OWASP Mobile Application Security
MASTG-TECH-0093: Waiting for the debugger
Platform: ios
Last updated: September 29, 2023