassing security controls (CWE-912), making the app vulnerable to manipulation.

Relevant Topics

• backdoors
• hidden settings to e.g. disable TLS verification

MASTG v1 Coverage

• MASTG-TEST-0041 - Testing for Debugging Code and Verbose Error Logging (android)
• MASTG-TEST-0084 - Testing for Debugging Code and Verbose Error Logging (ios)