Mobile Application Security Testing

Application Securityv1.0.0

Static analysis scanner for Android APK and iOS IPA files with 130+ SAST rules across 24 check modules, MASVS v2 mapping, and 39 dependency CVEs

130+
rules
24
modules
39
cves

01Overview

Mobile Application Security Testing (MAST) Scanner is a single-file, zero-dependency Python tool that performs static analysis of shipped Android APK and iOS IPA binaries — no source code, emulator, or SDK required. Point it at a build artifact and it unzips, parses the compiled formats (Android binary XML, DEX string pools, Mach-O binaries, Info.plist), and runs 24 check modules covering manifest misconfiguration, hardcoded secrets, weak cryptography, insecure transport, unsafe storage, WebView and IPC exposure, biometric and session flaws, missing binary/resilience protections, and privacy/tracking concerns.

Every finding is mapped to the OWASP Mobile Top 10 2024, MASVS v2 (22 of 24 controls spanning all eight groups), and CWE — so results speak the language a mobile security program already reports against. A bundled dependency-CVE engine matches version strings pulled from DEX, Mach-O, and native libraries against a curated database of 39 CVEs across 29 libraries (OkHttp, Retrofit, Jackson, Log4j, Bouncy Castle, libwebp, OpenSSL, AFNetworking, Alamofire, Firebase, and more), flagging Log4Shell, the libwebp heap overflow, cert-pinning bypasses, and insecure-deserialization RCEs hiding inside third-party code.

It is built for AppSec engineers, pentesters, and DevSecOps teams who need fast, offline triage of mobile builds without standing up a heavyweight platform. Four output formats — coloured console, JSON, a dark-themed HTML report with MASVS coverage, and SARIF v2.1.0 — make it equally at home on an analyst's laptop and in a CI pipeline, where a non-zero exit on CRITICAL/HIGH findings can gate a release.

Because the whole scanner is one ~2,800-line Python file that runs on the 3.8+ standard library alone, it drops into air-gapped labs, ephemeral CI runners, and bug-bounty workflows with nothing to install and no network calls.

02Key Capabilities

Dual-platform static analysis

Analyzes both Android APK and iOS IPA artifacts with automatic platform detection from file extension or ZIP contents.

Custom binary parsers, no toolchain needed

Decodes Android compiled binary XML, extracts DEX string pools, and reads Mach-O strings and Info.plist directly — no apktool, jadx, or Xcode required.

123 SAST rules across 24 modules

Runs 24 dedicated check modules covering manifest, secrets, crypto, network, storage, WebView, components, auth, resilience, code quality, and privacy for each platform.

Dependency CVE scanning

Version-matches embedded libraries against 39 curated CVEs across Android, iOS, and native libraries, catching Log4Shell, libwebp overflow, and cert-pinning bypasses in third-party code.

Hardcoded secret detection

Regex-based hunting for AWS keys, Google/Stripe/Twilio/SendGrid API keys, Firebase URLs, OAuth secrets, private keys, and bearer tokens across DEX and binary strings.

MASVS v2 + OWASP Mobile Top 10 mapping

Every finding carries MASVS v2 control, OWASP Mobile Top 10 2024 category, and CWE identifiers for standards-aligned reporting.

Authentication & resilience checks

Detects biometric bypass, insecure credential storage, missing root/jailbreak, anti-debug, tamper, and obfuscation protections.

Binary hardening analysis

Inspects iOS Mach-O binaries for PIE, ARC, and stack-canary flags and Android builds for ProGuard/R8 obfuscation gaps.

Privacy & tracking analysis

Surfaces advertising IDs, device fingerprinting, tracking/analytics SDKs, background location, and missing App Tracking Transparency.

Four output formats

Emits coloured console summaries, machine-readable JSON, a dark-themed HTML report with MASVS coverage, and SARIF v2.1.0 for code-scanning dashboards.

CI/CD-ready gating

Returns exit code 1 when CRITICAL or HIGH findings are present, and supports a minimum-severity filter to fail builds on policy violations.

Zero dependencies, offline by design

One ~2,800-line file on the Python 3.8+ standard library — runs air-gapped with no installs and no network calls.

03Architecture

A single-file pipeline: the MASTScanner orchestrator auto-detects the platform, hands the artifact to an APKAnalyzer or IPAAnalyzer that unzips it and invokes custom binary parsers, then fans the extracted manifest, strings, and metadata across 24 check modules plus a dependency-CVE engine, each returning typed Finding objects that are deduplicated, severity-sorted, and rendered into console, JSON, HTML, and SARIF reports.

1
CLI & Orchestrator (main / MASTScanner)
Parses arguments, auto-detects Android vs iOS, runs the platform's check set, deduplicates and severity-sorts findings, applies the severity filter, and sets the CI exit code.
2
Artifact Analyzers (APKAnalyzer / IPAAnalyzer)
Open the ZIP container and extract the manifest/Info.plist, DEX and Mach-O string pools, native .so libraries, entitlements, and file listings into a normalized dict.
3
Binary Parsers
parse_android_binary_xml decodes compiled AndroidManifest.xml chunk streams, extract_dex_strings reads DEX string tables, and extract_macho_strings pulls printable strings from Mach-O and native binaries.
4
SAST Check Modules (24)
Per-domain functions (manifest, secrets, crypto, network, storage, webview, components, auth, resilience, code, privacy, plus iOS and common variants) each return List[Finding] tagged with severity, CWE, OWASP, and MASVS.
5
Dependency CVE Engine
ANDROID_LIB_CVES, IOS_LIB_CVES, and NATIVE_LIB_CVES databases matched via regex version patterns and _parse_ver / _version_in_range range comparison to flag known-vulnerable library versions.
6
Reporting Layer
print_report, save_json, save_html, and save_sarif render the finding set as coloured console output, JSON, a dark-themed MASVS-coverage HTML report, and SARIF v2.1.0.

04Project Structure

mast_scanner.pyThe entire scanner — ~2,827 lines: parsers, analyzers, 24 check modules, CVE databases, and reporters (version 2.1.0).
README.mdFull documentation: rule tables, MASVS/OWASP coverage matrices, CLI reference, and quick-start commands.
CLAUDE.mdArchitecture notes — key classes, check-module inventory, CVE databases, and conventions.
create_test_apk.pyGenerates an intentionally vulnerable synthetic APK for smoke-testing the scanner.
tests/sample_manifest.xmlIntentionally vulnerable AndroidManifest fixture for validating Android manifest checks.
tests/sample_plist.xmlIntentionally vulnerable iOS Info.plist fixture for validating iOS plist checks.
tests/mast_report.jsonExample JSON report output from scanning a fixture.
banner.svgProject banner rendered at the top of the README.
LICENSEMIT license.
.gitignorePython-oriented ignore rules for build and secret artifacts.

05Security Controls

Android manifest misconfiguration
12 rules for debuggable/backup flags, exported activities/services/receivers/providers without permission, cleartext traffic, low min SDK, dangerous permissions, SYSTEM_ALERT_WINDOW, missing network security config, and task affinity.
Hardcoded secret detection
Android (8) + common (6) rules for AWS access/secret keys, Google/Stripe/Twilio/SendGrid API keys, Firebase URLs, hardcoded passwords, private keys, OAuth client secrets, and bearer tokens.
Insecure cryptography
Android crypto (5) + common crypto (5) rules for MD5/SHA1/DES/ECB, insecure random, hardcoded keys and IVs, and Base64 pseudo-encryption.
Network & transport security
Android network (7) + iOS transport (4) rules for TrustManager and hostname-verifier bypass, cleartext HTTP, missing cert pinning, weak TLS/SSL versions, custom SSLSocketFactory, and iOS ATS exception weaknesses.
Insecure data storage
8 storage rules for world-accessible files, external storage, unencrypted SQLite, clipboard leakage, missing screenshot prevention, and keyboard cache exposure.
WebView & IPC exposure
WebView (5) and component (5) rules for JavaScript/file access and debugging, PendingIntent mutability, dynamic code loading, URI permission grants, and dynamic loadUrl input.
Authentication & biometrics
Android auth (5) + iOS auth (4) rules for BiometricPrompt without CryptoObject, deprecated FingerprintManager, auth state in SharedPreferences/UserDefaults, missing session timeout, and Keychain items without access control.
Resilience & binary hardening
Android resilience (6) + iOS resilience (5) + iOS binary (4) rules for missing obfuscation, root/jailbreak/emulator/debugger detection, tamper/integrity verification, hooking-framework references, and PIE/ARC/stack-canary flags.
Privacy & tracking
Android privacy (5) + iOS privacy (4) rules for advertising IDs/IDFA, tracking and analytics SDKs, device fingerprinting, background location, and missing PrivacyInfo.xcprivacy / App Tracking Transparency.
Vulnerable dependency CVEs
39 CVEs across 29 Android, iOS, and native libraries — including Log4Shell (CVE-2021-44228), the libwebp/ExoPlayer heap overflow (CVE-2023-4863), OkHttp cert-pinning bypass, and Facebook SDK deserialization RCE — matched by embedded version strings.

06Technology Stack

Language
Python 3.8+
Dependencies
None — standard library only (zipfile, plistlib, xml.etree, struct, re, hashlib, base64, argparse)
Parsing
Custom parsers for Android binary XML (AXML), DEX string pools, and Mach-O binaries
Output formats
Console (ANSI), JSON, dark-themed HTML, SARIF v2.1.0
Testing
Synthetic vulnerable APK generator (create_test_apk.py) + sample manifest/plist fixtures (no automated pytest suite or CI)
Distribution
Single-file script (~2,827 lines), version 2.1.0, MIT licensed

07Quick Start

$ python mast_scanner.py app-debug.apk --html report.html --json report.json
$ python mast_scanner.py MyApp.ipa --severity HIGH --sarif results.sarif
$ python mast_scanner.py app-release.apk -v
$ python mast_scanner.py <APK_OR_IPA> --platform android   # force platform if auto-detect fails
$ python create_test_apk.py && python mast_scanner.py test_vulnerable.apk   # generate and scan a synthetic vulnerable APK

08Compliance & Frameworks

OWASP Mobile Top 10 2024
Findings mapped across all ten categories M1–M10, from Improper Credential Usage to Insufficient Cryptography.
MASVS v2
22 of 24 controls covered across all eight groups (STORAGE, CRYPTO, AUTH, NETWORK, PLATFORM, CODE, RESILIENCE, PRIVACY); every finding carries a MASVS control.
CWE
Each finding is tagged with a Common Weakness Enumeration identifier.
SARIF v2.1.0
OASIS SARIF output with MASVS properties for GitHub/GitLab code-scanning ingestion.

09Integrations & Outputs

SARIF v2.1.0 output for GitHub/GitLab code scanningJSON output for programmatic ingestion and dashboardsHTML report with MASVS coverage for stakeholdersCI/CD gating via exit code 1 on CRITICAL/HIGH findingsConfigurable minimum-severity filter for pipeline policy

Explore Mobile Application Security Testing

Full source, documentation, and deployment guides live on GitHub.