v1.7.0

MASTG Refactor Part 2: Techniques, Tools & Reference Apps: This release introduces the second phase of the MASTG (Mobile Application Security Testing Guide) refactor. These changes aim to enhance the usability and accessibility of the MASTG.

The primary focus of this new refactor is the reorganization of the MASTG content into different components, each housed in its dedicated section/folder and existing now as individual pages in our website (markdown files with metadata/frontmatter in GitHub):

NOTE: You may find broken links on the website and in the PDF/eBook. This is a consequence of these massive changes and we expect to be able to fix them soon.

• Tests:

  • Website: Tests section.
  • GitHub: tests/ folder.
  • Identified by IDs in the format MASTG-TEST-XXXX.
  • Includes all tests originally in:
    • 0x05d/0x06d-Testing-Data-Storage.md
    • 0x05e/0x06e-Testing-Cryptography.md
    • 0x05f/0x06f-Testing-Local-Authentication.md
    • 0x05g/0x06g-Testing-Network-Communication.md
    • 0x05h/0x06h-Testing-Platform-Interaction.md
    • 0x05i/0x06i-Testing-Code-Quality-and-Build-Settings.md
    • 0x05j/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md
  • ⚠️ IMPORTANT (TODO): These tests are still the original MASTG v1.6.0 tests. We will progressively split them into smaller tests, the so-called "atomic tests" in MASTG v2 and assign the new MAS profiles accordingly.

• Techniques:

  • Website: Techniques section.
  • GitHub: techniques/ folder.
  • Identified by IDs in the format MASTG-TECH-XXXX.
  • Includes all techniques originally in:
    • 0x05b/0x06b-Basic-Security_Testing.md
    • 0x05c/0x06c-Reverse-Engineering-and-Tampering.md

• Tools:

  • Website: Tools section.
  • GitHub: tools/ folder.
  • Identified by IDs in the format MASTG-TOOL-XXXX.
  • Includes all tools from:
    • 0x08a-Testing-Tools.md

• Apps:

  • Website: Apps section.
  • GitHub: apps/ folder.
  • Identified by IDs in the format MASTG-APP-XXXX.
  • Includes all apps from:
    • 0x08b-Reference-Apps.md

We hope that the revamped structure enables you to navigate the MASTG more efficiently and access the information you need with ease. See below for a detailed list of changes.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for this new OWASP MASTG refactoring phase and for continuing spreading the word about the OWASP MAS project.

We'd also like to thank our new MAS Advocate applicants for waiting patiently while we get everything ready behind the scenes for them to help us efficiently.

💙 Thanks to Zimperium for their generous donation!

Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project

NOTE: the OWASP MASTG v1.7.0 relies on the latest MASVS v2.0.0

Help us improve! questions | ideas | contact

What's Changed

📢 News

• Introducing the new MAS Testing Profiles and MASTG Atomic Tests proposals by @cpholguera in #2424
• Add news about the MAS Score Formula Proposal by @cpholguera in #2436
• News: MASVS-PRIVACY by @cpholguera in #2459

🧪 MASTG Test Cases

• Proofreading fixes 0x05d part 4 by @Laancelot in #2414
• [ios_0x06d/0055] Fix the description of the keyboard cache location by @sohsatoh in #2416
• Update Android permission protection levels and introduced risk categories (by @nowsecure) by @cpholguera in #2423
• Proofreading fixes 0x05d part 3 by @Laancelot in #2413
• Proofreading fixes 0x05d part 1 (by @nowsecure) by @cpholguera in #2427
• Proofreading fixes 0x05e part 1 (by @nowsecure) by @cpholguera in #2426

📖 MASTG Testing Fundamentals

• Introduce App Attest by @lihter in #2462

✨ MASTG Testing Techniques

• Taint analysis for Android Java code by @su-vikas in #2390

🪄 MASTG Testing Tools

• Replace Passionfruit with Grapefruit by @lihter in #2451
• Update r2frida guide examples to use : instead of \ for command start by @Shiva953 in #2450

📜 Mobile Security Checklists

• Changed value of status_cells in yaml_to_excel.py by @bl13pbl03p in #2417

🎉 New Donators

• Add Zimperium to God Mode Donators by @sushi2k in #2440

Other Changes

• Consolidate Contributors in the MAS Website by @sushi2k in #2392
• Fix broken download button in overview page by @ploar-bear in #2410
• UnCrackable L1 Solution using MobSF by @Xhoenix in #2421
• Update MASTG-TEST-0087 "Make Sure That Free Security Features Are Activated" (by @nowsecure) by @cpholguera in #2430
• MASTG Refactor Part 2: Techniques, Tools & Reference Apps (by @nowsecure) by @cpholguera in #2439

New Contributors

• @ploar-bear made their first contribution in #2410
• @bl13pbl03p made their first contribution in #2417
• @Xhoenix made their first contribution in #2421
• @lihter made their first contribution in #2451
• @Shiva953 made their first contribution in #2450

Full Changelog: v1.6.0...v1.7.0

v1.6.0

Following up on the OWASP MASVS v2.0.0 Release we're excited to announce the release of the new OWASP MASTG version v1.6.0. This update includes a range of new features, including the first phase of the MASTG refactoring, MASVS color-coding, upgraded MAS Checklists (for OWASP MASVS v2.0.0 + MASTG v1.6.0), and much more. See below for a detailed list of changes.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MASTG refactoring, the OWASP MAS website and this MASTG v1.6.0 release and for continuing spreading the word about the OWASP MAS project.

💙 Thanks to dvuln, eShard, OHRUS and devoteam Cyber Trust for their generous donations!

Carlos Holguera, Sven Schleier and Jeroen Beckers - OWASP MAS project

NOTE: the OWASP MASTG v1.6.0 relies on the latest MASVS v2.0.0

Help us improve! questions | ideas | contact

What's Changed

📢 News

Introducing the MASVS v2 Colors

We're bringing official colors to the MASVS! The new colors will be used across the MASVS v2.0.0 and MASTG v2.0.0 to help users quickly identify the different control groups. We've also revamped certain areas of our website to make them more readable and easier to navigate as well as to prepare for what's coming with the MASTSG v2.0.0 (keyword: "atomic tests").

MASVS

In the MASVS home page, the new colors will be used to highlight the different control groups.

The individual controls will also be color-coded to help users quickly identify the different control groups. We've also redesigned the control pages to make them more readable and easier to navigate.

MASTG

Now, when you navigate to the MASTG tests, you'll see that they are categorized by platform (Android/iOS) as well as by MASVS category, also using our new colors in the sidebar. The colors will also be used to highlight the different control groups in the test description.

Each test now contains a header section indicating the platform, the MASVS v1.5.0 controls, and the MASVS v2.0.0 controls.

We've also introduced a new section called "Resources" which is automatically generated using the inline links within the MASTG pages and serve as a quick reference to the most important resources for each test.

NOTE: The MASTG tests themselves haven't changed yet, we're still working on the refactoring. For now we've simply split the tests into individual pages to make them easier to navigate and reference. This will facilitate the work on the refactoring and the introduction of the new atomic tests.

MAS Checklist

The MAS Checklist pages and the MAS checklist itself have also been updated to use the new colors to highlight the different control groups and to make them easier to navigate.

When you click on a MASVS group you'll see a table listing the new MASVS v2.0.0 controls as well as the corresponding MASTG tests (v1.5.0) for both the Android and the iOS platforms.

NOTE: The checklist contains the old MASVS v1 verification levels (L1, L2 and R) which we are currently reworking into "security testing profiles". The levels were assigned according to the MASVS v1 ID that the test was previously covering and might differ in the upcoming version of the MASTG and MAS Checklist.

For the upcoming of the MASTG version we will progressively split the MASTG tests into smaller tests, the so-called "atomic tests" and assign the new MAS profiles accordingly.

We hope you like the new colors and the changes we've made to the website. We're looking forward to your feedback! Please use our GitHub Discussions to post any questions or ideas you might have. If you see something wrong please let us know by opening a bug issue.

More News

• Website Redesign and Restructure by @cpholguera in #2242
• Update Talks (Cybersec Chile) by @cpholguera in #2275
• Add NSConnect 2022 Talk by @cpholguera in #2302
• Add Guidelines to Contribute with Crackmes by @cpholguera in #2303
• Added AppSec EU and US Talks by @sushi2k in #2385
• Update with MASVS v2 Release by @cpholguera in #2397
• Added Case Study by NowSecure by @cpholguera in #2402
• MASTG Transition Version by @cpholguera in #2396

🧪 MASTG Test Cases

• Add static analysis details for Android keyboard cache by @DIvanov503 in #2254
• Recommend Using conscrypt for Old Android API Levels by @rlatapy-luna in #2340
• Deprecate Fragment Injection Test for MSTG-PLATFORM-2 by @cpholguera in #2328
• Proofreading fixes 0x05d part 1 by @Laancelot in #2351
• Proofreading fixes 0x05d part 2 by @Laancelot in #2358
• Add Test for Android Pending Intents to 0x05h by @su-vikas in #2300
• Add Test for Implicit Intent Injection (MSTG-PLATFORM-2) by @LukasMarckmiller in #2056
• Add codesign/ldid to the test Determining Whether the App is Debuggable (MSTG-CODE-2) by @sohsatoh in #2296
• Add otool command to 0x06i-Testing-Code-Quality-and-Build-Settings.md by @rsenet in #2362
• [Phase 1] Refactor 0x05h-Testing-Platform-Interaction.md (@nowsecure) by @angrymuffinx in #2286
• [Phase 1] Refactor 0x06j-Testing-Resiliency-Against-Reverse-Engineering.md by @iotaaxel in #2321
• [Phase 1] Refactor 0x0**-Testing-Code-Quality.md by @cpholguera in #2381
• [Phase 1] Refactor 0x06h-Testing-Platform-Interaction.md by @TheDauntless in #2380
• [Phase 1] Refactor 0x0**-Testing-Resiliency-Against-Reverse-Engineering.md by @sushi2k in #2382
• [Phase 1] Refactor 0x0**-Local-authentication.md by @TheDauntless in #2377
• [Phase 1] Refactor 0x0**-Testing-Network-Communication.md by @sushi2k in #2378
• [Phase 1] Refactor 0x0**-Testing-Cryptography.md by @sushi2k in #2372
• [Phase 1] Refactor 0x0**-Testing-Data-Storage.md by @cpholguera in #2379

📖 MASTG Testing Fundamentals

• Proofreading fixes 0x04b by @Laancelot in #2276
• Proofreading fixes 0x04c by @Laancelot in #2277
• Proofreading fixes 0x04f by @Laancelot in #2279
• Proofreading fixes 0x04g by @Laancelot in #2281
• Proofreading fixes 0x04e by @Laancelot in #2278
• Proofreading fixes 0x04i by @Laancelot in #2287
• Proofreading fixes part 1 0x05a by @Laancelot in #2289
• Proofreading fixes part 2 0x05a by @Laancelot in #2292
• Proofreading fixes part 1 0x05b by @Laancelot in #2293
• Proofreading fixes part 3 0x05b by @Laancelot in #2298
• Proofreading fixes part 3 0x05b by @Laancelot in #2299
• Proofreading fixes part 2 0x05b by @Laancelot in #2297
• Add iOS tcpdump instructions to 0x06b and related mitmproxy reference to 0x08a by @cgarst in #2326

✨ MASTG Testing Techniques

• Proofreading fixes part ...

v1.5.0

We've been very busy with the OWASP MASVS refactoring but we're very excited to be able to bring you the new OWASP MASTG in its version v1.5.0 including loads of news including new Test Cases, Testing Fundamentals, upgraded MAS Checklists and many more, see below.

We'd like to thank all of our loyal contributors and welcome our new contributors.

Special thanks to NowSecure for their consistent high-impact contributions to the project, especially for the MASVS refactoring, the OWASP MAS rebranding, the brand new OWASP MAS website and this MASTG v1.5.0 release and for continuing spreading the word about the OWASP MAS project.

Carlos Holguera & Sven Schleier - OWASP MAS project

NOTE: the OWASP MASTG v1.5.0 relies on the latest MASVS v1.4.2

What's Changed

📢 News

New "Trusted By" Section & CREST OVS

Introducing the "MAS Advocate" Status

Add Google's ADA MASA

Project Rebranding to OWASP MAS

OWASP MAS New Website

• Add Trusted By Section and Adopters by @cpholguera in #2059
• Add CREST and CREST OVS by @cpholguera in #2172
• Introducing the "MAS Advocate" Status by @cpholguera in #2132
  *Add Google's ADA MASA (by @nowsecure) by @cpholguera in #2128
• First Update to MAS and MASTG by @cpholguera in #2179
• Add MASTG New Cover for PDF by @cpholguera in #2205
• Update Twitter Handle to @OWASP_MAS by @cpholguera in #2186
• Rename MSTG to MASTG & link to New Website mas.owasp.org by @cpholguera in #2195

🧪 MASTG Test Cases

• MSTG-CODE-1 Add Link to Latest Code Signature Format for iOS by @cpholguera in #2025
• Testing Instant Apps is now in 0x05b (Basic Security Testing) by @cpholguera in #2039
• MSTG-NETWORK-1 Added clearText Traffic Info by @TheDauntless in #2037
• MSTG-CODE-9 Update Xcode Menu Options for PIE Protection by @ichistmeinname in #2078
• MSTG-CODE-1 Enhance iOS Code Signing Section (by @nowsecure) by @cpholguera in #2102
• MSTG-PLATFORM-1 Introducing Privacy-Friendly Alternatives to Requesting Permissions by @cpholguera in #1993
• MSTG-PLATFORM-2 MSTG-PLATFORM-3 Enhance Android Deep Link Testing (by @nowsecure) by @cpholguera in #2090
• MSTG-PLATFORM-10 Add WebViews Cleanup by @cpholguera in #1984
• Add coverage for MSTG-CODE-9 on Android by @cpholguera in #2089
• MSTG-NETWORK-1-4 Fix Network Security Testing on Android and iOS (by @nowsecure) by @cpholguera in #2042
• MSTG-RESILIENCE-5 Update Emulation Available on iOS by @t3chn0m4g3 in #2167

📖 MASTG Testing Fundamentals

• 0x06b - Upgrade Jailbreak section by @cpholguera in #1943
• Fix Deprecated SecKeyEncrypt Class (iOS) by @fujiokayu in #2083
• 0x04e - About OTP Authentication Checks by @Saket-taneja in #1938
• Added instructions explaining how to move certificate from user to root store by @DemanNL in #1915
• Key Management Updates for iOS and Android by @vixentael in #2127
• CRYPTO: Export and import crypto regulations by @julepka in #1885
• 0x06b - Update Jailbreak Content (by @nowsecure) by @cpholguera in #2145
• Add FIPS 140-2 validated info for corecrypto by @cpholguera in #2144
• Improve the Android Architecture Section (by @nowsecure) by @cpholguera in #2118
• Add New References to Android API changes (by @nowsecure) by @cpholguera in #2153
• Updated Symmetric and Asymmetric Encryption Description by @dmagnate in #2139

✨ MASTG Testing Techniques

• 0x05c - Update Angr Example to Angr 9.2.2 by @kousha1999 in #2103
• Enabling Safari Web Inspector on iOS by @lndevel in #2112
• Update Corellium info and about decrypting IPAs by @cpholguera in #2124

🪄 MASTG Testing Tools

• New Chapter for Reference Apps #2142 by @wwwhackcom in #2156
• Add APKLab for Android by @fujiokayu in #2177

⚡ Automation

• Update Changelog Automation by @cpholguera in #2057
• Add GitHub Action for codespell by @cclauss in #2069
• Fix All Markdown Lint Issues and Broken Links by @cpholguera in #2143
• Auto-label PRs by @witzki in #2101
• Enhance Auto Release Notes by @cpholguera in #2234
• Add MASVS version to MASTG PDF by @cpholguera in #2235

📜 MAS Checklists

• Increase Checklist Test Coverage Including Tests from the 0x04* Chapters by @fujiokayu in #2085
• Add Common Test Case Column to Checklist by @cpholguera in #2208

Checklist test coverage changes: removed (2) added (13) updated (51)

🎉 New Donators

• Thanks Corellium by @cpholguera in #2174

🐞 Errata Corrections

• Update broken links by @TheDauntless in #2038
• Fixing typos and more in the Android Crypto Chapter by @cpholguera in #1992
• Fix spelling by @TheDauntless in #2049
• Fix typos discovered by codespell by @cclauss in #2067
• Fixed Typos in 0x04i-Testing-User-Privacy-Protection by @wassef911 in #2123
• Fix Intros in Cryptography Chapters (by @nowsecure) by @corielynch in #2051
• Fix typo in 0x04f-Testing-Network-Communication.md by @dturner42 in #2178
• Resolved broken link to OWASP MASTG authors and co-authors (#2197) ; by @chantzlarge in #2198
• Resolved broken link to OWASP MASTG Contributors (#2199) ; by @chantzlarge in #2200
• Fix lulu.com links by @cpholguera in #2203

Other Changes

• Improve README UX by @cpholguera in #2061
• Fix chapter outline for 0x04g (Mobile App Cryptography) by @cpholguera in #2040
• Change markdown images to html images by @TheDauntless in #2126

New Contributors

• @cclauss made their first contribution in #2067
• @ichistmeinname made their first contribution in #2078
• @kousha1999 made their first contribution in #2103
• @lndevel made their first contribution in #2112
• @wassef911 made their first contribution in #2123
• @DemanNL made their first contribution in #1915
• @dmagnate made their first contribution in #2139
• @witzki made their first contribution in #2101
• @wwwhackcom made their first contribution in #2156
• @t3chn0m4g3 made their first contribution in #2167
• @dturner42 made their first contribution in http...

v1.4.0

What's Changed

OWASP Mobile App Security Checklists

The highly anticipated OWASP Mobile App Security Checklists are back including very exciting news.

New Features of the MASVS Checklists

• Completely automated: generated from scratch using openpyxl.
• Multi-language: now available in all 13 MASVS languages.
• Always up-to-date: from now on released with every new MSTG version & always using the latest MASVS.
• New clean design: consistent with our new identity.
• Simpler structure: all MASVS categories in one sheet.
• Traceable: include exact MASVS and MSTG versions and commit IDs.

Using the Checklists

• Use the "Status" column to:
  • Discard controls by selecting N/A
  • Set the result of a test by selecting Pass or Fail.
• Add more columns or sheets as you wish or need. For instance:
  • Duplicate & rename sheet to test for different platforms.
  • Simply copy & paste the "Status" column to cover additional platforms (rename title accordingly).

Feedback

Your feedback is essential for the development of the project. If you have any comments or new ideas please post them here:

https://github.com/OWASP/owasp-mstg/discussions/new?category=ideas

Other Changes

• Update README.md by @sushi2k in #2018
• Upgrade NowSecure to God Mode donator by @cpholguera in #2021
• Fixed link by @Brasco in #2032
• Automated Checklist and YAML Generation by @cpholguera in #2010

New Contributors

• @corielynch made their first contribution in #2029
• @Brasco made their first contribution in #2032

Full Changelog: v1.3.0...v1.4.0

v1.3.0

What's Changed

Changes in MSTG Content

• [Android Tool] Replace Outdated Drozer when Possible by @righettod in #1904
• [MSTG-CODE-9] Update iOS Binary Protection Checks by @su-vikas in #1925
• [MSTG-CODE-3] Add iOS Debugging Symbols Inspection by @su-vikas in #1930
• [0x05a] Add APK Signature Scheme (v4) by @Saket-taneja in #1937
• [0x06c] Add Patching Example for Debugging iOS Apps by @su-vikas in #1932
• [0x04e] Add check for JWT Claim by @Saket-taneja in #1939
• [0x06c] Add section Loaded Native Libraries by @cpholguera in #1948
• [0x06a] Add Visual Studio App Center by @anantshri in #1963
• [MSTG-STORAGE-12] Add Privacy Labels and Rework Privacy Chapter by @cpholguera in #1988

Errata Corrections (typos & more)

• Minor spelling correction of "Wether" in MSTG-STORAGE-10 by @Narendran36 in #1936
• Update dated/broken links in the docs by @PeterDaveHello in #1940
• Fix Broken Link by @cpholguera in #1941
• correcting local build instructions. by @anantshri in #1954
• Correcting link errors based on failed checks by @anantshri in #1955
• Fix typo in 0x06i-Testing-Code-Quality-and-Build-Settings.md by @chrihala in #1969
• fix lvl 6 heading by @cpholguera in #1973
• Fix link in 0x6g by @cpholguera in #1990

New Donators

• [Donator] Add ZIMPERIUM by @cpholguera in #1952

Other Changes

• Add donations issue form template by @cpholguera in #1947
• Update mlc_config.json by @cpholguera in #1958
• Enable CodeQL Analysis by @cpholguera in #1966
• Upgrade all workflows to actions/checkout@v2 by @cpholguera in #2013
• Upgrade Release Process by @cpholguera in #2015

New Contributors

• @Narendran36 made their first contribution in #1936
• @PeterDaveHello made their first contribution in #1940
• @Saket-taneja made their first contribution in #1937
• @anantshri made their first contribution in #1954
• @chrihala made their first contribution in #1969

Full Changelog: v1.2.1...v1.3.0

v1.2.1

What's Changed

Minor release without relevant content changes.

• Fixing semantic versioning by @cpholguera
• Add citation file by @cpholguera in #1934

Full Changelog: v1.2...v1.2.1

v1.2

Changelog

OWASP MSTG - Release v1.2 - 25th July 2021

167 issues were closed since the last release. A full overview can be seen in Github Issues https://github.com/OWASP/owasp-mstg/issues?q=is%3Aissue+is%3Aclosed+closed%3A2019-08-03..2021-07-25.

326 pull requests were merged since the last release. A full overview can be seen in Github Pull Requests https://github.com/OWASP/owasp-mstg/pulls?q=is%3Apr+is%3Aclosed+closed%3A2019-08-03..2021-07-25

Major changes include:

• Migrating the new document build pipeline from MASVS to MSTG. This allows us to build consistently the whole OWASP MSTG documents (PDF, docx etc.) in minutes, without any manual work.
• Besides numerous changes for the test cases we have a new Crackme - Android Level 4 https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android/Level_04 and also new write-ups for the Crackmes.
• We removed all references to Needle and IDB tool, as both tools are outdated.
• References of OWASP Mobile Top 10 and MSTG-IDs are completely moved to MASVS
• Reworking of information gathering (static analysis) for Android Apps
• Update of Biometric Authentication for Android Apps
• New content and updates in the Android and iOS Reverse Engineering and Tampering chapters
• 3 new iOS Reverse Engineering test cases
• Translations of the MSTG are linked to the respective forks but are not part of the MSTG anymore
• Updated English, Japanese, French, Korean and Spanish checklists to be compatible with MSTG 1.2
• Updated Acknowledgments, with 1 new co-author and contributor
• Added JNI Tracing for Android
• Added dsdump for dumping Objective-C and Swift content
• Added the procedure to sign the debugserver for iOS 12 and higher
• Added dependency-check to verify for vulnerabilities in libraries added by iOS package managers
• Added getppid as debugger detection (iOS)
• Added Domain/URL Enumeration in APKs
• Added introduction into Network.framework (iOS)
• Added UnSAFE Bank iOS Application
• Added information on SECCOMP (Android)
• Added native and java method tracing (Android)
• Added Android library injection
• Added Android 10 TLS and cryptography updates
• Updated code obfuscation for Android and iOS
• Added test case for Reverse Engineering Tools Detection - MSTG-RESILIENCE-4 (iOS)
• Added test case for Emulator Detection - MSTG-RESILIENCE-5 (iOS)
• Added an example with truststore to bypass cert pinning (Android)
• Added content to information gathering using frida (Android)
• Added Sec Consult, RandoriSec and OWASP Bay area as donators
• Added basic information gathering for Android and iOS
• Added Simulating a Man-in-the-Middle Attack with an Access Point
• Added gender neutrality to the MSTG
• Extended section about dealing with Xamarin Apps
• Updated all picture links (img tags) to be in markdown syntax
• Updated iTunes limitations and usage since macOS Catalina
• Added Emulation-based Analysis (iOS and Android)
• Added Debugging iOS release applications using lldb
• Added Korean translation of the checklist
• Updated symbolic execution content (Android)
• Added Ghidra for Android Reverse Engineering
• Added section on Manual (Reversed) Code Review for iOS
• Added explanation of more Frida APIs (iOS and Android)
• Added Apple CryptoKit
• Updated and simplified Frida detection methods
• Added introduction to setup and disassembling for iOS Apps
• Updated section about frida-ios-dump
• Added gplaycli (Android)
• Extended section on how to retrieve UDI (iOS)
• Added new companies in the Users.md list with companies applying the MSTG/MASVS
• Updated partially code samples to Swift 5
• Adding Process Exploration (Android and iOS)
• Updated best practices for passwords, added "Have I Been Pwned"
• Updated SSL Pinning fallback methods
• Updated app identifier (Android and iOS)
• Updated permission changes for Android O, P and Q
• Updated Broadcast Receiver section (Android)

Several other minor updates include fixing typos and markdown lint errors and updating outdated links.

We thank you all contributors for the hard work and continuously improving the document and the OWASP MSTG project!

Intermediate update 1.1.3-excel

Intermediate update (1.1.3-excel). See CHANGELOG.md for updates on intermediate update releases.

Intermediate update 1.1.3 (OSS Release)

What's Changed

• Updated Acknowledgments, with 2 new co-authors.
• Translated various parts into Japanese.
• A large restructuring of the general testing, platform specific testing and reverse-engineering chapters.
• Updated description of many tools: Adb, Angr, APK axtractor, Apkx, Burp Suite, Drozer, ClassDump(Z/etc), Clutch, Drozer, Frida, Hopper, Ghidra, IDB, Ipa Installer, iFunBox, iOS-deploy, KeychainDumper, Mobile-Security-Framework, Nathan, Needle, Objection, Magisk, PassionFruit, Radare 2, Tableplus, SOcket CAT, Xposed, and others.
• Updated most of the iOS hacking/verification techniques using iOS 12 or 11 as a base instead of iOS 9/10.
• Removed tools which were no longer updated, such as introspy-Android and AndBug.
• Added missing MASVS references from version 1.1.4: v1.X, V3.5, V5.6, V6.2-V6.5, V8.2-V8.6.
• Rewrote device-binding explanation and testcases for Android.
• Added parts on testing unmanaged code in Objective-C, Java, and C/C++.
• Applied many spelling, punctuation and style-related fixes.
• Updated many cryptography related parts.
• Added testaces for upgrade-mechanism verification for apps.
• Updated Readme, Code of Conduct, Contribution guidelines, verification, funding link, and generation scripts.
• Added ISBN as the book is now available at Lulu.
• Added various fixes for the .epub format.
• Added testcases on Android and iOS backup verification.
• Improved key-attestation related explanation for Android.
• Restructured OWASP Mobile Wiki.
• Removed Yahoo Weather app and simplified reference on using SQL injection.
• Improve explanation for iOS app sideloading to include various available methods.
• Added explanation on using ADB and device shell for Android.
• Added explanation on using device shell for iOS.
• Provided comparison for using emulators/simulators and real devices for iOS/Android.
• Fixed Uncrackable Level 3 for Android.
• Improved explanation on how to exfiltrate data and apps on iOS 12 and Android 8.
• Improved/updated explanation on SSL-pinning.
• Added list of adopters of the MASVS/MSTG.
• Updated English, Japanese, French and Spanish checklists to be compatible with MSTG 1.1.2.
• Added a small write-up on Adiantum for Google.
• Added MSTG-ID to the paragraphs to create a link between MSTG paragraphs and MASVS requirements.
• Added review criteria for Android instant apps and guidance for app-bundle evaluation.
• Clarified the differences between various methods of dynamic analysis.

Intermediate update 1.1.2: Excel edition!

This is a special release with the new compliance lists for 1.1.2 only. Grab them while they're hot!