OWASP Mobile Application Security
MSTG Project joins Hacktoberfest
          • MASTG-APP-0005: Android UnCrackable L3
          • MASTG-APP-0006: Digitalbank
          • MASTG-APP-0007: DIVA Android
          • MASTG-APP-0008: DodoVulnerableBank
          • MASTG-APP-0009: DVHMA
          • MASTG-APP-0010: InsecureBankv2
          • MASTG-APP-0011: MASTG Hacking Playground (Java)
          • MASTG-APP-0012: MASTG Hacking Playground (Kotlin)
          • MASTG-APP-0013: OVAA
          • MASTG-APP-0014: InsecureShop
          • MASTG-APP-0015: Android UnCrackable L4
          • MASTG-APP-0016: Finstergram
          • MASTG-APP-0017: Disable-flutter-tls-verification
          • MASTG-APP-0023: DVIA
          • MASTG-APP-0024: DVIA-v2
          • MASTG-APP-0025: iOS UnCrackable L1
          • MASTG-APP-0026: iOS UnCrackable L2
          • MASTG-APP-0027: Disable-flutter-tls-verification
          • MASTG-APP-0028: iGoat-Swift
    • MASVS
        • Foreword
        • About the Standard
        • The Mobile Application Security Verification Standard
        • Assessment and Certification
      • MASVS-STORAGE: Storage
      • MASVS-STORAGE-1
      • MASVS-STORAGE-2
      • MASVS-CRYPTO: Cryptography
      • MASVS-CRYPTO-1
      • MASVS-CRYPTO-2
      • MASVS-AUTH: Authentication and Authorization
      • MASVS-AUTH-1
      • MASVS-AUTH-2
      • MASVS-AUTH-3
      • MASVS-NETWORK: Network Communication
      • MASVS-NETWORK-1
      • MASVS-NETWORK-2
      • MASVS-PLATFORM: Platform Interaction
      • MASVS-PLATFORM-1
      • MASVS-PLATFORM-2
      • MASVS-PLATFORM-3
      • MASVS-CODE: Code Quality
      • MASVS-CODE-1
      • MASVS-CODE-2
      • MASVS-CODE-3
      • MASVS-CODE-4
      • MASVS-RESILIENCE: Resilience Against Reverse Engineering and Tampering
      • MASVS-RESILIENCE-1
      • MASVS-RESILIENCE-2
      • MASVS-RESILIENCE-3
      • MASVS-RESILIENCE-4
      • MASVS-PRIVACY: Privacy
      • MASVS-PRIVACY-1
      • MASVS-PRIVACY-2
      • MASVS-PRIVACY-3
      • MASVS-PRIVACY-4
    • MAS Checklist
      • MASVS-STORAGE
      • MASVS-CRYPTO
      • MASVS-AUTH
      • MASVS-NETWORK
      • MASVS-PLATFORM
      • MASVS-CODE
      • MASVS-RESILIENCE
      • MASVS-PRIVACY
    • MAS Crackmes
      • Android Crackmes
      • iOS Crackmes
    • News
        • 2025
        • 2024
        • 2023
        • 2022
        • 2021
        • 2020
        • 2019
        • 2018
        • 2017
        • 2016
    • 🎙 Talks
      • Contributing to the MAS Project
      • How Can You Contribute?
      • Getting Started
      • Pull Requests & Reviews
      • Add a New Language
      • Style Guide
      • Add a Crackme
      • Donations
      • How to Donate
      • Donation Packages
    • 💬 Connect with Us
    Back to index
    Sven Schleier
    Creator
    • Metadata
      • October 2, 2019
      • 1 min read

    MSTG Project joins Hacktoberfest

    We are joining #hacktoberfest from October 2-31. Check out our issues on GitHub. Register at https://hacktoberfest.digitalocean.com.

    © OWASP Foundation 2025. This work is licensed under CC-BY-4.0. For any reuse or distribution, you must make clear to others the license terms of this work.