01Overview
Mobile Application Security Testing (MAST) Scanner is a single-file, zero-dependency Python tool that performs static analysis of shipped Android APK and iOS IPA binaries — no source code, emulator, or SDK required. Point it at a build artifact and it unzips, parses the compiled formats (Android binary XML, DEX string pools, Mach-O binaries, Info.plist), and runs 24 check modules covering manifest misconfiguration, hardcoded secrets, weak cryptography, insecure transport, unsafe storage, WebView and IPC exposure, biometric and session flaws, missing binary/resilience protections, and privacy/tracking concerns.
Every finding is mapped to the OWASP Mobile Top 10 2024, MASVS v2 (22 of 24 controls spanning all eight groups), and CWE — so results speak the language a mobile security program already reports against. A bundled dependency-CVE engine matches version strings pulled from DEX, Mach-O, and native libraries against a curated database of 39 CVEs across 29 libraries (OkHttp, Retrofit, Jackson, Log4j, Bouncy Castle, libwebp, OpenSSL, AFNetworking, Alamofire, Firebase, and more), flagging Log4Shell, the libwebp heap overflow, cert-pinning bypasses, and insecure-deserialization RCEs hiding inside third-party code.
It is built for AppSec engineers, pentesters, and DevSecOps teams who need fast, offline triage of mobile builds without standing up a heavyweight platform. Four output formats — coloured console, JSON, a dark-themed HTML report with MASVS coverage, and SARIF v2.1.0 — make it equally at home on an analyst's laptop and in a CI pipeline, where a non-zero exit on CRITICAL/HIGH findings can gate a release.
Because the whole scanner is one ~2,800-line Python file that runs on the 3.8+ standard library alone, it drops into air-gapped labs, ephemeral CI runners, and bug-bounty workflows with nothing to install and no network calls.
02Key Capabilities
Dual-platform static analysis
Analyzes both Android APK and iOS IPA artifacts with automatic platform detection from file extension or ZIP contents.
Custom binary parsers, no toolchain needed
Decodes Android compiled binary XML, extracts DEX string pools, and reads Mach-O strings and Info.plist directly — no apktool, jadx, or Xcode required.
123 SAST rules across 24 modules
Runs 24 dedicated check modules covering manifest, secrets, crypto, network, storage, WebView, components, auth, resilience, code quality, and privacy for each platform.
Dependency CVE scanning
Version-matches embedded libraries against 39 curated CVEs across Android, iOS, and native libraries, catching Log4Shell, libwebp overflow, and cert-pinning bypasses in third-party code.
Hardcoded secret detection
Regex-based hunting for AWS keys, Google/Stripe/Twilio/SendGrid API keys, Firebase URLs, OAuth secrets, private keys, and bearer tokens across DEX and binary strings.
MASVS v2 + OWASP Mobile Top 10 mapping
Every finding carries MASVS v2 control, OWASP Mobile Top 10 2024 category, and CWE identifiers for standards-aligned reporting.
Authentication & resilience checks
Detects biometric bypass, insecure credential storage, missing root/jailbreak, anti-debug, tamper, and obfuscation protections.
Binary hardening analysis
Inspects iOS Mach-O binaries for PIE, ARC, and stack-canary flags and Android builds for ProGuard/R8 obfuscation gaps.
Privacy & tracking analysis
Surfaces advertising IDs, device fingerprinting, tracking/analytics SDKs, background location, and missing App Tracking Transparency.
Four output formats
Emits coloured console summaries, machine-readable JSON, a dark-themed HTML report with MASVS coverage, and SARIF v2.1.0 for code-scanning dashboards.
CI/CD-ready gating
Returns exit code 1 when CRITICAL or HIGH findings are present, and supports a minimum-severity filter to fail builds on policy violations.
Zero dependencies, offline by design
One ~2,800-line file on the Python 3.8+ standard library — runs air-gapped with no installs and no network calls.
03Architecture
A single-file pipeline: the MASTScanner orchestrator auto-detects the platform, hands the artifact to an APKAnalyzer or IPAAnalyzer that unzips it and invokes custom binary parsers, then fans the extracted manifest, strings, and metadata across 24 check modules plus a dependency-CVE engine, each returning typed Finding objects that are deduplicated, severity-sorted, and rendered into console, JSON, HTML, and SARIF reports.
04Project Structure
mast_scanner.pyThe entire scanner — ~2,827 lines: parsers, analyzers, 24 check modules, CVE databases, and reporters (version 2.1.0).README.mdFull documentation: rule tables, MASVS/OWASP coverage matrices, CLI reference, and quick-start commands.CLAUDE.mdArchitecture notes — key classes, check-module inventory, CVE databases, and conventions.create_test_apk.pyGenerates an intentionally vulnerable synthetic APK for smoke-testing the scanner.tests/sample_manifest.xmlIntentionally vulnerable AndroidManifest fixture for validating Android manifest checks.tests/sample_plist.xmlIntentionally vulnerable iOS Info.plist fixture for validating iOS plist checks.tests/mast_report.jsonExample JSON report output from scanning a fixture.banner.svgProject banner rendered at the top of the README.LICENSEMIT license..gitignorePython-oriented ignore rules for build and secret artifacts.05Security Controls
06Technology Stack
- Language
- Python 3.8+
- Dependencies
- None — standard library only (zipfile, plistlib, xml.etree, struct, re, hashlib, base64, argparse)
- Parsing
- Custom parsers for Android binary XML (AXML), DEX string pools, and Mach-O binaries
- Output formats
- Console (ANSI), JSON, dark-themed HTML, SARIF v2.1.0
- Testing
- Synthetic vulnerable APK generator (create_test_apk.py) + sample manifest/plist fixtures (no automated pytest suite or CI)
- Distribution
- Single-file script (~2,827 lines), version 2.1.0, MIT licensed
07Quick Start
$ python mast_scanner.py app-debug.apk --html report.html --json report.json $ python mast_scanner.py MyApp.ipa --severity HIGH --sarif results.sarif $ python mast_scanner.py app-release.apk -v $ python mast_scanner.py <APK_OR_IPA> --platform android # force platform if auto-detect fails $ python create_test_apk.py && python mast_scanner.py test_vulnerable.apk # generate and scan a synthetic vulnerable APK
08Compliance & Frameworks
09Integrations & Outputs
Explore Mobile Application Security Testing
Full source, documentation, and deployment guides live on GitHub.