Skip to content

Releases: OWASP/owasp-mastg

v1.7.0

31 Oct 08:36
7172dfa
Compare
Choose a tag to compare

MASTG Refactor Part 2: Techniques, Tools & Reference Apps: This release introduces the second phase of the MASTG (Mobile Application Security Testing Guide) refactor. These changes aim to enhance the usability and accessibility of the MASTG.

The primary focus of this new refactor is the reorganization of the MASTG content into different components, each housed in its dedicated section/folder and existing now as individual pages in our website (markdown files with metadata/frontmatter in GitHub):

image

image

NOTE: You may find broken links on the website and in the PDF/eBook. This is a consequence of these massive changes and we expect to be able to fix them soon.

  • Tests:

    • Website: Tests section.
    • GitHub: tests/ folder.
    • Identified by IDs in the format MASTG-TEST-XXXX.
    • Includes all tests originally in:
      • 0x05d/0x06d-Testing-Data-Storage.md
      • 0x05e/0x06e-Testing-Cryptography.md
      • 0x05f/0x06f-Testing-Local-Authentication.md
      • 0x05g/0x06g-Testing-Network-Communication.md
      • 0x05h/0x06h-Testing-Platform-Interaction.md
      • 0x05i/0x06i-Testing-Code-Quality-and-Build-Settings.md
      • 0x05j/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
    • ⚠️ IMPORTANT (TODO): These tests are still the original MASTG v1.6.0 tests. We will progressively split them into smaller tests, the so-called "atomic tests" in MASTG v2 and assign the new MAS profiles accordingly.
  • Techniques:

    • Website: Techniques section.
    • GitHub: techniques/ folder.
    • Identified by IDs in the format MASTG-TECH-XXXX.
    • Includes all techniques originally in:
      • 0x05b/0x06b-Basic-Security_Testing.md
      • 0x05c/0x06c-Reverse-Engineering-and-Tampering.md
  • Tools:

    • Website: Tools section.
    • GitHub: tools/ folder.
    • Identified by IDs in the format MASTG-TOOL-XXXX.
    • Includes all tools from:
      • 0x08a-Testing-Tools.md
  • Apps:

    • Website: Apps section.
    • GitHub: apps/ folder.
    • Identified by IDs in the format MASTG-APP-XXXX.
    • Includes all apps from:
      • 0x08b-Reference-Apps.md

We hope that the revamped structure enables you to navigate the MASTG more efficiently and access the information you need with ease. See below for a detailed list of changes.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for this new OWASP MASTG refactoring phase and for continuing spreading the word about the OWASP MAS project.

We'd also like to thank our new MAS Advocate applicants for waiting patiently while we get everything ready behind the scenes for them to help us efficiently.

💙 Thanks to Zimperium for their generous donation!


Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project


NOTE: the OWASP MASTG v1.7.0 relies on the latest MASVS v2.0.0

Help us improve! questions | ideas | contact


What's Changed

📢 News

🧪 MASTG Test Cases

📖 MASTG Testing Fundamentals

✨ MASTG Testing Techniques

🪄 MASTG Testing Tools

  • Replace Passionfruit with Grapefruit by @lihter in #2451
  • Update r2frida guide examples to use : instead of \ for command start by @Shiva953 in #2450

📜 Mobile Security Checklists

🎉 New Donators

Other Changes

New Contributors

Full Changelog: v1.6.0...v1.7.0

v1.6.0

08 May 10:20
1271f4b
Compare
Choose a tag to compare

Following up on the OWASP MASVS v2.0.0 Release we're excited to announce the release of the new OWASP MASTG version v1.6.0. This update includes a range of new features, including the first phase of the MASTG refactoring, MASVS color-coding, upgraded MAS Checklists (for OWASP MASVS v2.0.0 + MASTG v1.6.0), and much more. See below for a detailed list of changes.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MASTG refactoring, the OWASP MAS website and this MASTG v1.6.0 release and for continuing spreading the word about the OWASP MAS project.

💙 Thanks to dvuln, eShard, OHRUS and devoteam Cyber Trust for their generous donations!


Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project


NOTE: the OWASP MASTG v1.6.0 relies on the latest MASVS v2.0.0

Help us improve! questions | ideas | contact


What's Changed

📢 News

Introducing the MASVS v2 Colors

We're bringing official colors to the MASVS! The new colors will be used across the MASVS v2.0.0 and MASTG v2.0.0 to help users quickly identify the different control groups. We've also revamped certain areas of our website to make them more readable and easier to navigate as well as to prepare for what's coming with the MASTSG v2.0.0 (keyword: "atomic tests").

masvs_colors

MASVS

In the MASVS home page, the new colors will be used to highlight the different control groups.

masvs_home

The individual controls will also be color-coded to help users quickly identify the different control groups. We've also redesigned the control pages to make them more readable and easier to navigate.

masvs_control

MASTG

Now, when you navigate to the MASTG tests, you'll see that they are categorized by platform (Android/iOS) as well as by MASVS category, also using our new colors in the sidebar. The colors will also be used to highlight the different control groups in the test description.

Each test now contains a header section indicating the platform, the MASVS v1.5.0 controls, and the MASVS v2.0.0 controls.

mastg_test

We've also introduced a new section called "Resources" which is automatically generated using the inline links within the MASTG pages and serve as a quick reference to the most important resources for each test.

NOTE: The MASTG tests themselves haven't changed yet, we're still working on the refactoring. For now we've simply split the tests into individual pages to make them easier to navigate and reference. This will facilitate the work on the refactoring and the introduction of the new atomic tests.

MAS Checklist

The MAS Checklist pages and the MAS checklist itself have also been updated to use the new colors to highlight the different control groups and to make them easier to navigate.

checklist_home

When you click on a MASVS group you'll see a table listing the new MASVS v2.0.0 controls as well as the corresponding MASTG tests (v1.5.0) for both the Android and the iOS platforms.

checklist_detail

NOTE: The checklist contains the old MASVS v1 verification levels (L1, L2 and R) which we are currently reworking into "security testing profiles". The levels were assigned according to the MASVS v1 ID that the test was previously covering and might differ in the upcoming version of the MASTG and MAS Checklist.

For the upcoming of the MASTG version we will progressively split the MASTG tests into smaller tests, the so-called "atomic tests" and assign the new MAS profiles accordingly.


We hope you like the new colors and the changes we've made to the website. We're looking forward to your feedback! Please use our GitHub Discussions to post any questions or ideas you might have. If you see something wrong please let us know by opening a bug issue.

More News

🧪 MASTG Test Cases

  • Add static analysis details for Android keyboard cache by @DIvanov503 in #2254
  • Recommend Using conscrypt for Old Android API Levels by @rlatapy-luna in #2340
  • Deprecate Fragment Injection Test for MSTG-PLATFORM-2 by @cpholguera in #2328
  • Proofreading fixes 0x05d part 1 by @Laancelot in #2351
  • Proofreading fixes 0x05d part 2 by @Laancelot in #2358
  • Add Test for Android Pending Intents to 0x05h by @su-vikas in #2300
  • Add Test for Implicit Intent Injection (MSTG-PLATFORM-2) by @LukasMarckmiller in #2056
  • Add codesign/ldid to the test Determining Whether the App is Debuggable (MSTG-CODE-2) by @sohsatoh in #2296
  • Add otool command to 0x06i-Testing-Code-Quality-and-Build-Settings.md by @rsenet in #2362
  • [Phase 1] Refactor 0x05h-Testing-Platform-Interaction.md (@nowsecure) by @angrymuffinx in #2286
  • [Phase 1] Refactor 0x06j-Testing-Resiliency-Against-Reverse-Engineering.md by @iotaaxel in #2321
  • [Phase 1] Refactor 0x0**-Testing-Code-Quality.md by @cpholguera in #2381
  • [Phase 1] Refactor 0x06h-Testing-Platform-Interaction.md by @TheDauntless in #2380
  • [Phase 1] Refactor 0x0**-Testing-Resiliency-Against-Reverse-Engineering.md by @sushi2k in #2382
  • [Phase 1] Refactor 0x0**-Local-authentication.md by @TheDauntless in #2377
  • [Phase 1] Refactor 0x0**-Testing-Network-Communication.md by @sushi2k in #2378
  • [Phase 1] Refactor 0x0**-Testing-Cryptography.md by @sushi2k in #2372
  • [Phase 1] Refactor 0x0**-Testing-Data-Storage.md by @cpholguera in #2379

📖 MASTG Testing Fundamentals

✨ MASTG Testing Techniques

  • Proofreading fixes part ...
Read more

v1.5.0

06 Sep 14:56
3b9278f
Compare
Choose a tag to compare

We've been very busy with the OWASP MASVS refactoring but we're very excited to be able to bring you the new OWASP MASTG in its version v1.5.0 including loads of news including new Test Cases, Testing Fundamentals, upgraded MAS Checklists and many more, see below.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MAS rebranding, the brand new OWASP MAS website and this MASTG v1.5.0 release and for continuing spreading the word about the OWASP MAS project.


Carlos Holguera & Sven Schleier - OWASP MAS project


NOTE: the OWASP MASTG v1.5.0 relies on the latest MASVS v1.4.2


What's Changed

📢 News

New "Trusted By" Section & CREST OVS

trusted-by-logos

Introducing the "MAS Advocate" Status

image

Add Google's ADA MASA

Screenshot 2022-09-06 at 10 20 22

Project Rebranding to OWASP MAS

mas-rebranding

twitter-rename

OWASP MAS New Website

mas_new_website

🧪 MASTG Test Cases

📖 MASTG Testing Fundamentals

✨ MASTG Testing Techniques

🪄 MASTG Testing Tools

⚡ Automation

📜 MAS Checklists

  • Increase Checklist Test Coverage Including Tests from the 0x04* Chapters by @fujiokayu in #2085
  • Add Common Test Case Column to Checklist by @cpholguera in #2208

Checklist test coverage changes: removed (2) added (13) updated (51)

🎉 New Donators

🐞 Errata Corrections

Other Changes

New Contributors

Read more

v1.4.0

21 Jan 13:10
b04750a
Compare
Choose a tag to compare

What's Changed

OWASP Mobile App Security Checklists

The highly anticipated OWASP Mobile App Security Checklists are back including very exciting news.

checklists_update

New Features of the MASVS Checklists

  • Completely automated: generated from scratch using openpyxl.
  • Multi-language: now available in all 13 MASVS languages.
  • Always up-to-date: from now on released with every new MSTG version & always using the latest MASVS.
  • New clean design: consistent with our new identity.
  • Simpler structure: all MASVS categories in one sheet.
  • Traceable: include exact MASVS and MSTG versions and commit IDs.

checklists_features

Using the Checklists

  • Use the "Status" column to:
    • Discard controls by selecting N/A
    • Set the result of a test by selecting Pass or Fail.
  • Add more columns or sheets as you wish or need. For instance:
    • Duplicate & rename sheet to test for different platforms.
    • Simply copy & paste the "Status" column to cover additional platforms (rename title accordingly).

Feedback

Your feedback is essential for the development of the project. If you have any comments or new ideas please post them here:

https://github.com/OWASP/owasp-mstg/discussions/new?category=ideas

Other Changes

New Contributors

Full Changelog: v1.3.0...v1.4.0

v1.3.0

23 Dec 11:03
c7d61c2
Compare
Choose a tag to compare

What's Changed

Changes in MSTG Content

Errata Corrections (typos & more)

New Donators

Other Changes

New Contributors

Full Changelog: v1.2.1...v1.3.0

v1.2.1

23 Dec 09:41
12d9ffd
Compare
Choose a tag to compare

What's Changed

Minor release without relevant content changes.

Full Changelog: v1.2...v1.2.1

v1.2

25 Jul 22:47
Compare
Choose a tag to compare

Changelog

OWASP MSTG - Release v1.2 - 25th July 2021

167 issues were closed since the last release. A full overview can be seen in Github Issues https://github.com/OWASP/owasp-mstg/issues?q=is%3Aissue+is%3Aclosed+closed%3A2019-08-03..2021-07-25.

326 pull requests were merged since the last release. A full overview can be seen in Github Pull Requests https://github.com/OWASP/owasp-mstg/pulls?q=is%3Apr+is%3Aclosed+closed%3A2019-08-03..2021-07-25

Major changes include:

  • Migrating the new document build pipeline from MASVS to MSTG. This allows us to build consistently the whole OWASP MSTG documents (PDF, docx etc.) in minutes, without any manual work.
  • Besides numerous changes for the test cases we have a new Crackme - Android Level 4 https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android/Level_04 and also new write-ups for the Crackmes.
  • We removed all references to Needle and IDB tool, as both tools are outdated.
  • References of OWASP Mobile Top 10 and MSTG-IDs are completely moved to MASVS
  • Reworking of information gathering (static analysis) for Android Apps
  • Update of Biometric Authentication for Android Apps
  • New content and updates in the Android and iOS Reverse Engineering and Tampering chapters
  • 3 new iOS Reverse Engineering test cases
  • Translations of the MSTG are linked to the respective forks but are not part of the MSTG anymore
  • Updated English, Japanese, French, Korean and Spanish checklists to be compatible with MSTG 1.2
  • Updated Acknowledgments, with 1 new co-author and contributor
  • Added JNI Tracing for Android
  • Added dsdump for dumping Objective-C and Swift content
  • Added the procedure to sign the debugserver for iOS 12 and higher
  • Added dependency-check to verify for vulnerabilities in libraries added by iOS package managers
  • Added getppid as debugger detection (iOS)
  • Added Domain/URL Enumeration in APKs
  • Added introduction into Network.framework (iOS)
  • Added UnSAFE Bank iOS Application
  • Added information on SECCOMP (Android)
  • Added native and java method tracing (Android)
  • Added Android library injection
  • Added Android 10 TLS and cryptography updates
  • Updated code obfuscation for Android and iOS
  • Added test case for Reverse Engineering Tools Detection - MSTG-RESILIENCE-4 (iOS)
  • Added test case for Emulator Detection - MSTG-RESILIENCE-5 (iOS)
  • Added an example with truststore to bypass cert pinning (Android)
  • Added content to information gathering using frida (Android)
  • Added Sec Consult, RandoriSec and OWASP Bay area as donators
  • Added basic information gathering for Android and iOS
  • Added Simulating a Man-in-the-Middle Attack with an Access Point
  • Added gender neutrality to the MSTG
  • Extended section about dealing with Xamarin Apps
  • Updated all picture links (img tags) to be in markdown syntax
  • Updated iTunes limitations and usage since macOS Catalina
  • Added Emulation-based Analysis (iOS and Android)
  • Added Debugging iOS release applications using lldb
  • Added Korean translation of the checklist
  • Updated symbolic execution content (Android)
  • Added Ghidra for Android Reverse Engineering
  • Added section on Manual (Reversed) Code Review for iOS
  • Added explanation of more Frida APIs (iOS and Android)
  • Added Apple CryptoKit
  • Updated and simplified Frida detection methods
  • Added introduction to setup and disassembling for iOS Apps
  • Updated section about frida-ios-dump
  • Added gplaycli (Android)
  • Extended section on how to retrieve UDI (iOS)
  • Added new companies in the Users.md list with companies applying the MSTG/MASVS
  • Updated partially code samples to Swift 5
  • Adding Process Exploration (Android and iOS)
  • Updated best practices for passwords, added "Have I Been Pwned"
  • Updated SSL Pinning fallback methods
  • Updated app identifier (Android and iOS)
  • Updated permission changes for Android O, P and Q
  • Updated Broadcast Receiver section (Android)

Several other minor updates include fixing typos and markdown lint errors and updating outdated links.

We thank you all contributors for the hard work and continuously improving the document and the OWASP MSTG project!

Intermediate update 1.1.3-excel

11 Aug 19:43
25c580c
Compare
Choose a tag to compare

Intermediate update (1.1.3-excel). See CHANGELOG.md for updates on intermediate update releases.

Intermediate update 1.1.3 (OSS Release)

04 Aug 06:37
bb4b037
Compare
Choose a tag to compare

What's Changed

  • Updated Acknowledgments, with 2 new co-authors.
  • Translated various parts into Japanese.
  • A large restructuring of the general testing, platform specific testing and reverse-engineering chapters.
  • Updated description of many tools: Adb, Angr, APK axtractor, Apkx, Burp Suite, Drozer, ClassDump(Z/etc), Clutch, Drozer, Frida, Hopper, Ghidra, IDB, Ipa Installer, iFunBox, iOS-deploy, KeychainDumper, Mobile-Security-Framework, Nathan, Needle, Objection, Magisk, PassionFruit, Radare 2, Tableplus, SOcket CAT, Xposed, and others.
  • Updated most of the iOS hacking/verification techniques using iOS 12 or 11 as a base instead of iOS 9/10.
  • Removed tools which were no longer updated, such as introspy-Android and AndBug.
  • Added missing MASVS references from version 1.1.4: v1.X, V3.5, V5.6, V6.2-V6.5, V8.2-V8.6.
  • Rewrote device-binding explanation and testcases for Android.
  • Added parts on testing unmanaged code in Objective-C, Java, and C/C++.
  • Applied many spelling, punctuation and style-related fixes.
  • Updated many cryptography related parts.
  • Added testaces for upgrade-mechanism verification for apps.
  • Updated Readme, Code of Conduct, Contribution guidelines, verification, funding link, and generation scripts.
  • Added ISBN as the book is now available at Lulu.
  • Added various fixes for the .epub format.
  • Added testcases on Android and iOS backup verification.
  • Improved key-attestation related explanation for Android.
  • Restructured OWASP Mobile Wiki.
  • Removed Yahoo Weather app and simplified reference on using SQL injection.
  • Improve explanation for iOS app sideloading to include various available methods.
  • Added explanation on using ADB and device shell for Android.
  • Added explanation on using device shell for iOS.
  • Provided comparison for using emulators/simulators and real devices for iOS/Android.
  • Fixed Uncrackable Level 3 for Android.
  • Improved explanation on how to exfiltrate data and apps on iOS 12 and Android 8.
  • Improved/updated explanation on SSL-pinning.
  • Added list of adopters of the MASVS/MSTG.
  • Updated English, Japanese, French and Spanish checklists to be compatible with MSTG 1.1.2.
  • Added a small write-up on Adiantum for Google.
  • Added MSTG-ID to the paragraphs to create a link between MSTG paragraphs and MASVS requirements.
  • Added review criteria for Android instant apps and guidance for app-bundle evaluation.
  • Clarified the differences between various methods of dynamic analysis.

Intermediate update 1.1.2: Excel edition!

02 Aug 10:09
2524fd0
Compare
Choose a tag to compare

This is a special release with the new compliance lists for 1.1.2 only. Grab them while they're hot!