v1.8.0
v1.8.0 Release Notes
This release spans October 2023 – December 2024 and lays the groundwork for MASTG v2: new component types (MASWE Weaknesses, MASTG Demos, MASTG Best Practices), a cross-reference system linking all MAS components, the first wave of v1→v2 test ports (by Guardsquare), and MASVS v2.1.0 with the new MASVS-PRIVACY category.
The period opened with a major standards milestone: the MASVS-PRIVACY proposal in October 2023, introducing four new privacy controls (MASVS-PRIVACY-1 through -4) and the MAS-P profile for holistic privacy assessment alongside security. After community review, MASVS v2.1.0 shipped in January 2024 with MASVS-PRIVACY formally included and CycloneDX/SBOM support added, enabling easier integration into DevSecOps pipelines.
External adoption continued to grow: in February 2024, the Cyber Security Agency of Singapore (CSA) published its "Safe App Standard", a national guideline for mobile app security based directly on the OWASP MASVS, covering MASVS-AUTH, MASVS-STORAGE, and MASVS-RESILIENCE.
The architectural highlight of the release came in July 2024 with the public introduction of MASWE — the Mobile App Security Weakness Enumeration. MASWE fills the gap between the high-level MASVS controls and the low-level MASTG tests, completing the full chain: MASVS control → MASWE weakness → MASTG test → MASTG demo. This release also introduced the MAS Test Apps (Android and iOS), purpose-built skeleton apps that embed code samples directly to make every demo reproducible and verifiable on a real device.
🏔️ OWASP Project Summit 2024
In November 2024, we hosted the OWASP Project Summit, where NowSecure led the mobile app security track. This five-day event brought together experts from various companies to discuss the future of mobile security, share insights, and collaborate on innovative solutions. During the summit, approximately 40 pull requests were created, and countless discussions were held. Special thanks to Jeroen Beckers (@TheDauntless) and especially to Guardsquare, who contributed the majority of PRs: Dennis Titze (@titze), Jan Seredynski (@serek8), Nuno Antunes (@nmsa), and Pascal Jungblut (@pascalj), with reviews by @cpholguera and @TheDauntless. This was a key moment for the MASTG v2 porting effort.
📢 News
- MASVS v2.1.0 released including the new MASVS-PRIVACY category by @cpholguera — #2513
- CSA publishes a standard for Secure Transactions via Mobile Applications based on the OWASP MASVS by @cpholguera — #2562
- Mobile Application Risk Scoring Q&A by @cpholguera — #2479
- New talks: OWASP AppSec US 2023 — #2466, #2469; 2024 H1 by @cpholguera — #2651
- New blog posts by @cpholguera — #2845, #2846
🆕 New MASTG v2 Components
🐛 MASWE — MAS Weaknesses
Note: MASWE started in this repo but was later moved to OWASP/maswe as a separate project (see v1.9.0 release notes).
A new component type linking MASVS controls to testable weaknesses. First entries added this release:
- [MASWE-0001, MASWE-0027, MASWE-0108] Initial MAS Weaknesses preview by @cpholguera — #2518
- [MASWE-0004] Sensitive Data Not Excluded From Backup by @serek8 — #2866
- [MASWE-0005] Sensitive Data Hardcoded in the App Package by @juanmanuelmartinez-dekra — #2565
- [MASWE-0006] Sensitive Data Stored Unencrypted in Private Storage Locations by @thomascannon — #2566
- [MASWE-0007] Sensitive Data Stored Unencrypted in Shared Storage Requiring No User Interaction by @serek8 — #2594
- [MASWE-0009] Weak Cryptographic Key Generation (by @appknox) by @sk3l10x1ng — #2849
- [MASWE-0014] Cryptographic Keys Not Properly Protected at Rest by @cpholguera — #2781
- [MASWE-0019] Potentially Weak Cryptography Implementations by @jmariasantosdekra — #2863
- MASWE-PRIVACY weaknesses (by @google MASA and @nowsecure) by @annab-google — #2860
- Additional draft MASWE entries by @cpholguera — #2687
🎬 MASTG Demos
A new component type providing concrete, reproducible test demonstrations with real app binaries:
- Android demo APK build pipeline via GitHub Actions (by @nowsecure) by @cpholguera — #2830
- [MASTG-DEMO-0014, MASTG-DEMO-0015, MASTG-DEMO-0016] Hardcoded cryptographic keys demos (by @nowsecure) by @cpholguera — #2879
- Refactored r2-based demos for consistency; added AI-decompiled code output (by @nowsecure) by @cpholguera — #2925
- Demos disclaimer added by @cpholguera — #2837
🛡️ MASTG Best Practices
A new component type providing actionable remediation guidance (previously called "Mitigations"):
- Initial Best Practices / Mitigations framework by @cpholguera — #3081
- Renamed from "mitigations" to "best-practices" by @cpholguera — #3085
- Refactored MASVS-RESILIENCE best practices by @cpholguera — #3092
🧪 MASTG Tests
v1 → v2 Ports (by @Guardsquare)
First wave of tests ported to the new v2 format with structured metadata, demos and evaluation criteria:
- [MASTG-TEST-0001] by @serek8 — #3040
- [MASTG-TEST-0003] by @serek8 — #3059
- [MASTG-TEST-0013] by @nmsa — #3033
- [MASTG-TEST-0019] by @titze — #3030
- [MASTG-TEST-0020] by @titze — #3027
- [MASTG-TEST-0038] by @titze — #3044
- [MASTG-TEST-0039] by @titze — #3042
- [MASTG-TEST-0044] by @titze — #3049
- [MASTG-TEST-0081] by @pascalj — #3034
- [MASTG-TEST-0083] by @pascalj — #3029
- [MASTG-TEST-0087] by @titze — #3056
New v2 Tests
- [MASTG-TEST-0210, MASTG-TEST-0211, MASTG-DEMO-0014, MASTG-DEMO-0015, MASTG-DEMO-0016] Hardcoded cryptographic keys (by @nowsecure) by @cpholguera — #2879
- [MASTG-TEST-0210] Hardcoded Cryptographic Keys in Code (by @appknox) by @ScreaMy7 — #2869
- [MASTG-TEST-0231] Weak encryption modes (Android) (by @nowsecure) by @cpholguera — #3079
Updates & Fixes
- Replace Google SafetyNet with Play Integrity API by @EdilsonGalvao — #2371
- MASTG-TEST-0038: updated with new recommendations and v4 (by @nowsecure) by @cpholguera — #2909
- MASTG-TEST-0016: restrict SecureRandom no-args constructor by @truerick — #2621
- MASTG-TEST-0023: add Frida as alternative to Xposed by @JJK96 — #2918
Deprecations
- Add deprecation notes and status for MASTG v1 tests by @cpholguera — #3089
- Remove MASTG-TEST-0074 (coverage duplicated by other tests) by @cpholguera — #2556
✨ MASTG Techniques
- [MASTG-TECH-0005] Expand APK installation: repackaged apps, split APKs and more by @TheDauntless — #2654
- [MASTG-TECH-0056] Update IPA installation to use Sideloadly by @TheDauntless — #2655
- [MASTG-TECH-0111] Analyzing entitlements by @TheDauntless — #2884
- Add connecting Burp via HTTP Toolkit by @umair-villanio — #2897
- Fix iOS patching technique by @cpholguera — #2601
- Update IPA patching by @sushi2k — #2907
- Added iOS & Android Flutter reverse engineering technique and tool (by @appknox) by @sk3l10x1ng — #2600
- Updated Decrypting Realm Databases (Android and iOS) by @R3zk0n — #2570
- Update MASTG-TECH-0054 by @sushi2k — #2906
🪄 MASTG Tools
New tools:
- [MASTG-TOOL-0102] ios-app-signer (by @appknox) by @sk3l10x1ng — #2612
- [MASTG-TOOL-0103] uber-apk-signer by @cpholguera — #2782
- [MASTG-TOOL-0104] hermes-dec (React Native static analysis) by @saulpanders — #2798
- [MASTG-TOOL-0105] ipsw by @TheDauntless — #2848
- [MASTG-TOOL-0106] Fridump by @TheDauntless — #2848
- [MASTG-TOOL-0107] jnitrace by @TheDauntless — #2848
- [MASTG-TOOL-0108] Corellium by @TheDauntless — #2848
- [MASTG-TOOL-0109] Nope Proxy (by @appknox) by @sk3l10x1ng — #2868
- [MASTG-TOOL-0110] Semgrep by @cpholguera — #2871
- [MASTG-TOOL-0112] pidcat (by @appknox) by @sk3l10x1ng — #2895
- [MASTG-TOOL-0114] codesign by @cpholguera — #2609
- [MASTG-TOOL-0115] HTTP Toolkit (by @appknox) by @ScreaMy7 — #2901
- [MASTG-TOOL-0116] Blutter (Flutter analysis, by @appknox) by @ScreaMy7 — #2881
- [MASTG-TOOL-0125] ApkLeaks (by @appknox) by @jeel38 — #3052
- bagbak added as alternative to [MASTG-TOOL-0050] (frida-ios-dump) by @lihter — #2461
New apps:
- [MASTG-APP-0016] Finstergram (vulnerable Android app) by @flwi-nl — #2625
- [MASTG-APP-0028] iGoat-Swift by @TheDauntless — #2848
Updates:
- ssl-kill-switch updated v2 → v3 (by @appknox) by @ScreaMy7 — #2571
- [MASTG-TOOL-0015] drozer: updated content, removed outdated references by @cyberMilosz — #2614
- [MASTG-TOOL-0056] Keychain-Dumper: updated to new repo (by @NVISOsecurity) by @TheDauntless — #3091
- [MASTG-TOOL-0100] Rename to reFlutter by @cpholguera — #2827
- [MASTG-TOOL-0108] Corellium: benefits and limitations detail by @cpholguera — #2834
🏗️ Site & Infrastructure
- Cross-reference system linking all MAS components (tests ↔ weaknesses ↔ demos ↔ tools) by @cpholguera — #2787, #2790; extended by @TheDauntless — #2848
- Flatten MASWE overview and improve navigation by @cpholguera — #2664
- Add tag and datatable support by @cpholguera — #2653
- Merge tables across tests, tools and techniques by @cpholguera — #2805
- Restructure and flatten site navigation by @cpholguera — #2803
- Dockerfile for running the site locally by @cpholguera — #2814
- MAS blog launched by @cpholguera — #2788
- Update Android permissions list to API level 34 by @olivandcode — #2630; API level 35 by @annab-google — #3087
- Add NIST CSWP 33 reference by @cpholguera — #2599
- Updated L1 vs L2 recommendation for MASVS-STORAGE / internal storage by @cpholguera — #2572
🐞 Errata Corrections
- Fix broken links to Reverse Engineering chapter by @cpholguera — #2606, #2607; by @chagemann — #2616
- Fix broken links in MASTG-TEST-0028 by @cpholguera — #2916
- r2frida: use
\instead of:in examples by @trufae — #2618 - r2 scripts: fix system
printfdependency by @trufae — #3070 - Fix broken link in MASWE-0116 by @tinyboxvk — #3068
- Various proofreading fixes (by @appknox) by @sk3l10x1ng — #2551, #2552, #2553, #2554, #2555
🎉 New Donators
- Promon joins as Good Samaritan Donator by @cpholguera — #2900
New Contributors
- @rsporsche — #2511
- @EdilsonGalvao — #2371
- @thornshadow99 — #2463
- @rmRizki — #2475
- @jvirgovic — #2474
- @nitianabhigyan — #2603
- @R3zk0n — #2570
- @chagemann — #2616
- @trufae — #2618
- @flwi-nl — #2625
- @olivandcode — #2630
- @josephkandi — #2624
- @juanmanuelmartinez-dekra — #2565
- @thomascannon — #2566
- @saulpanders — #2798
- @cyberMilosz — #2614
- @umair-villanio — #2897
- @JJK96 — #2918
- @tinyboxvk — #3068
- @kmaschke85 — #3083
Full Changelog: v1.7.0...v1.8.0