v1.9.0

@cpholguera cpholguera released this 24 Jun 08:58
a1e000c

v1.9.0 Release Notes

This release spans January – December 2025 and is the largest in the project's history by volume: over 2,000 commits, dozens of v1→v2 test ports, a complete CWE mapping across all MASVS categories, new knowledge and best practice content, and several major structural milestones — including MASTG v2 graduating from beta, the MAS website moving to its own repository, and Guardsquare joining NowSecure as an OWASP MAS Advocate.

The year opened with the three-year anniversary of NowSecure as an OWASP MAS Advocate, reflecting on more than 320 pull requests, 230 reviews, and 42,000+ additions to the MASTG — a partnership that has been instrumental in driving the v2 refactor forward. Alongside this, the MAS Task Force (launched in February 2024) continued to meet monthly, coordinating the porting effort and shaping the project roadmap.

In May 2025, Guardsquare officially achieved MAS Advocate status — the highest recognition in the project. Their sustained contributions, including the bulk of the v1→v2 test ports in this release, and their key role in the OWASP Project Summit 2024, made them a natural fit. This release contains the most visible result of that commitment: a major wave of tests fully ported to the v2 format by Dennis Titze, Jan Seredynski, Nuno Antunes, and Pascal Jungblut.

The defining technical milestone of the year was the removal of the beta label from MASTG v2 and the deprecation of the legacy PDF format — a signal that the new modular structure is now the primary and stable reference. Alongside this, two major extractions reshaped the project structure: MASWE was temporarily moved to its own OWASP/maswe repository (and later re-integrated), and the MAS website was extracted to OWASP/mas-website, allowing each to evolve independently.


📢 News


🏛️ Major Structural Milestones


🐛 MASWE — MAS Weaknesses

New Weaknesses

CWE Mapping

Complete CWE mapping added across all MASVS categories by @truerick and @poffo-mobisec:


🧪 MASTG Tests

v1 → v2 Ports (by @Guardsquare)

v1 → v2 Ports (by @appknox)

v1 → v2 Ports (community)

New v2 Tests

  • MASTG-TEST-0262, MASTG-TEST-0263: Android backup testing by @cpholguera (#3217)
  • MASTG-TEST-0264, MASTG-TEST-0265: StrictMode detection by @cpholguera (#3246)
  • MASTG-TEST-0278, MASTG-TEST-0279, MASTG-TEST-0280: iOS UIPasteboard by @cpholguera (#3289)
  • iOS ECB insecure encryption modes test and demo by @Diolor (#3547)
  • New Android privacy test case drafts by @cpholguera (#3228)

Updates & Fixes

Deprecations

  • MASTG-TEST-0031: Testing JavaScript Execution in WebViews — deprecated by @cpholguera (#3419)
  • Memory corruption and sensitive data tests deprecated for Android and iOS by @cpholguera (#3506)
  • EncryptedFile / EncryptedSharedPreferences deprecation warnings added by @AndrewScull (#3158)

🎬 MASTG Demos


🛡️ MASTG Best Practices

  • MASTG-BEST-0004: link to security recommendations for backups by @cpholguera (#3118)
  • Enhanced error and exception handling best practices for Android by @cpholguera (#3471)

📖 MASTG Knowledge

  • Split Android and iOS platform security knowledge into distinct sections by @cpholguera (#3413)
  • MASTG-KNOW-0017: updated by @KVVat (#3488)

✨ MASTG Techniques


🪄 MASTG Tools

New tools:

  • [MASTG-TOOL-0129] rabin2 by @cpholguera (#3154)
  • [MASTG-TOOL-0131] PlistBuddy and plistlib by @TheDauntless (#3349)
  • [MASTG-TOOL-0137] GlobalWebInspect, [MASTG-TOOL-0138] ipainstaller, [MASTG-TOOL-0139] ElleKit, [MASTG-TOOL-0140] frida-multiple-unpinning, [MASTG-TOOL-0141] IOSSecuritySuite, [MASTG-TOOL-0142] Choicy by @TheDauntless (#3354)
  • [MASTG-TOOL-0143] badssl.com (network testing) by @cpholguera (#3372)
  • [MASTG-TOOL-0144] gitleaks by @cpholguera (#3467)

New apps:

  • BugBazaar and iBugBazaar (vulnerable Android/iOS apps) by @krutarthshukla (#3192)
  • [MASTG-APP-0031] VulnForum (intentionally vulnerable Android app) by @macik09 (#3514)

Updates:

Deprecations:

  • MASTG-TOOL-0023 (RootCloak), MASTG-TOOL-0046 (Cycript), MASTG-TOOL-0047 (Cydia) deprecated by @TheDauntless (#3354)

⚡ Automation


🏗️ Site & Infrastructure


🐞 Errata Corrections


🎉 New Donators


New Contributors


Full Changelog: v1.8.0...v1.9.0