mas.owasp.org
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-22 | iOS Security Testing - OWASP MASTG | Mobile | Library for iOS security testing, detailing environment setup with macOS hosts, jailbroken devices, and tools like Burp Suite or OWASP ZAP. It covers obtaining device UDIDs via Finder or command-line tools such as `idevice_id` and `instruments`, and contrasts iOS simulators with emulators, noting the simulator's limitations for reverse engineering. The library also explains jailbreaking concepts, contrasting them with Android rooting, and highlights the benefits of privileged access for security testers, including root file system access and unrestricted debugging. It further categorizes jailbreak types (tethered, semi-tethered, semi-untethered, untethered) and discusses the challenges of maintaining jailbroken devices due to Apple's security hardening and signing mechanisms, mentioning exploits like CVE-2015-6794 and CVE-2015-7037. |
| 2026-04-11 | MASTG-TEST-0070: Testing Universal Links | Mobile | Guide to testing Universal Links on iOS applications, covering static analysis of the Associated Domains entitlement, retrieval of the Apple App Site Association file using tools like the AASA Validator, and verification of the link receiver method (`application:continueUserActivity:restorationHandler:`) and the data handler method within the app delegate, emphasizing URL parameter validation and the use of HTTPS. |
| 2026-04-10 | Frida - OWASP Mobile Application Security Tool | Mobile | Library for dynamic instrumentation: Frida enables JavaScript execution within native Android and iOS applications. It uses QuickJS for code injection via modes such as Injected, Embedded, and Preloaded. Key APIs include Interceptor for inline hooking and Stalker for transparent, high-granularity tracing using JIT recompilation. Frida also offers dedicated APIs for Java and Objective-C interaction, alongside terminal tools such as `frida-ps` for process listing and `frida-trace` for function call tracing. Frida 17 introduces breaking changes, including the removal of bundled runtime bridges, which now require separate installation via `frida-pm`, and API modifications for improved readability and performance. |
| 2026-04-10 | OWASP MASTG Testing Guide | Mobile | OWASP MASTG Testing Guide |
| 2026-04-10 | Mobile App Tampering and Reverse Engineering - OWASP MASTG | Mobile | Library detailing mobile application tampering and reverse engineering techniques. It addresses the growing need for security testers to understand compiled apps, including methods for bypassing defenses like SSL pinning and root detection. The resource covers static and dynamic binary analysis, deobfuscation, and the use of tools and scripting for complex tasks, emphasizing hands-on practice for mastering these skills. |
| 2026-04-03 | Bypassing Certificate Pinning \| OWASP MASTG | Mobile | Technique for bypassing SSL pinning on Android applications, applicable when apps use standard API functions. Methods include dynamic bypassing using Frida or Objection's `android sslpinning disable` command, and static bypassing by patching certificate hashes, replacing certificate files, or modifying truststore files within the decompiled application. The MASTG also details finding and patching custom certificate pinning logic within native libraries and obfuscated frameworks like OkHTTP3. |
| 2026-04-03 | OWASP Mobile Application Security (MAS) | Mobile | Library defining the industry standard for mobile application security. It provides the OWASP MASVS (Mobile Application Security Verification Standard), OWASP MASWE (Mobile Application Security Weakness Enumeration), and OWASP MASTG (Mobile Application Security Testing Guide). The MASTG includes comprehensive processes, techniques, tools, and test cases for consistent and complete mobile app security testing. |