MASTG Demos
About the MASTG Demos
Demos are write-ups that demonstrate the weakness in a sample application. They can be seen as a practical application of the tests.
Each demo contains the following information:
- Overview: A brief description of the demo.
- Sample: A code snippet that demonstrates the weakness.
- Steps: The specific steps followed to identify the weakness in the sample code.
- Observation: A description of the results of running the test against the code.
- Evaluation: The evaluation of the results of the test explaining why it failed or passed.
All demos in the MASTG are written in Markdown and are located in the demos directory.
Each demo directory contains the following files:
- MASTG-DEMO-****.md: The Markdown file containing the demo write-up.
- MastgTest.kt: The Kotlin code snippet that demonstrates the weakness.
- output.txt: The output of running the test against the code.
- run.sh: The script that runs the test against the code.
Depending on the test, the demo may contain additional files, such as configuration files, additional code snippets, scripts (e.g. in Python), or output files. The samples are written in Kotlin or Swift, depending on the platform. In some cases, the samples also include configuration files such as AndroidManifest.xml or Info.plist.
If the sample can be decompiled, the decompiled code is also provided in the demo. This is useful for understanding the code in the context of the application.
Demos are required to be fully self-contained and should not rely on external resources or dependencies. This ensures that the demos can be run independently and that the results are reproducible. They must be proven to work on the provided sample applications and must be tested thoroughly before being included in the MASTG.
MAS Test Apps
For the new demos to be reliable and consistent, their results must be reproducible so that they can be tested and validated. This is where the MASTestApps come in: two very simple apps that mirror each other on Android and iOS. Demos must be implemented using these apps. This helps the reviewer and also serves as a playground to create and practice your MAS skills.
Simply clone the repository and follow the instructions to run the apps on your local machine. Use them to validate the demos before submitting them to the MASTG.
IMPORTANT DISCLAIMER
Please read this disclaimer carefully as it contains essential information regarding the use of the Mobile Application Security Testing Guide (MASTG).
Scope and Purpose of MASTG Artifacts: Each new release of the MASTG will include a collection of testing resources such as Static Application Security Testing (SAST) rules, Dynamic Application Security Testing (DAST) scripts, and other relevant artifacts. However, it's crucial to understand that these resources are not intended to provide a comprehensive solution for all your security testing needs.
Baseline: The resources provided in the MASTG serve as a baseline or starting point. They are designed to be used as references and learning tools in the field of mobile application security. While they offer valuable insights and guidelines, they should be used as a foundation upon which you can build and tailor your own specific automation and security testing processes.
No Guarantee of Complete Coverage: The OWASP Mobile Application Security (MAS) project, the entity behind the MASTG, explicitly does not assume responsibility or guarantee that the provided code and resources will identify all possible vulnerabilities in mobile applications. Security testing is a complex and evolving field, and the effectiveness of any set of tools or rules varies depending on numerous factors, including the specific context of the application being tested, the experience of the tester, and the changing landscape of security threats.
Potential for False Positives and Negatives: Users of the MASTG should be aware that the testing resources might generate a significant number of false positives (incorrectly identifying non-issues as vulnerabilities) and false negatives (failing to detect actual vulnerabilities). It is essential to approach the results with a critical and informed mindset, and supplement automated testing with manual review and analysis.
Continuous Learning and Adaptation: The field of mobile application security is continuously evolving. As such, the MASTG resources should be seen as a living body of knowledge, subject to updates and improvements. Users are encouraged to stay informed about the latest security trends and techniques and to actively contribute to the evolution of these resources.
By using the MASTG, you acknowledge and agree to these limitations. It's recommended to combine the use of MASTG resources with other security practices and tools to achieve a more comprehensive and effective security testing strategy for your mobile applications.
| ID | Title | Platform | Test | Status |
|---|---|---|---|---|
| MASTG-DEMO-0005 | App Writing to External Storage via the MediaStore API | Android | MASTG-TEST-0202 | new |
| MASTG-DEMO-0035 | Data Exclusion using backup_rules.xml with adb backup | Android | MASTG-TEST-0216 | new |
| MASTG-DEMO-0001 | File System Snapshots from External Storage | Android | MASTG-TEST-0200 | new |
| MASTG-DEMO-0004 | App Writing to External Storage with Scoped Storage Restrictions | Android | MASTG-TEST-0202 | new |
| MASTG-DEMO-0064 | Uses of Caching UI Elements with semgrep | Android | MASTG-TEST-0258 | new |
| MASTG-DEMO-0060 | App Writing Sensitive Data to Sandbox using EncryptedSharedPreferences | Android | MASTG-TEST-0287 | new |
| MASTG-DEMO-0059 | Using SharedPreferences to Write Sensitive Data Unencrypted to the App Sandbox | Android | MASTG-TEST-0207 | new |
| MASTG-DEMO-0002 | External Storage APIs Tracing with Frida | Android | MASTG-TEST-0201 | new |
| MASTG-DEMO-0006 | Tracing Common Logging APIs Looking for Secrets | Android | MASTG-TEST-0203 | new |
| MASTG-DEMO-0003 | App Writing to External Storage without Scoped Storage Restrictions | Android | MASTG-TEST-0202 | new |
| MASTG-DEMO-0034 | Backup and Restore App Data with semgrep | Android | MASTG-TEST-0262 | new |
| MASTG-DEMO-0068 | Sensitive Data in Unencrypted SQLite | Android | MASTG-TEST-0304 | placeholder |
| MASTG-DEMO-0070 | Sensitive Data Stored Unencrypted via Room Database | Android | MASTG-TEST-0306 | placeholder |
| MASTG-DEMO-0069 | Sensitive Data Stored Unencrypted via DataStore | Android | MASTG-TEST-0305 | placeholder |
| MASTG-DEMO-0010 | File System Snapshots from Internal Storage | Android | MASTG-TEST-0207 | new |
| MASTG-DEMO-0020 | Data Exclusion using backup_rules.xml with Backup Manager | Android | MASTG-TEST-0216 | new |
| MASTG-DEMO-0033 | Dangerous Permissions in the AndroidManifest with semgrep | Android | MASTG-TEST-0254 | new |
| MASTG-DEMO-0009 | Detecting Undeclared PII in Network Traffic | Android | MASTG-TEST-0206 | new |
| MASTG-DEMO-0040 | Debuggable Flag Enabled in the AndroidManifest with semgrep | Android | MASTG-TEST-0226 | new |
| MASTG-DEMO-0062 | Enabling Screenshots in Recents via setRecentsScreenshotEnabled with semgrep | Android | MASTG-TEST-0292 | placeholder |
| MASTG-DEMO-0030 | Uses of WebViews Allowing Content Access with Frida | Android | MASTG-TEST-0251 | new |
| MASTG-DEMO-0078 | App Leaking Sensitive Data via Notifications | Android | MASTG-TEST-0315 | new |
| MASTG-DEMO-0031 | Uses of WebViews Allowing Local File Access with Frida | Android | MASTG-TEST-0253 | new |
| MASTG-DEMO-0079 | App Exposing Access and Verification Codes in Text Input Fields | Android | MASTG-TEST-0316 | new |
| MASTG-DEMO-0029 | Uses of WebViews Allowing Content Access with semgrep | Android | MASTG-TEST-0250 | new |
| MASTG-DEMO-0032 | Uses of WebViews Allowing Local File Access with semgrep | Android | MASTG-TEST-0252 | new |
| MASTG-DEMO-0063 | Incorrectly Preventing Screenshots with SecureFlagPolicy in Compose Dialogs with semgrep | Android | MASTG-TEST-0293 | placeholder |
| MASTG-DEMO-0061 | Uses of FLAG_SECURE with semgrep | Android | MASTG-TEST-0291 | new |
| MASTG-DEMO-0025 | Uses of Build.VERSION.SDK_INT with semgrep | Android | MASTG-TEST-0245 | new |
| MASTG-DEMO-0050 | Identifying Insecure Dependencies in Android Studio | Android | MASTG-TEST-0272 | new |
| MASTG-DEMO-0051 | Identifying Insecure Dependencies through SBOM Creation | Android | MASTG-TEST-0272 | new |
| MASTG-DEMO-0048 | SSLSocket Connection to Wrong Host Server Allowed by Lack of HostnameVerifier | Android | MASTG-TEST-0234 | new |
| MASTG-DEMO-0056 | WebView Ignoring TLS Errors in onReceivedSslError | Android | MASTG-TEST-0284 | new |
| MASTG-DEMO-0057 | Network Security Configuration Allows User-Added Certificates | Android | MASTG-TEST-0286 | new |
| MASTG-DEMO-0055 | Use of the HostnameVerifier that Allows Any Hostname | Android | MASTG-TEST-0283 | new |
| MASTG-DEMO-0054 | Use of a TrustManager that Does Not Validate Certificate Chains | Android | MASTG-TEST-0282 | new |
| MASTG-DEMO-0049 | SSLSocket Connection to Wrong Host Server Blocked by HostnameVerifier | Android | MASTG-TEST-0234 | new |
| MASTG-DEMO-0027 | Runtime Use of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate APIs with Frida | Android | MASTG-TEST-0249 | new |
| MASTG-DEMO-0038 | Detecting StrictMode Uses with Frida | Android | MASTG-TEST-0264 | new |
| MASTG-DEMO-0039 | Detecting StrictMode PenaltyLog Usage with Semgrep | Android | MASTG-TEST-0265 | new |
| MASTG-DEMO-0037 | App Leaking Information about Unclosed SQL Cursor via StrictMode | Android | MASTG-TEST-0263 | new |
| MASTG-DEMO-0028 | Uses of KeyguardManager.isDeviceSecure and BiometricManager.canAuthenticate with semgrep | Android | MASTG-TEST-0247 | new |
| MASTG-DEMO-0007 | Common Uses of Insecure Random APIs | Android | MASTG-TEST-0204 | new |
| MASTG-DEMO-0012 | Cryptographic Key Generation With Insufficient Key Length | Android | MASTG-TEST-0208 | new |
| MASTG-DEMO-0017 | Use of Hardcoded AES Key in SecretKeySpec with semgrep | Android | MASTG-TEST-0212 | new |
| MASTG-DEMO-0058 | Using KeyGenParameterSpec with a Broken ECB Block Mode | Android | MASTG-TEST-0232 | new |
| MASTG-DEMO-0008 | Uses of Non-random Sources | Android | MASTG-TEST-0205 | new |
| MASTG-DEMO-0023 | Uses of Broken Encryption Modes in Cipher with semgrep | Android | MASTG-TEST-0232 | new |
| MASTG-DEMO-0022 | Uses of Broken Symmetric Encryption Algorithms in Cipher with semgrep | Android | MASTG-TEST-0221 | new |
| MASTG-DEMO-0072 | Runtime Use of Asymmetric Key Pairs Used For Multiple Purposes With Frida | Android | MASTG-TEST-0308 | new |
| MASTG-DEMO-0075 | Uses of Explicit Security Providers in Cryptographic APIs with semgrep | Android | MASTG-TEST-0312 | new |
| MASTG-DEMO-0071 | References to Asymmetric Key Pairs Used For Multiple Purposes with Semgrep | Android | MASTG-TEST-0307 | new |
| MASTG-DEMO-0077 | Runtime Monitoring of Text Fields Eligible for Keyboard Caching with Frida | iOS | MASTG-TEST-0314 | new |
| MASTG-DEMO-0019 | Uses of isExcludedFromBackupKey with r2 | iOS | MASTG-TEST-0215 | new |
| MASTG-DEMO-0067 | Runtime Tracking of Files Eligible for Backup with Frida | iOS | MASTG-TEST-0298 | new |
| MASTG-DEMO-0065 | Uses of Logging APIs with r2 | iOS | MASTG-TEST-0297 | new |
| MASTG-DEMO-0066 | Sensitive Data Logging with idevicesyslog | iOS | MASTG-TEST-0296 | new |
| MASTG-DEMO-0076 | Keyboard Caching Not Prevented for Sensitive Data with r2 | iOS | MASTG-TEST-0313 | new |
| MASTG-DEMO-0052 | Scanning Package Manager Artifacts for Insecure iOS Dependencies | iOS | MASTG-TEST-0273 | new |
| MASTG-DEMO-0053 | Identifying Insecure Dependencies in SwiftPM through SBOM creation | iOS | MASTG-TEST-0273 | new |
| MASTG-DEMO-0021 | Uses of Jailbreak Detection Techniques with r2 | iOS | MASTG-TEST-0240 | new |
| MASTG-DEMO-0026 | Runtime Use of LAContext.canEvaluatePolicy with Frida | iOS | MASTG-TEST-0246 | new |
| MASTG-DEMO-0036 | Debuggable Entitlement Enabled in the entitlements.plist with rabin2 | iOS | MASTG-TEST-0261 | new |
| MASTG-DEMO-0024 | Uses of LAContext.canEvaluatePolicy with r2 | iOS | MASTG-TEST-0248 | new |
| MASTG-DEMO-0041 | Uses of LAContext.evaluatePolicy with r2 | iOS | MASTG-TEST-0266 | new |
| MASTG-DEMO-0044 | Runtime Use of kSecAccessControlUserPresence with Frida | iOS | MASTG-TEST-0269 | new |
| MASTG-DEMO-0047 | Runtime Use of the Keychain Not Requiring User Presence with Frida | iOS | MASTG-TEST-0266 | placeholder |
| MASTG-DEMO-0046 | Runtime Use of kSecAccessControlBiometryCurrentSet with Frida | iOS | MASTG-TEST-0271 | new |
| MASTG-DEMO-0045 | Uses of kSecAccessControlBiometryCurrentSet with r2 | iOS | MASTG-TEST-0270 | new |
| MASTG-DEMO-0043 | Uses of kSecAccessControlUserPresence with r2 | iOS | MASTG-TEST-0268 | new |
| MASTG-DEMO-0042 | Runtime Use of LAContext.evaluatePolicy with Frida | iOS | MASTG-TEST-0267 | new |
| MASTG-DEMO-0080 | Uses of Broken Encryption Modes in CommonCrypto with r2 | iOS | MASTG-TEST-0317 | new |
| MASTG-DEMO-0018 | Uses of Broken Encryption Algorithms in CommonCrypto with r2 | iOS | MASTG-TEST-0210 | new |
| MASTG-DEMO-0015 | Uses of Broken Hashing Algorithms in CommonCrypto with r2 | iOS | MASTG-TEST-0211 | new |
| MASTG-DEMO-0011 | Uses of Insufficient Key Size in SecKeyCreateRandomKey with r2 | iOS | MASTG-TEST-0209 | new |
| MASTG-DEMO-0074 | Uses of Insecure Random Number Generation with frida-trace | iOS | MASTG-TEST-0311 | new |
| MASTG-DEMO-0016 | Uses of Broken Hashing Algorithms in CryptoKit with r2 | iOS | MASTG-TEST-0211 | new |
| MASTG-DEMO-0073 | Uses of Insecure Random Number Generation with r2 | iOS | MASTG-TEST-0311 | new |
| MASTG-DEMO-0013 | Use of Hardcoded RSA Private Key in SecKeyCreateWithData with r2 | iOS | MASTG-TEST-0213 | new |
| MASTG-DEMO-0014 | Use of Hardcoded ECDSA Private Key in CryptoKit with r2 | iOS | MASTG-TEST-0213 | new |