MASTG Tests

About the MASTG Tests

The MASTG "Atomic Tests" are a new addition to the MAS project. They are a collection of small, individual tests that can be used to assess the security and privacy of a mobile application. Each test is designed to be simple and focused on a single issue. The goal is to make it easier for developers and security professionals to identify and fix issues in their mobile applications.

Tests are organized into categories based on the OWASP MASVS and have a weakness assigned from the OWASP MASWE.

Each test includes:

  • Overview: A brief description of the test.
  • Steps: A set of steps to follow to identify the weakness in a mobile application.
  • Observation: A description of the results of running the test against an application.
  • Evaluation: Specific instructions for evaluating the results of the test.

Each test comes with a collection of demos that demonstrate the weakness in a sample application. These demos are written in markdown and are located in the Demos section of the MASTG.

ID Title Platform L1 L2 R P Status
MASTG-TEST-0017 Testing Confirm Credentials platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0018 Testing Biometric Authentication platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0032 Testing WebView Protocol Handlers platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0037 Testing WebViews Cleanup platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0252 References to Local File Access in WebViews platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0253 Runtime Use of Local File Access APIs in WebViews platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0033 Testing for Java Objects Exposed Through WebViews platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0035 Testing for Overlay Attacks platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0010 Finding Sensitive Information in Auto-Generated Screenshots platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0031 Testing JavaScript Execution in WebViews platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0029 Testing for Sensitive Functionality Exposure Through IPC platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0251 Runtime Use of Content Provider Access APIs in WebViews platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0007 Determining Whether Sensitive Stored Data Has Been Exposed via IPC Mechanisms platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0024 Testing for App Permissions platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0028 Testing Deep Links platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0250 References to Content Provider Access in WebViews platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0008 Checking for Sensitive Data Disclosure Through the User Interface platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0258 References to Keyboard Caching Attributes in UI Elements platform:android profile:L2 newstatus:new
MASTG-TEST-0030 Testing for Vulnerable Implementation of PendingIntent platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0036 Testing Enforced Updating platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0027 Testing for URL Loading in WebViews platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0002 Testing Local Storage for Input Validation platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0026 Testing Implicit Intents platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0034 Testing Object Persistence platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0025 Testing for Injection Flaws platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0274 Dependencies with Known Vulnerabilities in the App's SBOM platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0042 Checking for Weaknesses in Third Party Libraries platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0222 Position Independent Code (PIC) Not Enabled platform:android profile:L2 newstatus:new
MASTG-TEST-0044 Make Sure That Free Security Features Are Activated platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0223 Stack Canaries Not Enabled platform:android profile:L2 newstatus:new
MASTG-TEST-0043 Memory Corruption Bugs platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0272 Identify Dependencies with Known Vulnerabilities in the Android Project platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0245 References to Platform Version APIs platform:android profile:L2 newstatus:new
MASTG-TEST-0015 Testing the Purposes of Keys platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0013 Testing Symmetric Cryptography platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0232 Weak Symmetric Encryption Modes platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0016 Testing Random Number Generation platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0208 Inappropriate Key Sizes platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0221 Weak Symmetric Encryption Algorithms platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0205 Non-random Sources Usage platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0014 Testing the Configuration of Cryptographic Standard Algorithms platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0204 Insecure Random API Usage platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0212 Use of Hardcoded Cryptographic Keys in Code platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0235 Android App Configurations Allowing Cleartext Traffic platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0236 Cleartext Traffic Observed on the Network platform:network profile:L1 profile:L2 newstatus:new
MASTG-TEST-0019 Testing Data Encryption on the Network platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0218 Insecure TLS Protocols in Network Traffic platform:network profile:L1 profile:L2 newstatus:new
MASTG-TEST-0242 Missing Certificate Pinning in Network Security Configuration platform:android profile:L2 newstatus:new
MASTG-TEST-0023 Testing the Security Provider platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0217 Insecure TLS Protocols Explicitly Allowed in Code platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0022 Testing Custom Certificate Stores and Certificate Pinning platform:android profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0243 Expired Certificate Pins in the Network Security Configuration platform:android profile:L2 newstatus:new
MASTG-TEST-0244 Missing Certificate Pinning in Network Traffic platform:network profile:L2 newstatus:new
MASTG-TEST-0239 Using low-level APIs (e.g. Socket) to set up a custom HTTP connection platform:android profile:L1 profile:L2 placeholderstatus:placeholder
MASTG-TEST-0234 SSLSockets not Properly Verifying Hostnames platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0238 Runtime Use of Network APIs Transmitting Cleartext Traffic platform:android profile:L1 profile:L2 placeholderstatus:placeholder
MASTG-TEST-0020 Testing the TLS Settings platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0021 Testing Endpoint Identify Verification platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0233 Hardcoded HTTP URLs platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0237 Cross-Platform Framework Configurations Allowing Cleartext Traffic platform:android profile:L1 profile:L2 placeholderstatus:placeholder
MASTG-TEST-0249 Runtime Use of Secure Screen Lock Detection APIs platform:android profile:L2 newstatus:new
MASTG-TEST-0047 Testing File Integrity Checks platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0049 Testing Emulator Detection platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0225 Usage of Insecure Signature Key Size platform:android profile:R newstatus:new
MASTG-TEST-0247 References to APIs for Detecting Secure Screen Lock platform:android profile:L2 newstatus:new
MASTG-TEST-0041 Testing for Debugging Code and Verbose Error Logging platform:android profile:R deprecatedstatus:deprecated
MASTG-TEST-0226 Debuggable Flag Enabled in the AndroidManifest platform:android profile:R newstatus:new
MASTG-TEST-0048 Testing Reverse Engineering Tools Detection platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0224 Usage of Insecure Signature Version platform:android profile:R newstatus:new
MASTG-TEST-0045 Testing Root Detection platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0227 Debugging Enabled for WebViews platform:android profile:R newstatus:new
MASTG-TEST-0050 Testing Runtime Integrity Checks platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0040 Testing for Debugging Symbols platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0263 Logging of StrictMode Violations platform:android profile:R newstatus:new
MASTG-TEST-0038 Making Sure that the App is Properly Signed platform:android profile:R deprecatedstatus:deprecated
MASTG-TEST-0051 Testing Obfuscation platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0264 Runtime Use of StrictMode APIs platform:android profile:R newstatus:new
MASTG-TEST-0046 Testing Anti-Debugging Detection platform:android profile:R update-pendingstatus:update-pending
MASTG-TEST-0039 Testing whether the App is Debuggable platform:android profile:R deprecatedstatus:deprecated
MASTG-TEST-0265 References to StrictMode APIs platform:android profile:R newstatus:new
MASTG-TEST-0001 Testing Local Storage for Sensitive Data platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0003 Testing Logs for Sensitive Data platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0262 References to Backup Configurations Not Excluding Sensitive Data platform:android profile:L1 profile:L2 profile:P newstatus:new
MASTG-TEST-0005 Determining Whether Sensitive Data Is Shared with Third Parties via Notifications platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0202 References to APIs and Permissions for Accessing External Storage platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0011 Testing Memory for Sensitive Data platform:android profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0207 Data Stored in the App Sandbox at Runtime platform:android profile:L2 newstatus:new
MASTG-TEST-0203 Runtime Use of Logging APIs platform:android profile:L1 profile:L2 profile:P newstatus:new
MASTG-TEST-0009 Testing Backups for Sensitive Data platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0004 Determining Whether Sensitive Data Is Shared with Third Parties via Embedded Services platform:android profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0201 Runtime Use of APIs to Access External Storage platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0231 References to Logging APIs platform:android profile:L1 profile:L2 profile:P newstatus:new
MASTG-TEST-0200 Files Written to External Storage platform:android profile:L1 profile:L2 newstatus:new
MASTG-TEST-0012 Testing the Device-Access-Security Policy platform:android profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0006 Determining Whether the Keyboard Cache Is Disabled for Text Input Fields platform:android profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0216 Sensitive Data Not Excluded From Backup platform:android profile:L1 profile:L2 profile:P newstatus:new
MASTG-TEST-0254 Dangerous App Permissions platform:android profile:P newstatus:new
MASTG-TEST-0255 Permission Requests Not Minimized platform:android profile:P placeholderstatus:placeholder
MASTG-TEST-0256 Missing Permission Rationale platform:android profile:P placeholderstatus:placeholder
MASTG-TEST-0206 Sensitive Data in Network Traffic Capture platform:android profile:P newstatus:new
MASTG-TEST-0257 Not Resetting Unused Permissions platform:android profile:P placeholderstatus:placeholder
MASTG-TEST-0268 References to APIs Allowing Fallback to Non-Biometric Authentication platform:ios profile:L2 newstatus:new
MASTG-TEST-0271 Runtime Use Of APIs Detecting Biometric Enrollment Changes platform:ios profile:L2 newstatus:new
MASTG-TEST-0270 References to APIs Detecting Biometric Enrollment Changes platform:ios profile:L2 newstatus:new
MASTG-TEST-0269 Runtime Use Of APIs Allowing Fallback to Non-Biometric Authentication platform:ios profile:L2 newstatus:new
MASTG-TEST-0267 Runtime Use Of Event-Bound Biometric Authentication platform:ios profile:L2 newstatus:new
MASTG-TEST-0064 Testing Biometric Authentication platform:ios profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0266 References to APIs for Event-Bound Biometric Authentication platform:ios profile:L2 newstatus:new
MASTG-TEST-0072 Testing App Extensions platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0078 Determining Whether Native Methods Are Exposed Through WebViews platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0071 Testing UIActivity Sharing platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0057 Checking for Sensitive Data Disclosed Through the User Interface platform:ios profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0075 Testing Custom URL Schemes platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0077 Testing WebView Protocol Handlers platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0073 Testing UIPasteboard platform:ios profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0277 Sensitive Data in the iOS General Pasteboard at Runtime platform:ios profile:L2 newstatus:new
MASTG-TEST-0076 Testing iOS WebViews platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0279 Pasteboard Contents Not Expiring platform:ios profile:L2 newstatus:new
MASTG-TEST-0069 Testing App Permissions platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0059 Testing Auto-Generated Screenshots for Sensitive Information platform:ios profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0070 Testing Universal Links platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0280 Pasteboard Contents Not Restricted to Local Device platform:ios profile:L2 newstatus:new
MASTG-TEST-0278 Pasteboard Contents Not Cleared After Use platform:ios profile:L2 newstatus:new
MASTG-TEST-0276 Use of the iOS General Pasteboard platform:ios profile:L2 newstatus:new
MASTG-TEST-0056 Determining Whether Sensitive Data Is Exposed via IPC Mechanisms platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0080 Testing Enforced Updating platform:ios profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0087 Make Sure That Free Security Features Are Activated platform:ios profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0229 Stack Canaries Not enabled platform:ios profile:L2 newstatus:new
MASTG-TEST-0228 Position Independent Code (PIC) not Enabled platform:ios profile:L2 newstatus:new
MASTG-TEST-0085 Checking for Weaknesses in Third Party Libraries platform:ios profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0079 Testing Object Persistence platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0086 Memory Corruption Bugs platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0230 Automatic Reference Counting (ARC) not enabled platform:ios profile:L2 newstatus:new
MASTG-TEST-0275 Dependencies with Known Vulnerabilities in the App's SBOM platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0273 Identify Dependencies with Known Vulnerabilities by Scanning Dependency Managers Artifacts platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0214 Hardcoded Cryptographic Keys in Files platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0062 Testing Key Management platform:ios profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0213 Use of Hardcoded Cryptographic Keys in Code platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0211 Weak Hashing Algorithms platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0210 Weak Encryption Algorithms platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0063 Testing Random Number Generation platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0209 Inappropriate Key Sizes platform:ios profile:L1 profile:L2 newstatus:new
MASTG-TEST-0061 Verifying the Configuration of Cryptographic Standard Algorithms platform:ios profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0066 Testing the TLS Settings platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0068 Testing Custom Certificate Stores and Certificate Pinning platform:ios profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0065 Testing Data Encryption on the Network platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0067 Testing Endpoint Identity Verification platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0219 Testing for Debugging Symbols platform:ios profile:R newstatus:new
MASTG-TEST-0240 Jailbreak Detection in Code platform:ios profile:R newstatus:new
MASTG-TEST-0088 Testing Jailbreak Detection platform:ios profile:R deprecatedstatus:deprecated
MASTG-TEST-0220 Usage of Outdated Code Signature Format platform:ios profile:R newstatus:new
MASTG-TEST-0093 Testing Obfuscation platform:ios profile:R update-pendingstatus:update-pending
MASTG-TEST-0092 Testing Emulator Detection platform:ios profile:R update-pendingstatus:update-pending
MASTG-TEST-0083 Testing for Debugging Symbols platform:ios profile:R deprecatedstatus:deprecated
MASTG-TEST-0081 Making Sure that the App Is Properly Signed platform:ios profile:R deprecatedstatus:deprecated
MASTG-TEST-0261 Debuggable Entitlement Enabled in the entitlements.plist platform:ios profile:R newstatus:new
MASTG-TEST-0091 Testing Reverse Engineering Tools Detection platform:ios profile:R update-pendingstatus:update-pending
MASTG-TEST-0084 Testing for Debugging Code and Verbose Error Logging platform:ios profile:R update-pendingstatus:update-pending
MASTG-TEST-0246 Runtime Use of Secure Screen Lock Detection APIs platform:ios profile:L2 newstatus:new
MASTG-TEST-0241 Runtime Use of Jailbreak Detection Techniques platform:ios profile:R newstatus:new
MASTG-TEST-0089 Testing Anti-Debugging Detection platform:ios profile:R update-pendingstatus:update-pending
MASTG-TEST-0090 Testing File Integrity Checks platform:ios profile:R update-pendingstatus:update-pending
MASTG-TEST-0082 Testing whether the App is Debuggable platform:ios profile:R deprecatedstatus:deprecated
MASTG-TEST-0248 References to APIs for Detecting Secure Screen Lock platform:ios profile:L2 newstatus:new
MASTG-TEST-0055 Finding Sensitive Data in the Keyboard Cache platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0052 Testing Local Data Storage platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0215 Sensitive Data Not Excluded From Backup platform:ios profile:L1 profile:L2 profile:P newstatus:new
MASTG-TEST-0053 Checking Logs for Sensitive Data platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0060 Testing Memory for Sensitive Data platform:ios profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0058 Testing Backups for Sensitive Data platform:ios profile:L1 profile:L2 update-pendingstatus:update-pending
MASTG-TEST-0054 Determining Whether Sensitive Data Is Shared with Third Parties platform:ios profile:L1 profile:L2 deprecatedstatus:deprecated
MASTG-TEST-0281 Undeclared Known Tracking Domains platform:ios profile:P newstatus:new