4 |
5 | These are the UnCrackable Apps for Android and iOS, a collection of mobile reverse engineering challenges. These challenges are used as examples throughout the OWASP MASTG. Of course, you can also solve them for fun.
6 |
7 | See 
20 |
--------------------------------------------------------------------------------
/Document/0x08b-Reference-Apps.md:
--------------------------------------------------------------------------------
1 | # Reference applications
2 |
3 | The applications listed below can be used as training materials. Note: only the MASTG apps and Crackmes are tested and maintained by the MAS project.
4 |
5 | ## Android
6 |
7 | ### Android Crackmes
8 |
9 | A set of apps to test your Android application hacking skills - 
4 |
5 | :material-github: GitHub Repo
6 |
7 | Previously known as OWASP MSTG (Mobile Security Testing Guide)
8 |
9 | The **OWASP Mobile Application Security Testing Guide (MASTG)** is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the [OWASP MASVS](MASVS.md).
10 |
11 | 12 | 13 | [:material-download: Download the MASTG](https://github.com/OWASP/owasp-mastg/releases/latest/download/OWASP_MASTG-v1.5.0.pdf){ .md-button .md-button--primary } 14 | 15 |
16 | 17 | :blue_heart:{ .pump } Support the project by purchasing the [OWASP MASTG on leanpub.com](https://leanpub.com/owasp-mastg). All funds raised through sales of this book go directly into the project budget and will be used to for technical editing and designing the book and fund production of future releases. 18 | 19 | > :material-translate: The OWASP MASTG is only available in English but you can get both the [OWASP MASVS](MASVS.md) and the [MAS Checklist](MAS_checklist.md) in other languages. 20 | 21 |
22 | -------------------------------------------------------------------------------- /docs/MASVS.md: -------------------------------------------------------------------------------- 1 | # OWASP MASVS 2 | 3 |
4 |
5 | :material-github: GitHub Repo
6 |
7 | The **OWASP MASVS (Mobile Application Security Verification Standard)** is the industry standard for mobile app security. It can be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers to ensure completeness and consistency of test results.
8 |
9 | 10 | 11 | [:material-download: Download the MASVS](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-en.pdf){ .md-button .md-button--primary } 12 | 13 |
14 | 15 | :warning: HELP WANTED: We're currently refactoring the MASVS to bring it to version 2.0. This is a community effort and you can also participate. Take a look at it and give your feedback using the button below. 16 | 17 | [:material-open-in-new: MASVS Refactoring](https://github.com/OWASP/owasp-masvs/discussions/categories/big-masvs-refactoring){ .md-button } 18 | 19 |
20 | 21 | > :material-translate: The OWASP MASVS is also available in [other languages](https://github.com/OWASP/owasp-masvs#masvs-translations). Is your language not here? We'd love to [add it](contributing/4_Add_new_Language.md)! 22 | > 23 | > :material-download: Download international PDFs: 24 | > 25 | > [Deutsch](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-de.pdf) | 26 | > [Español](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-es.pdf) | 27 | > [François](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-fr.pdf) | 28 | > [فارسى](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-fa.pdf) | 29 | > [हिन्दी](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-hi.pdf) | 30 | > [日本語](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ja.pdf) | 31 | > [한국어](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ko.pdf) | 32 | > [português (br)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ptbr.pdf) | 33 | > [português (pt)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ptpt.pdf) | 34 | > [Русский](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ru.pdf) | 35 | > [中文 (cn)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-zhcn.pdf) | 36 | > [中文 (tw)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-zhtw.pdf) 37 | 38 |
39 | -------------------------------------------------------------------------------- /docs/MAS_checklist.md: -------------------------------------------------------------------------------- 1 | --- 2 | hide: 3 | - navigation 4 | - toc 5 | --- 6 | 7 | # OWASP MAS Checklist 8 | 9 |
10 |
11 | The OWASP Mobile Application Security Checklist contains links to the MASTG test case for each MASVS requirement.
12 |
13 | - **Security Assessments / Pentests**: ensure you're at least covering the standard attack surface and start exploring.
14 | - **Standard Compliance**: includes MASVS and MASTG versions and commit IDs
15 | - **Learn & practice** your mobile security skills.
16 | - **Bug Bounties**: go step by step covering the mobile attack surface.
17 |
18 | 19 | 20 | [:material-download: Download the MAS Checklist](https://github.com/OWASP/owasp-mastg/releases/latest/download/Mobile_App_Security_Checklist_en.xlsx){ .md-button .md-button--primary } 21 | 22 |
23 | 24 | > :material-translate: The OWASP MAS Checklist is also available in [other languages](https://github.com/OWASP/owasp-masvs#masvs-translations). Is your language not here? We'd love to [add it](contributing/4_Add_new_Language.md)! 25 | > 26 | > :material-download: Download international PDFs: 27 | > 28 | > [Deutsch](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-de.pdf) | 29 | > [Español](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-es.pdf) | 30 | > [François](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-fr.pdf) | 31 | > [فارسى](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-fa.pdf) | 32 | > [हिन्दी](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-hi.pdf) | 33 | > [日本語](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ja.pdf) | 34 | > [한국어](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ko.pdf) | 35 | > [português (br)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ptbr.pdf) | 36 | > [português (pt)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ptpt.pdf) | 37 | > [Русский](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ru.pdf) | 38 | > [中文 (cn)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ptbr.pdf) | 39 | > [中文 (tw)](https://github.com/OWASP/owasp-masvs/releases/latest/download/OWASP_MASVS-v1.4.2-ptpt.pdf) 40 | 41 |
42 | -------------------------------------------------------------------------------- /docs/assets/GitHub_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/GitHub_logo.png -------------------------------------------------------------------------------- /docs/assets/OWASP_logo_white.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/OWASP_logo_white.png -------------------------------------------------------------------------------- /docs/assets/carlos.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/carlos.jpg -------------------------------------------------------------------------------- /docs/assets/checklist_en_filled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/checklist_en_filled.png -------------------------------------------------------------------------------- /docs/assets/comment-marked-as-answer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/comment-marked-as-answer.png -------------------------------------------------------------------------------- /docs/assets/donations/donators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/donations/donators.png -------------------------------------------------------------------------------- /docs/assets/donations/mastg_donation_form.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/donations/mastg_donation_form.png -------------------------------------------------------------------------------- /docs/assets/donations/owasp_donation_form.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/donations/owasp_donation_form.png -------------------------------------------------------------------------------- /docs/assets/hover-comment-icon.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/hover-comment-icon.gif -------------------------------------------------------------------------------- /docs/assets/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/logo.png -------------------------------------------------------------------------------- /docs/assets/logo_circle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/logo_circle.png -------------------------------------------------------------------------------- /docs/assets/mastg_cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/mastg_cover.png -------------------------------------------------------------------------------- /docs/assets/masvs_cover.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/masvs_cover.png -------------------------------------------------------------------------------- /docs/assets/news/mas-rebranding.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/news/mas-rebranding.png -------------------------------------------------------------------------------- /docs/assets/release_header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/release_header.png -------------------------------------------------------------------------------- /docs/assets/starring.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/starring.png -------------------------------------------------------------------------------- /docs/assets/suggestion-block.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/suggestion-block.png -------------------------------------------------------------------------------- /docs/assets/sven.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/sven.jpg -------------------------------------------------------------------------------- /docs/assets/trusted-by-logos.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/assets/trusted-by-logos.png -------------------------------------------------------------------------------- /docs/contact.md: -------------------------------------------------------------------------------- 1 | # 💬 Connect with Us 2 | 3 |
4 |
5 | You can follow and reach out to the OWASP MAS team in many ways.
6 |
7 | - Send us your questions and ideas to GitHub Discussions
8 | - Stay always up-to-date by following us on Twitter.
9 | - Join our Slack community
10 |
11 | If you'd like to contribute, take a look at our [Contributions page](contributing.md) or reach out to the project leaders Carlos or Sven.
12 |
13 | [:material-github:](https://github.com/OWASP/owasp-mastg/discussions)
14 | [:material-twitter:](https://twitter.com/OWASP_MAS)
15 | [:material-slack:](https://owasp.slack.com/archives/C1M6ZVC6S)
16 |
17 | > [Request an invitation](https://owasp.slack.com/join/shared_invite/zt-g398htpy-AZ40HOM1WUOZguJKbblqkw#) to join our Slack channel `#project-mobile-app-security`
18 |
19 | 20 | 21 | ## OWASP MAS Project Leaders 22 | 23 | ## Carlos Holguera 24 | 25 |
26 |
27 | Carlos is a mobile security research engineer who has gained many years of hands-on experience in the field of security testing for mobile apps and embedded systems such as automotive control units and IoT devices. He is passionate about reverse engineering and dynamic instrumentation of mobile apps and is continuously learning and sharing his knowledge.
28 |
29 | [:material-github:](https://github.com/cpholguera)
30 | [:material-twitter:](https://twitter.com/grepharder)
31 | [:material-slack:](https://owasp.slack.com/team/U5LRFEGR5)
32 | [:material-email:](mailto:Carlos.Holguera@owasp.org)
33 | [:material-linkedin:](https://linkedin.com/in/carlos-holguera)
34 |
35 | 36 | 37 | ## Sven Schleier 38 | 39 |
40 |
41 | Sven is an experienced web and mobile penetration tester and assessed everything from historic Flash applications to progressive mobile apps. He is also a security engineer that supported many projects end-to-end during the SDLC to "build security in". He was speaking at local and international meetups and conferences and is conducting hands-on workshops about web application and mobile app security.
42 |
43 | [:material-github:](https://github.com/sushi2k)
44 | [:material-twitter:](https://twitter.com/bsd_daemon)
45 | [:material-slack:](https://owasp.slack.com/team/U1M6X5WCU)
46 | [:material-email:](mailto:Sven.Schleier@owasp.org)
47 | [:material-linkedin:](https://linkedin.com/in/sven-schleier)
48 |
49 | 50 | -------------------------------------------------------------------------------- /docs/contributing.md: -------------------------------------------------------------------------------- 1 | # Contributing to the MAS Project 2 | 3 | _First of all,_ [⭐ Give us a Star in GitHub](https://github.com/OWASP/owasp-mastg)! 4 | 5 |
6 |
7 | 8 | 9 | The MAS project is an open source effort and we welcome all kinds of contributions and feedback. 10 | 11 | **Help us improve & join our community:** 12 | 13 | - 🐞 [Report an error (typos, grammar)](contributing/1_How_Can_You_Contribute.md#create-issues) or [fix it on a Pull Request](contributing/1_How_Can_You_Contribute.md#open-a-pull-request). 14 | - 💬 Give feedback ([MASTG](https://github.com/OWASP/owasp-mastg/discussions/categories/general)/[MASVS](https://github.com/OWASP/owasp-masvs/discussions/categories/general)). 15 | - 🙏 Ask questions ([MASTG](https://github.com/OWASP/owasp-mastg/discussions/categories/q-a)/[MASVS](https://github.com/OWASP/owasp-masvs/discussions/categories/q-a)). 16 | 17 | **Contribute with content:** 18 | 19 | - 💡 Propose ideas or suggest improvements ([MASTG](https://github.com/OWASP/owasp-mastg/discussions/categories/ideas)/[MASVS](https://github.com/OWASP/owasp-masvs/discussions/categories/ideas)). If it qualifies we'll promote it to an Issue. 20 | - 📄 [Create a Pull Request](contributing/1_How_Can_You_Contribute.md#open-a-pull-request) for concrete fixes (e.g. grammar/typos) or content already approved by the core team. 21 | 22 | Before you start contributing, please check our pages ["How Can You Contribute?"](contributing/1_How_Can_You_Contribute.md) and ["Getting Started"](contributing/2_Getting_Started.md). If you have any doubts [please contact us](contact.md). 23 | 24 | ## Contribution Credit / Acknowledgments 25 | 26 | Contributors are added to the acknowledgments section based on their contributions logged by GitHub and/or by applying to a certain role and consistently demonstrating their commitment. Acknowledgements are visible in: 27 | 28 | - [OWASP MASTG Authors & Co-Authors sections](MASTG/Intro/0x02a-Frontispiece.md#authors) 29 | - [OWASP MASTG Contributors section](MASTG/Intro/0x02c-Acknowledgements.md#contributors) 30 | - [OWASP MASTG printed version](https://www.lulu.com/shop/jeroen-willemsen-and-sven-schleier-and-bernhard-müller-and-carlos-holguera/owasp-mobile-security-testing-guide/paperback/product-1kw4dp4k.html) 31 | 32 | Contributors are categorized as follows: 33 | 34 | - **Project Leader / Author**: Manage the development of the guide continuously and write a large amount of new content. Project Leadership cannot be achieved if any violations of the Code of Conduct occurred in the past. Be aware that you'll be expected to invest lots of time over several months. 35 | - **Reviewer**: People that continuously monitor and review our [Pull Requests](https://github.com/OWASP/owasp-mastg/pulls) or given useful feedback and suggesting changes. 36 | - **Most Helpful Discussions contributor**: actively participate in our GitHub Discussions. Contributors with the most answers marked as "The Answer" will get recognized as "Most Helpful" in our official repos. 37 | - **Co-Author**: Consistently contribute quality content, [at least 2,000 additions logged](https://github.com/OWASP/owasp-mastg/graphs/contributors "Co-author"). 38 | - **Top Contributor**: Consistently contribute quality content, [at least 500 additions logged](https://github.com/OWASP/owasp-mastg/graphs/contributors "Top Contributor"). 39 | - **Contributor**: Any form of contribution, [at least 50 additions logged](https://github.com/OWASP/owasp-mastg/graphs/contributors "Contributor"). 40 | - **Mini-contributor**: Everything below 50 additions, e.g. committing a single word or sentence. 41 | 42 | [Contact us](contact.md) if you are planning to become an Author/Co-Author/Reviewer, are missing from the acknowledgements (note that we make updates frequently, but not in realtime). 43 | 44 | ## 🚫 What not to do 45 | 46 | Although we greatly appreciate any and all contributions to the project, there are a few things that you should take into consideration: 47 | 48 | - **No advertisement**: The OWASP mobile Security Project cannot be used as a platform for advertisement of commercial tools, companies or individuals. Technical content such as the implementation of certain techniques or tests should be written with free and open-source tools in mind. Commercial tools are typically not accepted, but might be referenced in some specific cases. 49 | - **No unnecessary self-promotion of tools or blog posts**: If you have a relation with one of the URLs or tools you are referencing, please state so in the PR so that we can verify that the reference is in line with the rest of the guide. 50 | 51 | Please be sure to take a careful look at our [Code of Conduct](https://github.com/OWASP/owasp-mastg/blob/master/CODE_OF_CONDUCT.md "Code of Conduct") for all the details and [ask us](contact.md) in case of doubt. 52 | 53 |
54 | -------------------------------------------------------------------------------- /docs/contributing/1_How_Can_You_Contribute.md: -------------------------------------------------------------------------------- 1 | # How Can You Contribute? 2 | 3 | You can directly contribute to the MASVS or MASTG in many different ways! First, go ahead and create a GitHub account for free on the [GitHub homepage](https://github.com/). 4 | 5 | ## Contribution Flow 6 | 7 | ```mermaid 8 | flowchart LR 9 | A(Open Discussion) -->|discuss| C{qualifies?} 10 | C -->|Yes| D(Issue) 11 | C -->|No| E[Close] 12 | D -->|open PR| F(Pull Request) 13 | F -->|review| G{approved?} 14 | F -->|make changes| F 15 | G -->|Yes| H[Merge] 16 | G -->|No| I[Close] 17 | ``` 18 | 19 | ## 💬 Participate in Discussions 20 | 21 | Our GitHub [Discussions](https://github.com/OWASP/owasp-mastg/discussions) are the first place to go to ask questions, give feedback, and propose new ideas. If your proposal qualifies for the MASTG/MASVS, we'll convert it into an "Issue" (the discussion might take a while). 22 | 23 | ## 🎯 Create Issues 24 | 25 | Before creating a PR, first create an [Issue](https://github.com/OWASP/owasp-masvs/issues "MASVS Issues") to be discussed for missing requirements, content or errors. 26 | 27 | - To avoid multiple people duplicating effort on the same issue, project leaders will assign it to only a few that will own it. 28 | - Explain what you think is missing in the issue, including references (if available) and suggest where it could be added. 29 | 30 | ## 📝 Open a Pull Request 31 | 32 | You can contribute with content or corrections by opening a Pull Request (PR). 33 | 34 | - Your PR may be merged after review. 35 | - Be sure to follow our [style guide](5_Style_Guide.md) when writing content. 36 | 37 | > Learn how to open a PR [here](3_PRs_and_Reviews.md#how-to-open-a-pr). 38 | 39 | ## ✅ Become a Reviewer 40 | 41 | You can [Review Pull Requests (PRs)](https://github.com/OWASP/owasp-masvs/pulls) and also gain contributions. If you are a fluent speaker in any of the different languages that the MASVS is available in, feel free to give feedback on any of the submitted PRs. 42 | 43 | After your PR or issue has been submitted, we will review it as quickly as possible which typically only takes a few days. If you think we have forgotten about it, feel free to give us a nudge after 7 days have passed. 44 | 45 | > Learn how to review a PR [here](3_PRs_and_Reviews.md#how-to-review-a-pr). 46 | 47 | ## 🔎 Proof-reading 48 | 49 | If you do proof-reading, these are the things we’re looking for: 50 | 51 | - Content [cohesion & coherence](https://writing.chalmers.se/chalmers-writing-guide/writing-a-text/coherence-cohesion/) 52 | - is there a good linkage of ideas? 53 | - does the paragraph make sense? 54 | - does it make sense with the next one? think that hundreds of people have written in here, often without considering the surroundings of the text they were including). 55 | - Reducing the content to a minimum (people tend to be very verbose/wordy) and in such a document we need clear and short/concise statements 56 | - Optimize for _scannability_ (maybe instead of a big paragraph it would be better to have a bullet point list). 57 | - Any passive voice sentences? Convert to active voice. 58 | - Does each paragraph focus on a single topic? 59 | - Are key points stated at the start of each section? 60 | - Are commas, parentheses, colons, em-dashes, and semicolons used properly? 61 | 62 | Refer to Google Technical Writing trainings for more info: 63 | 64 | - [Google Technical Writing One](https://developers.google.com/tech-writing/one) 65 | - [Google Technical Writing Two](https://developers.google.com/tech-writing/two) 66 | 67 | ## 🌐 Translating the MASVS 68 | 69 | Translating the MASVS in a new language is another great way to contribute. This helps the project to reach to more people around the world. 70 | 71 | Before starting a translation please consider the following: 72 | 73 | - **First of all** contact us on Slack or via email. 74 | - We need your commitment. After the first translation is done, we will ask for your help to translate any new changes, so your translation can remain up to date. 75 | - We need a second translator who can verify that the English version of the MASVS has been translated properly. 76 | - Once you are all set, go to your fork and follow [these steps](4_Add_new_Language.md). 77 | -------------------------------------------------------------------------------- /docs/contributing/3_PRs_and_Reviews.md: -------------------------------------------------------------------------------- 1 | # Pull Requests & Reviews 2 | 3 | ## How to Open a PR 4 | 5 | You can create a Pull Request (PR) by following [these steps](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request-from-a-fork). Remember that: 6 | 7 | - The target branch should be `master`. 8 | - If your PR closes and issue, write ["Closes `#
41 |
42 | **Always prefer making "Suggested Changes"** using the `±` button:
43 |
44 | 
45 |
46 | If the suggestion you'd like to make cannot be expressed using "suggested changes" please enter a clear comment explaining what should be fixed (e.g. some paragraphs don't link properly or some essential information cannot be found and should be added).
47 |
48 | > Using "Suggested Changes" saves you as a reviewer and the PR author a lot of time. And you get _points_ (attributions) for the changes that you suggested (if the author commits them you become a co-author of those commits). If you're constant with your reviewer work you can apply to be recognize as an official reviewer in our Acknowledgements page.
49 |
50 | ### Step 2: Submit your Review
51 |
52 | Once you went through the whole PR you can [submit your review](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review)
53 |
54 | 1. Click on "Review changes".
55 | 2. Enter a comment for the contributor.
56 | 3. Select the type of review you'd like to leave (Comment, Approve or Request Changes).
57 | 4. Click on "Submit review".
58 |
59 | > Learn more: ["(GitHub Docs) Reviewing proposed changes in a pull request"](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request).
60 |
--------------------------------------------------------------------------------
/docs/contributing/4_Add_new_Language.md:
--------------------------------------------------------------------------------
1 | # Add a New Language
2 |
3 | ## MASTG Translations
4 |
5 | The MASTG is a living document that changes and adapts to the most recent security recommendations every day. While we do want to reach the maximum audience possible, our past experience shows that **maintaining translations has proven to be an extremely challenging task**. Therefore, please understand that **any PRs containing MASTG translations will be declined**, but you're free to do them on your own forks.
6 |
7 | > 🇯🇵 A translation of the MASTG into Japanese is available on Github: 48 | -------------------------------------------------------------------------------- /docs/donate.md: -------------------------------------------------------------------------------- 1 | # Donations 2 | 3 | While both the MASVS and the MASTG are created and maintained by the community on a voluntary basis, sometimes a little bit of outside help is required. 4 | 5 | **Monetary Donations:** You can donate any amount you like, no matter how small, anyone can help. From 500$ up you may select a [Donation Package](donate/packages.md) and be listed as a donator. 6 | 7 | 100% of the funds go to the OWASP Foundation and allow us funding our project activities such as contracting technical editors, graphic designers, software developers, purchasing test devices, creating swag, etc. 8 | 9 |
30 |
31 | 32 | -------------------------------------------------------------------------------- /docs/donate/packages.md: -------------------------------------------------------------------------------- 1 | # Donation Packages 2 | 3 | These types of public recognition shall be online no less than one year, or no less than the next major release, whichever is greater. 4 | 5 | :warning: The Donation Packages have a maximum duration, **once expired the logos will be removed** and the donator will still be listed as supporter on the project website, GitHub and in the printed and digital versions. This can be renewed anytime. 6 | 7 |
- :material-check: Listed as a supporter.
- :material-check: Small company logo.
- :material-clock: 1 year
- :material-book-open-variant: 1 Paperback Book (optional)
- :material-check: Listed as a supporter.
- :material-check: Medium company logo
- :material-clock: 2 year
- :material-book-open-variant: 3 Paperback Books (optional)
- :material-check: Listed as a supporter.
- :material-check:Large company logo.
- :material-clock: 3 years
- :material-book-open-variant: 5 Paperback Books (optional)
6 |
7 | Click the button to make your donation directly in the official OWASP website:
8 |
9 | :warning: Fill in the form and be sure to **select the option** _"Publicly list me as a supporter of OWASP Mobile Application Security"_
10 |
11 | 16 | 17 | ## 2. Register your Donation Package (optional) 18 | 19 |
20 |
21 | If your donation is above USD 500 you may opt-in for a [Donation Package](#donation-packages) by registering it. We will then, together with the OWASP Foundation, verify and process it.
22 |
23 | 28 | -------------------------------------------------------------------------------- /docs/images/release_header.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MobSF/owasp-mstg/aec82a15a6e96b77d17074fdf1ec87f34b84d366/docs/images/release_header.png -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | hide: 3 | - navigation 4 | - toc 5 | title: "Home" 6 | --- 7 | 8 | 9 | # OWASP Mobile Application Security 10 | 11 | ## Our Mission 12 | 13 |
14 |
15 |
22 | 
23 |
24 |
25 |
26 |
27 |
16 |
20 |
21 | "Define the industry standard for mobile application security."17 | 18 |
The OWASP Mobile Application Security (MAS) flagship project provides a security standard for mobile apps (OWASP MASVS) and a comprehensive testing guide (OWASP MASTG) that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.
19 |
23 |
28 |
29 |
30 |
31 | 
34 |
35 |
36 | 37 | Download the MASVS 38 | 39 |
40 |
41 |
42 | 
45 |
46 |
47 | 48 | Download the MASTG 49 | 50 |
51 |
52 |
53 |
54 |
57 | 58 |
59 |
60 |
61 | 62 | Download the Checklist 63 | 64 |
65 |
66 |
67 |
68 | OWASP MASVS
32 | 33 |
34 |
35 | 36 | 37 | Download the MASVS 38 | 39 |
OWASP MASTG
43 | 44 |
45 |
46 | 47 | 48 | Download the MASTG 49 | 50 |
OWASP MAS Checklist
55 | 56 |57 | 58 |
59 |
60 | 61 | 62 | Download the Checklist 63 | 64 |
69 | 70 | ## Trusted by ... 71 | 72 | The OWASP MASVS and MASTG are trusted by the following platform providers and standardization, governmental and educational institutions. [Learn more](MASTG/Intro/0x02b-MASVS-MASTG-Adoption.md). 73 | 74 | 75 |
76 |
77 |
78 | 79 | 80 | ## 🥇 MAS Advocates 81 | 82 | 83 |
84 |
85 |
86 | MAS Advocates are industry adopters of the OWASP MASVS and MASTG who have invested a significant and consistent amount of resources to push the project forward by providing consistent high-impact contributions and continuously spreading the word. [Learn more](MASTG/Intro/0x02c-Acknowledgements.md).
87 |
88 | 89 | -------------------------------------------------------------------------------- /docs/javascripts/tablesorts.js: -------------------------------------------------------------------------------- 1 | document$.subscribe(function() { 2 | var tables = document.querySelectorAll("article table:not([class])") 3 | tables.forEach(function(table) { 4 | new Tablesort(table) 5 | }) 6 | }) -------------------------------------------------------------------------------- /docs/stylesheets/extra.css: -------------------------------------------------------------------------------- 1 | :root { 2 | --md-primary-fg-color: #499FFF; 3 | } 4 | 5 | @keyframes pump { 6 | 0%, 40%, 80%, 100% { 7 | transform: scale(1); 8 | } 9 | 20%, 60% { 10 | transform: scale(1.15); 11 | } 12 | } 13 | 14 | .mas-chip { 15 | border: solid 1px var(--md-primary-fg-color); 16 | outline:none; 17 | text-decoration:none; 18 | border-radius: 1.2em; 19 | min-width: 5.5em; 20 | max-height: 1.6em; 21 | padding-left: 0.5em; 22 | padding-right: 0.4em; 23 | } 24 | 25 | .mas-dot-blue { 26 | height: 1.5em; 27 | width: 1.5em; 28 | background-color: #33CCCC; 29 | border-radius: 50%; 30 | display: inline-block; 31 | } 32 | 33 | .mas-dot-green { 34 | height: 1.5em; 35 | width: 1.5em; 36 | background-color: #99CC00; 37 | border-radius: 50%; 38 | display: inline-block; 39 | } 40 | 41 | .mas-dot-orange { 42 | height: 1.5em; 43 | width: 1.5em; 44 | background-color: #FF9900; 45 | border-radius: 50%; 46 | display: inline-block; 47 | } 48 | 49 | .md-footer__inner:not([hidden]){ 50 | display: none; 51 | } 52 | 53 | .mas-blue-hue { 54 | filter: sepia(100%) hue-rotate(190deg) saturate(500%); 55 | } 56 | 57 | .mas-mini-app { 58 | border-radius: 5px; 59 | } 60 | 61 | .mas-app-row { 62 | display: flex; 63 | flex-direction: row; 64 | margin-top: 1em; 65 | } 66 | 67 | .mas-apps-container { 68 | display: flex; 69 | flex-direction: column; 70 | flex-basis: 100%; 71 | margin-left: 20px; 72 | } 73 | 74 | .mas-flex-container { 75 | display: flex; 76 | flex-direction: row; 77 | } 78 | 79 | @media (max-width: 800px) { 80 | .mas-flex-container { 81 | flex-direction: column; 82 | } 83 | } 84 | 85 | .pump { 86 | animation: pump 1000ms ease-out; 87 | } 88 | 89 | .grow:hover { transform: scale(1.05); transition: 0.2s;} 90 | -------------------------------------------------------------------------------- /docs/talks.md: -------------------------------------------------------------------------------- 1 | --- 2 | hide: 3 | - navigation 4 | - toc 5 | --- 6 | 7 | # 🎙 Talks 8 | 9 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: OWASP Mobile Application Security 2 | repo_url: https://github.com/OWASP/owasp-mastg 3 | repo_name: OWASP/owasp-mastg 4 | # use_directory_urls: false # only set for mkdocs build 5 | edit_uri: "" # disable edit button 6 | 7 | nav: 8 | - Home: index.md 9 | - MASTG: 10 | - MASTG.md 11 | - Intro: MASTG/Intro 12 | - General Guide: MASTG/General 13 | - Android: MASTG/Android 14 | - iOS: MASTG/iOS 15 | - Tools: MASTG/Tools 16 | - References: MASTG/References 17 | - MASVS: 18 | - MASVS.md 19 | - Intro: MASVS/Intro 20 | - Controls: MASVS/Controls 21 | - Appendix: MASVS/Appendix 22 | - "MAS Checklist": MAS_checklist.md 23 | - "MAS Crackmes": 24 | - crackmes.md 25 | - crackmes 26 | - news.md 27 | - talks.md 28 | - "⭐ Contribute": 29 | - contributing.md 30 | - contributing 31 | - "💙 Donate": 32 | - donate.md 33 | - donate 34 | - contact.md 35 | 36 | copyright: | 37 |
38 | 
39 |
40 |
41 | © OWASP Foundation 2022. This work is licensed under
42 | CC-BY-4.0. For any reuse or distribution, you must make clear to others the license terms of this work.
43 |
39 | OWASP ® is a registered trademark of the OWASP Foundation, Inc. 44 |
Made with Material for MkDocs | Website designed by Carlos Holguera.
45 |
46 | theme:
47 | name: material
48 | # custom_dir: docs/overrides
49 | logo: assets/logo_circle.png
50 | favicon: assets/logo_circle.png
51 | icon:
52 | repo: fontawesome/brands/github
53 | features:
54 | - search.suggest
55 | - search.share
56 | - toc.integrate
57 | - navigation.instant
58 | # - navigation.expand
59 | - navigation.tabs
60 | - navigation.tabs.sticky
61 | - navigation.top
62 | - navigation.tracking
63 |
64 | palette:
65 | # - primary: #499FFF
66 | - scheme: default
67 | toggle:
68 | icon: material/weather-night
69 | name: Switch to dark mode
70 | - scheme: slate
71 | toggle:
72 | icon: material/weather-sunny
73 | name: Switch to light mode
74 |
75 | extra_css:
76 | - stylesheets/extra.css
77 | extra_javascript:
78 | - https://unpkg.com/tablesort@5.3.0/dist/tablesort.min.js
79 | - javascripts/tablesort.js
80 | plugins:
81 | - search
82 | - include_dir_to_nav
83 | - mermaid2
84 | markdown_extensions:
85 | - meta
86 | - toc:
87 | permalink: true
88 | - attr_list
89 | - admonition
90 | - tables
91 | - pymdownx.details
92 | - pymdownx.superfences
93 | - pymdownx.emoji:
94 | emoji_index: !!python/name:materialx.emoji.twemoji
95 | emoji_generator: !!python/name:materialx.emoji.to_svg
96 | - pymdownx.progressbar
97 | - pymdownx.superfences:
98 | custom_fences:
99 | - name: mermaid
100 | class: mermaid
101 | format: !!python/name:pymdownx.superfences.fence_code_format
102 |
103 | extra:
104 | generator: false # removed but recreated in copyright above
105 | analytics:
106 | provider: google
107 | property: G-KWZRJV0S4P
108 | social:
109 | - icon: fontawesome/brands/slack
110 | link: https://owasp.slack.com/messages/project-mobile_omtg/details/
111 | - icon: fontawesome/brands/twitter
112 | link: https://twitter.com/OWASP_MAS
113 | - icon: fontawesome/brands/github
114 | link: https://github.com/OWASP/owasp-mastg/discussions
115 | # - icon: fontawesome/solid/paper-plane
116 | # link: mailto:carlos.holguera@owasp.org
117 | # name: Carlos Holguera
118 | # - icon: fontawesome/solid/paper-plane
119 | # link: mailto:sven.schleier@owasp.org
120 | # name: Sven Schleier
121 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | mkdocs
2 | mkdocs-material
3 | mkdocs-mermaid2-plugin
4 | mkdocs-include-dir-to-nav
5 | pandas
6 | pyyaml
7 | tabulate
8 | requests
--------------------------------------------------------------------------------
/tools/Apply_Link_Check.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Script taken from https://github.com/OWASP/CheatSheetSeries/blob/master/scripts/Apply_Link_Check.sh
3 | # Script in charge of auditing the released MD files in order to detect dead links
4 |
5 | cd ../Document
6 | if test -f "../link-check-result.out"; then
7 | rm ../link-check-result.out
8 | fi
9 | find . -name \*.md -exec markdown-link-check -q -c ../.github/workflows/config/mlc_config.json {} \; 1>../link-check-result.out 2>&1
10 | errors=`grep -c "ERROR:" ../link-check-result.out`
11 | content=`cat ../link-check-result.out`
12 | if [[ $errors != "0" ]]
13 | then
14 | echo "[!] Error(s) found by the Links validator: $errors pages have dead links! Verbose output in /link-check-result.out"
15 | exit $errors
16 | else
17 | echo "[+] No error found by the Links validator."
18 | rm ../link-check-result.out
19 | fi
20 |
--------------------------------------------------------------------------------
/tools/Apply_Linter_Check.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Script taken from https://github.com/OWASP/CheatSheetSeries/blob/master/scripts/Apply_Linter_Check.sh
3 | # Script in charge of auditing the released MD files with the linter policy defined at project level
4 |
5 | cd ../
6 | if test -f "linter-result.out"; then
7 | rm linter-result.out
8 | fi
9 | markdownlint -c .markdownlint.json -o linter-result.out Document
10 | errors=`wc -m linter-result.out | cut -d' ' -f1`
11 | content=`cat linter-result.out`
12 | if [[ $errors != "0" ]]
13 | then
14 | echo "[!] Error(s) found by the Linter: $content"
15 | exit $errors
16 | else
17 | echo "[+] No error found by the Linter."
18 | rm linter-result.out
19 | fi
--------------------------------------------------------------------------------
/tools/README.md:
--------------------------------------------------------------------------------
1 | # Tools
2 |
3 | ## Overview
4 |
5 | This directory is for tools that are used to generate the necessary files for our release-channels.
6 |
7 | Channels:
8 |
9 | - Gitbook: currently using @sushi2k's repository (\n", "docs/talks.md") 27 | 28 | # checklists.md 29 | 30 | masvs_full_en = requests.get("https://github.com/OWASP/owasp-mastg/releases/latest/download/masvs_full_en.yaml", stream=True) 31 | data = yaml.safe_load(masvs_full_en.raw) 32 | data_list = [] 33 | for _, value in data.items(): 34 | 35 | # levels 36 | value['L1'] = "" if value['L1'] == True else "" 37 | value['L2'] = "" if value['L2'] == True else "" 38 | value['R'] = "" if value['R'] == True else "" 39 | 40 | # tests 41 | value["common"] = "" 42 | value["android"] = "" 43 | value["ios"] = "" 44 | if links:=value.get("links"): 45 | for link in value.get("links"): 46 | value["common"] += f"[Test Case]({link})
" if "0x04" in link else "" 47 | value["android"] += f"[Test Case]({link})
" if "0x05" in link else "" 48 | value["ios"] += f"[Test Case]({link})
" if "0x06" in link else "" 49 | del value["links"] 50 | data_list.append(value) 51 | 52 | append_to_file("\n
\n\n" + dict_to_md(data_list) + "\n\n
\n", "docs/MAS_checklist.md") 53 | -------------------------------------------------------------------------------- /tools/scripts/requirements.txt: -------------------------------------------------------------------------------- 1 | lxml 2 | bs4 3 | openpyxl 4 | Pillow -------------------------------------------------------------------------------- /tools/scripts/structure_mastg.sh: -------------------------------------------------------------------------------- 1 | mkdir docs/MASTG 2 | mkdir docs/MASTG/Intro 3 | mkdir docs/MASTG/General 4 | mkdir docs/MASTG/Android 5 | mkdir docs/MASTG/iOS 6 | mkdir docs/MASTG/Tools 7 | mkdir docs/MASTG/References 8 | cp Document/0x0*.md docs/MASTG 9 | mv docs/MASTG/0x0[1-3]*.md docs/MASTG/Intro 10 | mv docs/MASTG/0x04*.md docs/MASTG/General 11 | mv docs/MASTG/0x05*.md docs/MASTG/Android 12 | mv docs/MASTG/0x06*.md docs/MASTG/iOS 13 | mv docs/MASTG/0x08*.md docs/MASTG/Tools 14 | mv docs/MASTG/0x09*.md docs/MASTG/References -------------------------------------------------------------------------------- /tools/scripts/structure_masvs.sh: -------------------------------------------------------------------------------- 1 | mkdir docs/MASVS 2 | mkdir docs/MASVS/Intro 3 | mkdir docs/MASVS/Controls 4 | mkdir docs/MASVS/Appendix 5 | cp owasp-masvs/Document/0x*.md docs/MASVS 6 | mv docs/MASVS/0x0[1-4]*.md docs/MASVS/Intro 7 | mv docs/MASVS/0x*V[1-8]*.md docs/MASVS/Controls 8 | mv docs/MASVS/0x9*.md docs/MASVS/Appendix -------------------------------------------------------------------------------- /tools/scripts/testcase_diff.py: -------------------------------------------------------------------------------- 1 | import yaml 2 | 3 | def main(): 4 | import argparse 5 | 6 | parser = argparse.ArgumentParser(description="Diff the MASTG test cases covered.") 7 | parser.add_argument("-o", "--old", required=True) 8 | parser.add_argument("-n", "--new", required=True) 9 | 10 | args = parser.parse_args() 11 | 12 | MASVS_OLD = yaml.safe_load(open(args.old)) 13 | MASVS_NEW = yaml.safe_load(open(args.new)) 14 | 15 | updated = 0 16 | added = 0 17 | removed = 0 18 | 19 | print("OWASP MAS Checklists Changes") 20 | 21 | for mstg_id, req in MASVS_NEW.items(): 22 | old_links = MASVS_OLD[mstg_id].get("links") 23 | new_links = req.get("links") 24 | 25 | if old_links and new_links: 26 | diff = list(set(new_links) - set(old_links)) 27 | updated += 1 28 | if diff: 29 | print(f"- [UPDATED] {mstg_id}:") 30 | for link in diff: 31 | print(f" - {link}") 32 | print("\n") 33 | elif old_links is None and new_links: 34 | added += 1 35 | print(f"- [ADDED] {mstg_id}:") 36 | for link in new_links: 37 | print(f" - {link}") 38 | print("\n") 39 | elif old_links and new_links is None: 40 | removed += 1 41 | print(f"- [REMOVED] {mstg_id}\n") 42 | 43 | print(f"\nSUMMARY: removed ({removed}) added ({added}) updated ({updated})") 44 | 45 | if __name__ == "__main__": 46 | main() -------------------------------------------------------------------------------- /tools/scripts/transform_files.py: -------------------------------------------------------------------------------- 1 | import re, os 2 | from pathlib import Path 3 | 4 | EMOJIS_regex = r"🥇 |🎁 |📝 |❗ " 5 | 6 | def transform_links(file_text): 7 | # print("[*] Regex Substitutions ../Document to MASTG/") 8 | found = re.findall(r'(\(0x.*\.md/*)', file_text) 9 | 10 | # TODO FIX we must find a better solution to this 11 | while len(found) > 0: 12 | print(f" Found: {found}") 13 | file_text = re.sub(r"\((0x0[1-3].*\.md)", r"(../Intro/\1", file_text) 14 | file_text = re.sub(r"\((0x04.*\.md)", r"(../General/\1", file_text) 15 | file_text = re.sub(r"\((0x05.*\.md)", r"(../Android/\1", file_text) 16 | file_text = re.sub(r"\((0x06.*\.md)", r"(../iOS/\1", file_text) 17 | file_text = re.sub(r"\((0x08.*\.md)", r"(../Tools/\1", file_text) 18 | file_text = re.sub(r"\((0x09.*\.md)", r"(../References/\1", file_text) 19 | 20 | found = re.findall(r'(\(0x.*\.md/*)', file_text) 21 | 22 | return file_text 23 | 24 | def remove_emojis(file_text): 25 | print("[*] Regex Substitutions for emojis") 26 | found = re.findall(EMOJIS_regex, file_text) 27 | print(f" Found: {found}") 28 | return re.sub(EMOJIS_regex, r"", file_text) 29 | 30 | def transform(folder, functions): 31 | print(f"[*] Applying transforms to {folder}") 32 | for root, dirname, filenames in os.walk(folder): 33 | if len(filenames): 34 | files = Path(root).glob('*.md') 35 | 36 | for file in files: 37 | file_obj = Path(file) 38 | print(f" - File {file_obj.as_posix()}") 39 | file_text = file_obj.read_text() 40 | 41 | new_text = None 42 | for function in functions: 43 | if new_text is None: 44 | new_text = function(file_text) 45 | else: 46 | new_text = function(new_text) 47 | 48 | file_obj.write_text(new_text) 49 | 50 | transform("docs/MASTG", [transform_links]) 51 | # transform("docs/MASTG", [remove_emojis]) -------------------------------------------------------------------------------- /tools/updateLeanpub.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "There is a publishing API available https://leanpub.com/help/api." 3 | 4 | echo "As of now (26th July 2021) the API of Leanpub is only available to Pro Customers, which would costs 12.99 USD per month. For now we do it manullay at https://leanpub.com/owasp-mastg/upload" 5 | -------------------------------------------------------------------------------- /tools/updateLulu.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Will be created when we have full support from Lulu. For now do it manullay at https://leanpub.com/mobile-security-testing-guide/upload" 3 | 4 | echo "At the moment (26th July 2021) it's only possible to use the API for ordering books, but not releasing a new version, https://api.lulu.com/docs/#section/Getting-Started/Generate-a-Token" --------------------------------------------------------------------------------