Home / OWASP / mastg
Repository Analysis

OWASP/mastg

The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the OWASP Mobile Security Weakness Enumeration (MASWE) weaknesses, which are in alignment with the OWASP MASVS.

7.5 Low AI signal View on GitHub
7.5
Adjusted Score
7.5
Raw Score
100%
Time Factor
2026-05-30
Last Push
12,926
Stars
Python
Language
78,074
Lines of Code
1445
Files
107
Pattern Hits
2026-05-31
Scan Date

Score History

Severity Breakdown

CRITICAL 31HIGH 7MEDIUM 5LOW 64

Pattern Findings

107 matches across 13 categories. Click a row to expand file-level details.

Hallucination Indicators31 hits · 420 pts
SeverityFileLineSnippet
CRITICALtests/android/MASVS-PLATFORM/MASTG-TEST-0028.md285com.android.internal.os.ZygoteInit.main(ZygoteInit.java)
CRITICALdemos/android/MASVS-STORAGE/MASTG-DEMO-0060/output.json67 "com.google.crypto.tink.integration.android.SharedPrefKeysetWriter.write(SharedPrefKeysetWriter.java:70)",
CRITICALdemos/android/MASVS-STORAGE/MASTG-DEMO-0060/output.json68 "com.google.crypto.tink.KeysetHandle.writeWithAssociatedData(KeysetHandle.java:869)",
CRITICALdemos/android/MASVS-STORAGE/MASTG-DEMO-0060/output.json69 "com.google.crypto.tink.KeysetHandle.write(KeysetHandle.java:858)",
CRITICALdemos/android/MASVS-STORAGE/MASTG-DEMO-0060/output.json105 "com.google.crypto.tink.integration.android.SharedPrefKeysetWriter.write(SharedPrefKeysetWriter.java:70)",
CRITICALdemos/android/MASVS-STORAGE/MASTG-DEMO-0060/output.json106 "com.google.crypto.tink.KeysetHandle.writeWithAssociatedData(KeysetHandle.java:869)",
CRITICALdemos/android/MASVS-STORAGE/MASTG-DEMO-0060/output.json107 "com.google.crypto.tink.KeysetHandle.write(KeysetHandle.java:858)",
CRITICAL…mos/android/MASVS-PLATFORM/MASTG-DEMO-0082/output.json7com.android.webview.chromium.ContentSettingsAdapter.setDomStorageEnabled(Native Method)
CRITICAL…mos/android/MASVS-PLATFORM/MASTG-DEMO-0082/output.json20com.android.webview.chromium.e.deleteAllData(Native Method)
CRITICAL…oid/MASVS-CODE/MASTG-DEMO-0101/MastgTest_reversed.java56 at jadx.core.dex.visitors.regions.SwitchOverStringVisitor.restoreSwitchOverString(SwitchOverStringVisitor.java:109)
CRITICAL…oid/MASVS-CODE/MASTG-DEMO-0101/MastgTest_reversed.java57 at jadx.core.dex.visitors.regions.SwitchOverStringVisitor.visitRegion(SwitchOverStringVisitor.java:66)
CRITICAL…oid/MASVS-CODE/MASTG-DEMO-0101/MastgTest_reversed.java58 at jadx.core.dex.visitors.regions.DepthRegionTraversal.traverseIterativeStepInternal(DepthRegionTraversal.java:77)
CRITICAL…oid/MASVS-CODE/MASTG-DEMO-0101/MastgTest_reversed.java59 at jadx.core.dex.visitors.regions.DepthRegionTraversal.traverseIterativeStepInternal(DepthRegionTraversal.java:82)
CRITICAL…oid/MASVS-CODE/MASTG-DEMO-0101/MastgTest_reversed.java60 at jadx.core.dex.visitors.regions.DepthRegionTraversal.traverseIterative(DepthRegionTraversal.java:31)
CRITICAL…oid/MASVS-CODE/MASTG-DEMO-0101/MastgTest_reversed.java61 at jadx.core.dex.visitors.regions.SwitchOverStringVisitor.visit(SwitchOverStringVisitor.java:60)
CRITICALdemos/android/MASVS-PRIVACY/MASTG-DEMO-0081/output.json30 "com.google.firebase.analytics.FirebaseAnalytics.logEvent(Native Method)",
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt2703-26 11:33:23.415 2340 2407 D StrictMode: at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(Continua
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt3503-26 11:33:23.415 2340 2407 D StrictMode: at androidx.compose.ui.input.pointer.SuspendingPointerInputModifierNodeImp
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt3903-26 11:33:23.415 2340 2407 D StrictMode: at androidx.compose.ui.input.pointer.Node.dispatchMainEventPass(HitPathTra
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt4003-26 11:33:23.415 2340 2407 D StrictMode: at androidx.compose.ui.input.pointer.Node.dispatchMainEventPass(HitPathTra
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt4103-26 11:33:23.415 2340 2407 D StrictMode: at androidx.compose.ui.input.pointer.NodeParent.dispatchMainEventPass(HitP
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt4203-26 11:33:23.415 2340 2407 D StrictMode: at androidx.compose.ui.input.pointer.HitPathTracker.dispatchChanges(HitPat
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt4603-26 11:33:23.415 2340 2407 D StrictMode: at androidx.compose.ui.platform.AndroidComposeView.dispatchTouchEvent(Andr
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt5503-26 11:33:23.415 2340 2407 D StrictMode: at com.android.internal.policy.DecorView.superDispatchTouchEvent(DecorView
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt5603-26 11:33:23.415 2340 2407 D StrictMode: at com.android.internal.policy.PhoneWindow.superDispatchTouchEvent(PhoneWi
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt5803-26 11:33:23.415 2340 2407 D StrictMode: at com.android.internal.policy.DecorView.dispatchTouchEvent(DecorView.java
CRITICAL…os/android/MASVS-RESILIENCE/MASTG-DEMO-0037/output.txt8503-26 11:33:23.415 2340 2407 D StrictMode: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:971)
CRITICALdemos/android/MASVS-CRYPTO/MASTG-DEMO-0072/output.txt14 kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
CRITICALdemos/android/MASVS-CRYPTO/MASTG-DEMO-0072/output.txt29 kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
CRITICALdemos/android/MASVS-CRYPTO/MASTG-DEMO-0072/output.txt45 kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
CRITICALdemos/android/MASVS-CRYPTO/MASTG-DEMO-0072/output.txt61 kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
Verbosity Indicators40 hits · 79 pts
SeverityFileLineSnippet
LOW.github/workflows/check-duplicate-ids.yml77 // Step 1: Try to clean up existing comments
LOW.github/workflows/check-duplicate-ids.yml111 // Step 2: Check if we need to post new notifications
LOW.github/workflows/check-duplicate-ids.yml119 // Step 3: Post notifications for each duplicate
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift4 // Step 1: Retrieve the documents directory URL
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift6 // Step 2: Create a file URL for "secret.txt" in the documents directory
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift8 // Step 3: Define the content to write to the file
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift12 // Step 4: Write the content to the file
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift14 // Step 5: Set the 'isExcludedFromBackup' attribute to true
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift18 // Step 6: Log a success message
LOW…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift21 // Step 7: Log an error message if an exception occurs
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0014/MastgTest.swift7 // Step 1: Use a hardcoded ECDSA P-256 private key (32 bytes for P-256) in bytes
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0014/MastgTest.swift26 // Step 2: Sign the data with the hardcoded private key
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0014/MastgTest.swift32 // Step 3: Verify the signature with the public key
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift6 // Step 1: Load P256 Private Key from Embedded Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift19 // Step 2: Extract Public Key
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift22 // Step 3: Create Sample Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift29 // Step 4: Sign the Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift32 // Step 5: Verify the Signature
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift35 // Step 6: Convert Keys and Signature to Hex Strings
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift41 // Step 7: Construct an Output Message
LOW…ASVS-CRYPTO/MASTG-DEMO-0014/decompiled-o1-review.swift48 // Step 8: Update SwiftUI State Variable
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0013/MastgTest.swift7 // Step 1: Use a hardcoded RSA private key (in DER format)
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0013/MastgTest.swift80 // Step 2: Sign the data with the hardcoded private key
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0013/MastgTest.swift94 // Step 3: Verify the signature with the public key
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift6 // Step 1: Load RSA Private Key from Embedded Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift35 // Step 2: Extract Public Key
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift42 // Step 3: Create Sample Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift49 // Step 4: Sign the Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift61 // Step 5: Verify the Signature
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift68 // Step 6: Convert Keys and Signature to Hex Strings
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift77 // Step 7: Construct an Output Message
LOW…ASVS-CRYPTO/MASTG-DEMO-0013/decompiled-o1-review.swift84 // Step 8: Update SwiftUI State Variable
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0011/MastgTest.swift7 // Step 1: Generate an RSA key pair with a 1024-bit key size
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0011/MastgTest.swift48 // Step 2: Sign the data with the private key
LOWdemos/ios/MASVS-CRYPTO/MASTG-DEMO-0011/MastgTest.swift62 // Step 3: Verify the signature with the public key
LOW…ASVS-CRYPTO/MASTG-DEMO-0018/decompiled-o1-review.swift6 // Step 1: Define the key and input text
LOW…ASVS-CRYPTO/MASTG-DEMO-0018/decompiled-o1-review.swift10 // Step 2: Convert key and input text to Data
LOW…ASVS-CRYPTO/MASTG-DEMO-0018/decompiled-o1-review.swift17 // Step 3: Set up the output buffer
LOW…ASVS-CRYPTO/MASTG-DEMO-0018/decompiled-o1-review.swift21 // Step 4: Perform encryption
LOW…ASVS-CRYPTO/MASTG-DEMO-0018/decompiled-o1-review.swift43 // Step 5: Check the result and return encrypted data
Magic Placeholder Names6 hits · 45 pts
SeverityFileLineSnippet
HIGHtechniques/ios/MASTG-TECH-0133.md32$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Package.resolved
HIGHtechniques/ios/MASTG-TECH-0133.md32$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Package.resolved
HIGHtechniques/ios/MASTG-TECH-0133.md38$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Podfile.lock
HIGHtechniques/ios/MASTG-TECH-0133.md38$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Podfile.lock
HIGHtechniques/ios/MASTG-TECH-0133.md44$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Cartfile.resolved
HIGHtechniques/ios/MASTG-TECH-0133.md44$ dependency-check --enableExperimental -f SARIF --nvdApiKey <YOUR-API-KEY> -s Cartfile.resolved
Excessive Try-Catch Wrapping5 hits · 8 pts
SeverityFileLineSnippet
LOW…b/instructions/mastg-mitmproxy-scripts.instructions.md64 except Exception:
MEDIUM.github/skills/mastg-assign-ids/scripts/fix_ids.py33 print(f"Error: expected OLD=NEW, got: {arg}", file=sys.stderr)
MEDIUM…SVS-STORAGE/MASTG-DEMO-0019/decompiled-o1-review.swift22 print("Error creating file: \(error)")
LOWdemos/android/MASVS-PLATFORM/MASTG-DEMO-0030/server.py16 except Exception as e:
LOWsrc/scripts/tools_healthcheck.py15 except Exception:
Fake / Example Data8 hits · 8 pts
SeverityFileLineSnippet
LOW…0x04e-Testing-Authentication-and-Session-Management.md136{"sub":"1234567890","name":"John Doe","admin":true}
LOW…b/instructions/mastg-mitmproxy-scripts.instructions.md52 "name": "John Doe",
LOW…LATFORM/MASTG-DEMO-0097/MastgTestWebView_reversed.java94 editor$iv.putString(HintConstants.AUTOFILL_HINT_NAME, "John Doe").putString(NotificationCompat.CATEGORY_EMAIL, "
LOW…oid/MASVS-PLATFORM/MASTG-DEMO-0097/MastgTestWebView.kt199 putString("name", "John Doe")
LOW…/MASVS-PRIVACY/MASTG-DEMO-0009/MastgTest_reversed.java38 final Map SENSITIVE_DATA = MapsKt.mapOf(TuplesKt.to("precise_location_latitude", "37.7749"), TuplesKt.to("precis
LOW…mos/android/MASVS-PRIVACY/MASTG-DEMO-0009/MastgTest.kt20 "name" to "John Doe",
LOW…MASVS-PRIVACY/MASTG-DEMO-0009/mitm_sensitive_logger.py8 "name": "John Doe",
LOWtechniques/android/MASTG-TECH-0100.md20 "name": "John Doe",
Self-Referential Comments2 hits · 6 pts
SeverityFileLineSnippet
MEDIUM.github/workflows/check-duplicate-ids.yml38 # Create a file with the list of new files in this PR
MEDIUMsrc/scripts/tools_healthcheck.py30# Create the markdown table
Synthetic Comment Markers1 hit · 5 pts
SeverityFileLineSnippet
HIGH.github/PULL_REQUEST_TEMPLATE.md28Undisclosed use of AI tools will result in the PR being closed. Large rewrites or bulk changes generated by AI require e
Over-Commented Block3 hits · 3 pts
SeverityFileLineSnippet
LOW.github/workflows/codeql-analysis.yml1# For most projects, this workflow file will not need changing; you simply need
LOW.github/workflows/codeql-analysis.yml61
LOWtechniques/android/MASTG-TECH-0112.md41 // ** addr: 0x5961e0, size: 0x230
Redundant / Tautological Comments2 hits · 3 pts
SeverityFileLineSnippet
LOW.github/scripts/check_duplicate_ids.py76 # Check if key is in folder name or folder is in key
LOW.github/scripts/check_duplicate_ids.py156 # Check if this ID already exists
Hyper-Verbose Identifiers3 hits · 3 pts
SeverityFileLineSnippet
LOWdemos/android/MASVS-PLATFORM/MASTG-DEMO-0082/script.js1function enumerateDeleteAllDataMethod() {
LOWdemos/android/MASVS-PLATFORM/MASTG-DEMO-0082/script.js6function enumerateSetDomStorageEnabledMethod() {
LOWsrc/scripts/yaml_to_excel.py143def create_security_requirements_sheet(wb):
Deep Nesting3 hits · 3 pts
SeverityFileLineSnippet
LOWsrc/scripts/testcase_diff.py3
LOWsrc/scripts/yaml_to_excel.py143
LOWsrc/scripts/combine_data_for_checklist.py57
Slop Phrases1 hit · 2 pts
SeverityFileLineSnippet
MEDIUMdemos/android/MASVS-CRYPTO/MASTG-DEMO-0058/MastgTest.kt65 .setRandomizedEncryptionRequired(false) // For demonstration purposes, we disable randomized encryption
Unused Imports2 hits · 2 pts
SeverityFileLineSnippet
LOWsrc/scripts/yaml_to_excel.py1
LOWsrc/scripts/excel_styles_and_validation.py3