OWASP Mobile Application Security Files

MASTG Refactor Part 2: Techniques, Tools & Reference Apps: This release introduces the second phase of the MASTG (Mobile Application Security Testing Guide) refactor. These changes aim to enhance the usability and accessibility of the MASTG.

The primary focus of this new refactor is the reorganization of the MASTG content into different components, each housed in its dedicated section/folder and existing now as individual pages in our website (markdown files with metadata/frontmatter in GitHub):

NOTE: You may find broken links on the website and in the PDF/eBook. This is a consequence of these massive changes and we expect to be able to fix them soon.

• Tests:

  • Website: Tests section.
  • GitHub: tests/ folder.
  • Identified by IDs in the format MASTG-TEST-XXXX.
  • Includes all tests originally in:
    • 0x05d/0x06d-Testing-Data-Storage.md
    • 0x05e/0x06e-Testing-Cryptography.md
    • 0x05f/0x06f-Testing-Local-Authentication.md
    • 0x05g/0x06g-Testing-Network-Communication.md
    • 0x05h/0x06h-Testing-Platform-Interaction.md
    • 0x05i/0x06i-Testing-Code-Quality-and-Build-Settings.md
    • 0x05j/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
  • :warning: IMPORTANT (TODO): These tests are still the original MASTG v1.6.0 tests. We will progressively split them into smaller tests, the so-called "atomic tests" in MASTG v2 and assign the new MAS profiles accordingly.

• Techniques:

  • Website: Techniques section.
  • GitHub: techniques/ folder.
  • Identified by IDs in the format MASTG-TECH-XXXX.
  • Includes all techniques originally in:
    • 0x05b/0x06b-Basic-Security_Testing.md
    • 0x05c/0x06c-Reverse-Engineering-and-Tampering.md

• Tools:

  • Website: Tools section.
  • GitHub: tools/ folder.
  • Identified by IDs in the format MASTG-TOOL-XXXX.
  • Includes all tools from:
    • 0x08a-Testing-Tools.md

• Apps:

  • Website: Apps section.
  • GitHub: apps/ folder.
  • Identified by IDs in the format MASTG-APP-XXXX.
  • Includes all apps from:
    • 0x08b-Reference-Apps.md

We hope that the revamped structure enables you to navigate the MASTG more efficiently and access the information you need with ease. See below for a detailed list of changes.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for this new OWASP MASTG refactoring phase and for continuing spreading the word about the OWASP MAS project.

We'd also like to thank our new MAS Advocate applicants for waiting patiently while we get everything ready behind the scenes for them to help us efficiently.

💙 Thanks to Zimperium for their generous donation!

Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project

NOTE: the OWASP MASTG v1.7.0 relies on the latest MASVS v2.0.0

Help us improve! questions | ideas | contact

What's Changed

📢 News

• Introducing the new MAS Testing Profiles and MASTG Atomic Tests proposals by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2424
• Add news about the MAS Score Formula Proposal by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2436
• News: MASVS-PRIVACY by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2459

🧪 MASTG Test Cases

• Proofreading fixes 0x05d part 4 by @Laancelot in https://github.com/OWASP/owasp-mastg/pull/2414
• [ios_0x06d/0055] Fix the description of the keyboard cache location by @sohsatoh in https://github.com/OWASP/owasp-mastg/pull/2416
• Update Android permission protection levels and introduced risk categories (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2423
• Proofreading fixes 0x05d part 3 by @Laancelot in https://github.com/OWASP/owasp-mastg/pull/2413
• Proofreading fixes 0x05d part 1 (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2427
• Proofreading fixes 0x05e part 1 (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2426

📖 MASTG Testing Fundamentals

• Introduce App Attest by @lihter in https://github.com/OWASP/owasp-mastg/pull/2462

✨ MASTG Testing Techniques

• Taint analysis for Android Java code by @su-vikas in https://github.com/OWASP/owasp-mastg/pull/2390

🪄 MASTG Testing Tools

• Replace Passionfruit with Grapefruit by @lihter in https://github.com/OWASP/owasp-mastg/pull/2451
• Update r2frida guide examples to use : instead of \ for command start by @Shiva953 in https://github.com/OWASP/owasp-mastg/pull/2450

📜 Mobile Security Checklists

• Changed value of status_cells in yaml_to_excel.py by @bl13pbl03p in https://github.com/OWASP/owasp-mastg/pull/2417

🎉 New Donators

• Add Zimperium to God Mode Donators by @sushi2k in https://github.com/OWASP/owasp-mastg/pull/2440

Other Changes

• Consolidate Contributors in the MAS Website by @sushi2k in https://github.com/OWASP/owasp-mastg/pull/2392
• Fix broken download button in overview page by @ploar-bear in https://github.com/OWASP/owasp-mastg/pull/2410
• UnCrackable L1 Solution using MobSF by @Xhoenix in https://github.com/OWASP/owasp-mastg/pull/2421
• Update MASTG-TEST-0087 "Make Sure That Free Security Features Are Activated" (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2430
• MASTG Refactor Part 2: Techniques, Tools & Reference Apps (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2439

New Contributors

• @ploar-bear made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2410
• @bl13pbl03p made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2417
• @Xhoenix made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2421
• @lihter made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2451
• @Shiva953 made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2450

Full Changelog: https://github.com/OWASP/owasp-mastg/compare/v1.6.0...v1.7.0