v1.9.0 Release Notes
This release spans January – December 2025 and is the largest in the project's history by volume: over 2,000 commits, dozens of v1→v2 test ports, a complete CWE mapping across all MASVS categories, new knowledge and best practice content, and several major structural milestones — including MASTG v2 graduating from beta, the MAS website moving to its own repository, and Guardsquare joining NowSecure as an OWASP MAS Advocate.
The year opened with the three-year anniversary of NowSecure as an OWASP MAS Advocate, reflecting on more than 320 pull requests, 230 reviews, and 42,000+ additions to the MASTG — a partnership that has been instrumental in driving the v2 refactor forward. Alongside this, the MAS Task Force (launched in February 2024) continued to meet monthly, coordinating the porting effort and shaping the project roadmap.
In May 2025, Guardsquare officially achieved MAS Advocate status — the highest recognition in the project. Their sustained contributions, including the bulk of the v1→v2 test ports in this release, and their key role in the OWASP Project Summit 2024, made them a natural fit. This release contains the most visible result of that commitment: a major wave of tests fully ported to the v2 format by Dennis Titze, Jan Seredynski, Nuno Antunes, and Pascal Jungblut.
The defining technical milestone of the year was the removal of the beta label from MASTG v2 and the deprecation of the legacy PDF format — a signal that the new modular structure is now the primary and stable reference. Alongside this, two major extractions reshaped the project structure: MASWE was temporarily moved to its own OWASP/maswe repository (and later re-integrated), and the MAS website was extracted to OWASP/mas-website, allowing each to evolve independently.
📢 News
- NowSecure: 3 years as OWASP MAS Advocate — #3253
- Guardsquare achieves MAS Advocate status by @cpholguera — #3285
- Safe App Standard v2.0 adoption update by @userdehghani — #3254
- New talk: OWASP AppSec US 2024 (San Francisco) by @sushi2k — #3143
- New talk: OWASP AppSec EU 2025 by @sushi2k — #3345
🏛️ Major Structural Milestones
- MASTG v2 exits beta — removed beta status, deprecated legacy PDF format by @cpholguera — #3295
- MASWE temporarily extracted to OWASP/maswe as a dedicated repo, then re-integrated into MASTG by @cpholguera — #3395, #3398, #3400
- MAS Website extracted to OWASP/mas-website by @cpholguera — #3426, #3459
- MAS-P Privacy profile added, covering all MASVS-PRIVACY test cases by @Diolor — #3496
- MAS Testing Profiles applied to all v2 test cases and documented by @cpholguera — #3315, #3483
🐛 MASWE — MAS Weaknesses
New Weaknesses
- [MASWE-0020] Weak Encryption (by @appknox) by @sk3l10x1ng — #2910
- [MASWE-0023] Weak Padding by @jmariasantosdekra — #2922
- [MASWE-0047–0052] New weaknesses by @cpholguera — #2919
- [MASWE-0067] Debuggable Flag Not Disabled (by @appknox) by @ScreaMy7 — #3244
- [MASWE-0076] Dependencies with Known Vulnerabilities (SBOM) by @sushi2k — #2912
- [MASWE-0117] Inadequate Permission Management (by @nowsecure) by @cpholguera — #3119
CWE Mapping
Complete CWE mapping added across all MASVS categories by @truerick and @poffo-mobisec:
- MASVS-AUTH-1 — #3133 · AUTH-2 — #3137 · AUTH-3 — #3138
- MASVS-CRYPTO-1 — #3139 · CRYPTO-2 — #3140
- MASVS-NETWORK-1 — #3141 · NETWORK-2 — #3142
- MASVS-PLATFORM-3 — #3144 · PLATFORM (full) — #3149
- MASVS-STORAGE-1 — #3145 · STORAGE-2 — #3146
- MASVS-CODE — #3152
- MASVS-RESILIENCE — #3151
🧪 MASTG Tests
v1 → v2 Ports (by @Guardsquare)
- MASTG-TEST-0006 by @serek8 — #3055
- MASTG-TEST-0009 by @serek8 — #3028
- MASTG-TEST-0010, MASTG-TEST-0059 by @serek8 — #3112
- MASTG-TEST-0012 by @serek8 — #3113
- MASTG-TEST-0015 by @serek8 — #3525
- MASTG-TEST-0022 by @titze — #3035
- MASTG-TEST-0041 by @titze — #3242
- MASTG-TEST-0052 by @serek8 — #3045
- MASTG-TEST-0053 by @serek8 — #3038
- MASTG-TEST-0054 by @serek8 — #3047
- MASTG-TEST-0055 by @serek8 — #3054
- MASTG-TEST-0058 by @serek8 — #3039
- MASTG-TEST-0073 by @pascalj — #3051
v1 → v2 Ports (by @appknox)
- MASTG-TEST-0024 by @ScreaMy7 — #3076
- MASTG-TEST-0082 by @jeel38 — #3097
- MASTG-TEST-0088 by @sk3l10x1ng — #3073
v1 → v2 Ports (community)
- MASTG-TEST-0004 by @Diolor — #3485
- MASTG-TEST-0005 by @Diolor — #3464
- MASTG-TEST-0008 by @Diolor — #3495
- MASTG-TEST-0014 (by @nowsecure) by @cpholguera — #3551
- MASTG-TEST-0021 by @sydseter — #3255
- MASTG-TEST-0023 (by @nowsecure) by @cpholguera — #3423
- MASTG-TEST-0032 (by @nowsecure) by @cpholguera — #3177
- MASTG-TEST-0040 (by @nowsecure) by @cpholguera — #3417
- MASTG-TEST-0042, MASTG-TEST-0085, MASWE-0076 — Dependencies with Known Vulnerabilities (SBOM) by @sushi2k — #2912
- MASTG-TEST-0061, MASTG-TEST-0062 by @sydseter — #3194
- MASTG-TEST-0063 (by @nowsecure) by @cpholguera — #3521
- MASTG-TEST-0064 by @serek8 — #3256
New v2 Tests
- MASTG-TEST-0262, MASTG-TEST-0263: Android backup testing by @cpholguera — #3217
- MASTG-TEST-0264, MASTG-TEST-0265: StrictMode detection by @cpholguera — #3246
- MASTG-TEST-0278, MASTG-TEST-0279, MASTG-TEST-0280: iOS UIPasteboard by @cpholguera — #3289
- iOS ECB insecure encryption modes test and demo by @Diolor — #3547
- New Android privacy test case drafts by @cpholguera — #3228
Updates & Fixes
- MASTG-TEST-0210: add Blowfish and third-party / custom implementations by @cpholguera — #3369
- MASTG-TEST-0228: remove unnecessary step by @barbieri-mobisec — #3106
- MASTG-TEST-0281: improved steps and criteria, add MASTG-TECH-0136, 0137, 0138 by @cpholguera — #3338
- MASTG-TEST-0016: marked as covered by v2 (by @Guardsquare) by @nmsa — #3026
- Keyboard caching theory for Android enhanced (by @nowsecure) by @cpholguera — #3237
- Cryptographic language standardized (e.g. "weak") by @sydseter — #3199
Deprecations
- MASTG-TEST-0031: Testing JavaScript Execution in WebViews — deprecated by @cpholguera — #3419
- Memory corruption and sensitive data tests deprecated for Android and iOS by @cpholguera — #3506
- EncryptedFile / EncryptedSharedPreferences deprecation warnings added by @AndrewScull — #3158
🎬 MASTG Demos
- MASTG-DEMO-0034, MASTG-DEMO-0035: Android backup via adb and semgrep (by @nowsecure) by @cpholguera — #3217
- MASTG-DEMO-0038, MASTG-DEMO-0039: StrictMode detection (by @nowsecure) by @cpholguera — #3246
- MASTG-DEMO-0048, MASTG-DEMO-0049 (by @nowsecure) by @cpholguera — #3274
- MASTG-DEMO-0060: EncryptedSharedPreferences secure storage (by @nowsecure) by @cpholguera — #3410
- MASTG-DEMO-0040: Debuggable Flag Not Disabled (by @appknox) by @ScreaMy7 — #3244
- Demo download buttons: direct APK/IPA download by @TheDauntless — #3348
- Add demo status display and draft banner by @cpholguera — #3208
- Fix all demos for Frida 17 breaking changes by @cpholguera — #3364
- Update MASTG-DEMO-0009: focus on undeclared PII in network traffic by @cpholguera — #3502
- Update MASTG-DEMO-0027: Frida script flags and result lookup by @cpholguera — #3363
- Update MASTG-DEMO-0058, MASTG-DEMO-0059 by @cpholguera — #3460
🛡️ MASTG Best Practices
- MASTG-BEST-0004: link to security recommendations for backups by @cpholguera — #3118
- Enhanced error and exception handling best practices for Android by @cpholguera — #3471
📖 MASTG Knowledge
- Split Android and iOS platform security knowledge into distinct sections by @cpholguera — #3413
- MASTG-KNOW-0017: updated by @KVVat — #3488
✨ MASTG Techniques
- [MASTG-TECH-0112] Reverse Engineering Flutter Applications by @Datafarm-Research — #2913
- [MASTG-TECH-0136, 0137, 0138] MITM techniques clarified and added (by @nowsecure) by @cpholguera — #3184
- New technique: Inspecting the Merged Android Manifest by @Diolor — #3490
- MASTG-TECH-0052: simulator commands updated by @cpholguera — #3186
- MASTG-TECH-0117: updated with jadx by @cpholguera — #3334
- MASTG-TECH-0058, MASTG-TECH-0111: properly linked to TOOL pages by @cpholguera — #3342
- IPA Installation Techniques updated (by @NVISOsecurity) by @TheDauntless — #3100
- Terminology: updated MITM to "Machine-in-the-Middle" by @sushi2k — #3175
🪄 MASTG Tools
New tools:
- [MASTG-TOOL-0129] rabin2 by @cpholguera — #3154
- [MASTG-TOOL-0131] PlistBuddy and plistlib by @TheDauntless — #3349
- [MASTG-TOOL-0137] GlobalWebInspect, [MASTG-TOOL-0138] ipainstaller, [MASTG-TOOL-0139] ElleKit, [MASTG-TOOL-0140] frida-multiple-unpinning, [MASTG-TOOL-0141] IOSSecuritySuite, [MASTG-TOOL-0142] Choicy by @TheDauntless — #3354
- [MASTG-TOOL-0143] badssl.com (network testing) by @cpholguera — #3372
- [MASTG-TOOL-0144] gitleaks by @cpholguera — #3467
New apps:
- BugBazaar and iBugBazaar (vulnerable Android/iOS apps) by @krutarthshukla — #3192
- [MASTG-APP-0031] VulnForum (intentionally vulnerable Android app) by @macik09 — #3514
Updates:
- MASTG-TOOL-0031 (Frida): updated for Frida 17 breaking changes by @cpholguera — #3362
- MASTG-TOOL-0043 (class-dump): dockerized version added by @lucacapacci — #3466
- MASTG-TOOL-0064 (Sileo): updated (by @NVISOsecurity) by @TheDauntless — #3104
- MASTG-TOOL-0074 (objection): Frida 17+ support and new commands by @IPMegladon — #3378
- ProxyDroid updated (by @NVISOsecurity) by @TheDauntless — #3111
- MASTG-TECH-0017, MASTG-TECH-0023, MASTG-TOOL-0018 updated by @TheDauntless — #3346
- Add GitHub statistics to all GitHub-based tool pages by @TheDauntless — #3350
Deprecations:
- MASTG-TOOL-0023 (RootCloak), MASTG-TOOL-0046 (Cycript), MASTG-TOOL-0047 (Cydia) deprecated by @TheDauntless — #3354
⚡ Automation
- iOS demo build pipeline via GitHub Actions (by @nowsecure) by @cpholguera — #3125
- Android demo build: simplified scripts, caching by @javier-ruiz-b — #3157
- Android demo build: proto files and build.gradle.kts support (by @nowsecure) by @cpholguera with @Copilot — #3543
- iOS build: Local.xcconfig copy step by @Diolor — #3599
- Only run APK/IPA builds on demo changes (PR-scoped) by @cpholguera — #3205
- Custom linting rules by @cpholguera — #2816
- Workflow to check for duplicate file IDs in PRs by @cpholguera — #3202
- Reusable GitHub Actions workflow for website build and deploy by @cpholguera — #3325, #3326
- pip install speed improved via action-setup-venv by @javier-ruiz-b — #3336
- Hooks refactored, tags upgraded, requirements fixed by @TheDauntless — #3317
🏗️ Site & Infrastructure
- Interactive test filters added to the tests index by @cpholguera — #3332
- Table search refactored by @TheDauntless — #3340
- Taxonomy section updated by @TheDauntless — #3352
- MAS Components authoring instructions added by @cpholguera — #3447
- Frida 17 base script PoC by @bernhste — #3359
- Data storage chapter updated: internal/external/scoped storage, APIs and permissions by @cpholguera — #3179
- Frida hook improvements: instance tracking, simpleHash, optional overload definitions (by @nowsecure) by @cpholguera — #3553, #3556
- ZAP references updated by @kingthorin — #3169
🐞 Errata Corrections
- MSTG → MASTG rename sweep by @Diolor — #3577
- Grammar and punctuation fixes across Android techniques (TECH 1–140) by @Diolor — #3474, #3475, #3476, #3477, #3478
- Fix link typo in security testing document by @mrjonstrong — #3443
- Fix various grammar mistakes in tools/android by @Diolor — #3481
- Update Salesforce link for ZAP setup by @Diolor — #3480
- Objection: remove outdated pip/PyPI warnings by @cpholguera with @Copilot — #3550
- Frida for iOS reference corrected to Frida for Android by @Stormtrooperroman — #3501
🎉 New Donators
New Contributors
- @Datafarm-Research — #2913
- @barbieri-mobisec — #3106
- @poffo-mobisec — #3133
- @javier-ruiz-b — #3157
- @kingthorin — #3169
- @sydseter — #3193
- @userdehghani — #3254
- @Azulath — #3260
- @GSFZamai — #3258
- @emmanuel-ferdman — #3272
- @AndrewScull — #3158
- @nobodynate — #3414
- @mrjonstrong — #3443
- @bernhste — #3359
- @krutarthshukla — #3192
- @lucacapacci — #3466
- @Stormtrooperroman — #3501
- @IPMegladon — #3378
- @macik09 — #3514
- @Diolor — #3474
- @KVVat — #3488
Full Changelog: v1.8.0...v1.9.0