OWASP Mobile Security Testing Guide Files

We've been very busy with the OWASP MASVS refactoring but we're very excited to be able to bring you the new OWASP MASTG in its version v1.5.0 including loads of news including new Test Cases, Testing Fundamentals, upgraded MAS Checklists and many more, see below.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MAS rebranding, the brand new OWASP MAS website and this MASTG v1.5.0 release and for continuing spreading the word about the OWASP MAS project.

Carlos Holguera & Sven Schleier - OWASP MAS project

NOTE: the OWASP MASTG v1.5.0 relies on the latest MASVS v1.4.2

What's Changed

📢 News

New "Trusted By" Section & CREST OVS

Introducing the "MAS Advocate" Status

Add Google's ADA MASA

Project Rebranding to OWASP MAS

OWASP MAS New Website

• Add Trusted By Section and Adopters by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2059
• Add CREST and CREST OVS by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2172
• Introducing the "MAS Advocate" Status by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2132 *Add Google's ADA MASA (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2128
• First Update to MAS and MASTG by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2179
• Add MASTG New Cover for PDF by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2205
• Update Twitter Handle to @OWASP_MAS by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2186
• Rename MSTG to MASTG & link to New Website mas.owasp.org by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2195

🧪 MASTG Test Cases

• MSTG-CODE-1 Add Link to Latest Code Signature Format for iOS by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2025
• Testing Instant Apps is now in 0x05b (Basic Security Testing) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2039
• MSTG-NETWORK-1 Added clearText Traffic Info by @TheDauntless in https://github.com/OWASP/owasp-mastg/pull/2037
• MSTG-CODE-9 Update Xcode Menu Options for PIE Protection by @ichistmeinname in https://github.com/OWASP/owasp-mastg/pull/2078
• MSTG-CODE-1 Enhance iOS Code Signing Section (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2102
• MSTG-PLATFORM-1 Introducing Privacy-Friendly Alternatives to Requesting Permissions by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/1993
• MSTG-PLATFORM-2 MSTG-PLATFORM-3 Enhance Android Deep Link Testing (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2090
• MSTG-PLATFORM-10 Add WebViews Cleanup by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/1984
• Add coverage for MSTG-CODE-9 on Android by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2089
• MSTG-NETWORK-1-4 Fix Network Security Testing on Android and iOS (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2042
• MSTG-RESILIENCE-5 Update Emulation Available on iOS by @t3chn0m4g3 in https://github.com/OWASP/owasp-mastg/pull/2167

📖 MASTG Testing Fundamentals

• 0x06b - Upgrade Jailbreak section by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/1943
• Fix Deprecated SecKeyEncrypt Class (iOS) by @fujiokayu in https://github.com/OWASP/owasp-mastg/pull/2083
• 0x04e - About OTP Authentication Checks by @Saket-taneja in https://github.com/OWASP/owasp-mastg/pull/1938
• Added instructions explaining how to move certificate from user to root store by @DemanNL in https://github.com/OWASP/owasp-mastg/pull/1915
• Key Management Updates for iOS and Android by @vixentael in https://github.com/OWASP/owasp-mastg/pull/2127
• CRYPTO: Export and import crypto regulations by @julepka in https://github.com/OWASP/owasp-mastg/pull/1885
• 0x06b - Update Jailbreak Content (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2145
• Add FIPS 140-2 validated info for corecrypto by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2144
• Improve the Android Architecture Section (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2118
• Add New References to Android API changes (by @NowSecure) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2153
• Updated Symmetric and Asymmetric Encryption Description by @dmagnate in https://github.com/OWASP/owasp-mastg/pull/2139

✨ MASTG Testing Techniques

• 0x05c - Update Angr Example to Angr 9.2.2 by @kousha1999 in https://github.com/OWASP/owasp-mastg/pull/2103
• Enabling Safari Web Inspector on iOS by @lndevel in https://github.com/OWASP/owasp-mastg/pull/2112
• Update Corellium info and about decrypting IPAs by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2124

🪄 MASTG Testing Tools

• New Chapter for Reference Apps [#2142] by @wwwhackcom in https://github.com/OWASP/owasp-mastg/pull/2156
• Add APKLab for Android by @fujiokayu in https://github.com/OWASP/owasp-mastg/pull/2177

⚡ Automation

• Update Changelog Automation by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2057
• Add GitHub Action for codespell by @cclauss in https://github.com/OWASP/owasp-mastg/pull/2069
• Fix All Markdown Lint Issues and Broken Links by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2143
• Auto-label PRs by @witzki in https://github.com/OWASP/owasp-mastg/pull/2101
• Enhance Auto Release Notes by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2234
• Add MASVS version to MASTG PDF by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2235

📜 MAS Checklists

• Increase Checklist Test Coverage Including Tests from the 0x04* Chapters by @fujiokayu in https://github.com/OWASP/owasp-mastg/pull/2085
• Add Common Test Case Column to Checklist by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2208

🎉 New Donators

• Thanks Corellium by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2174

🐞 Errata Corrections

• Update broken links by @TheDauntless in https://github.com/OWASP/owasp-mastg/pull/2038
• Fixing typos and more in the Android Crypto Chapter by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/1992
• Fix spelling by @TheDauntless in https://github.com/OWASP/owasp-mastg/pull/2049
• Fix typos discovered by codespell by @cclauss in https://github.com/OWASP/owasp-mastg/pull/2067
• Fixed Typos in 0x04i-Testing-User-Privacy-Protection by @wassef911 in https://github.com/OWASP/owasp-mastg/pull/2123
• Fix Intros in Cryptography Chapters (by @NowSecure) by @corielynch in https://github.com/OWASP/owasp-mastg/pull/2051
• Fix typo in 0x04f-Testing-Network-Communication.md by @dturner42 in https://github.com/OWASP/owasp-mastg/pull/2178
• Resolved broken link to OWASP MASTG authors and co-authors (#2197) ; by @chantzlarge in https://github.com/OWASP/owasp-mastg/pull/2198
• Resolved broken link to OWASP MASTG Contributors (#2199) ; by @chantzlarge in https://github.com/OWASP/owasp-mastg/pull/2200
• Fix lulu.com links by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2203

Other Changes

• Improve README UX by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2061
• Fix chapter outline for 0x04g (Mobile App Cryptography) by @cpholguera in https://github.com/OWASP/owasp-mastg/pull/2040
• Change markdown images to html images by @TheDauntless in https://github.com/OWASP/owasp-mastg/pull/2126

New Contributors

• @cclauss made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2067
• @ichistmeinname made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2078
• @kousha1999 made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2103
• @lndevel made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2112
• @wassef911 made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2123
• @DemanNL made their first contribution in https://github.com/OWASP/owasp-mastg/pull/1915
• @dmagnate made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2139
• @witzki made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2101
• @wwwhackcom made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2156
• @t3chn0m4g3 made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2167
• @dturner42 made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2178
• @chantzlarge made their first contribution in https://github.com/OWASP/owasp-mastg/pull/2198

Full Changelog: https://github.com/OWASP/owasp-mastg/compare/v1.4.0...v1.5.0