ワンクリックでManusで任意のスキルを実行

$pwd:

mastg

Name: Mastg
Author: ChiChou

// Autonomous mobile security audit aligned with OWASP MASTG v2. Performs checklist-driven analysis across MASVS categories: storage, crypto, network, platform, code, resilience, privacy. Exports structured markdown report with MASTG test references.

Manusで実行

$ git log --oneline --stat

stars:1,324

forks:105

updated:2026年5月8日 23:33

SKILL.md

readonly

related-skills.json

同じリポジトリ

igf.md

from "ChiChou/grapefruit"

CLI interface for igf (Grapefruit) dynamic instrumentation server. Use to enumerate Frida devices, list apps, run hooks, query logs, access device file systems, inspect classes, dump memory, and perform mobile app security analysis.

2026-05-081.3k

package.json

"author": "ChiChou"

"repository": "ChiChou/grapefruit"

GitHub リポジトリを開く Creator のリポジトリを見る

$ install --global

$ download --local

Manusで実行

$ useful --forSOC

情報セキュリティアナリストコンピュータ・数学職15-1212L4

ワンクリックで任意のスキルを実行

name	mastg
description	Autonomous mobile security audit aligned with OWASP MASTG v2. Performs checklist-driven analysis across MASVS categories: storage, crypto, network, platform, code, resilience, privacy. Exports structured markdown report with MASTG test references.

MASTG Mobile Security Audit Skill

You are performing an autonomous security audit of a mobile application using igf (Grapefruit) dynamic instrumentation, aligned with OWASP MASTG v2 (Mobile Application Security Testing Guide).

Prerequisites

The igf server must be running (bun src/index.ts or igf). A device must be connected with the target app running.

Session Setup

Run igf device list to find connected devices
If user didn't specify a device, use the only one or ask
Confirm platform (droid or fruity) and bundle ID

Store as shell variables:

DEVICE="<device_id>"
PLATFORM="<droid|fruity>"
BUNDLE="<bundle_id>"
SESSION="-d $DEVICE --platform $PLATFORM -b $BUNDLE"

How to Execute

Use igf CLI via bash. The /igf skill documents all commands.

Rules:

Ask user before starting monitors or hooks (pin start, hook start)
Ask user before accessing paths outside app data directory
If a command fails, note the error and move on
Collect actual output as evidence for each finding
Reference MASTG test IDs in findings where applicable

Audit Checklist (OWASP MASTG v2 aligned)

Work through sections in order. Non-intrusive first (1-4, 6), hooks later (5, 7, 8).

Platform: [A] = Android, [I] = iOS, [*] = both.

1. MASVS-STORAGE — Data Storage & Privacy

Collect app info and filesystem roots: Run the platform-specific app metadata command plus the shared process/filesystem commands:

igf agent app process-info $SESSION
igf agent app info $SESSION      # Android
igf agent app plist $SESSION     # iOS
igf agent fs roots $SESSION

1.1 Logging [*] (MASWE-0001)

[A] MASTG-TEST-0231: Check for references to logging APIs in manifest/code
[A] MASTG-TEST-0203: Runtime use of logging APIs — igf log syslog $DEVICE $BUNDLE
[I] MASTG-TEST-0297: Insertion of sensitive data into logs
[I] MASTG-TEST-0296: Sensitive data exposure through insecure logging — igf log syslog $DEVICE $BUNDLE
Flag: tokens, passwords, PII in log output (HIGH)

1.2 Backup Exposure [*] (MASWE-0004)

[A] MASTG-TEST-0262: Check android:allowBackup in manifest — igf agent app manifest $SESSION
[A] MASTG-TEST-0216: Sensitive data not excluded from backup
[I] MASTG-TEST-0215: Sensitive data not marked for backup exclusion
[I] MASTG-TEST-0298: Runtime monitoring of files eligible for backup

1.3 Unencrypted Data in Private Storage [*] (MASWE-0006)

[A] MASTG-TEST-0207: Runtime storage of unencrypted data in app sandbox
[A] MASTG-TEST-0287: Sensitive data via SharedPreferences — igf agent fs ls <data_dir>/shared_prefs $SESSION then igf agent fs cat <file> $SESSION
[A] MASTG-TEST-0304: Sensitive data via SQLite — igf agent sqlite tables <path> $SESSION then igf agent sqlite dump <path> <table> $SESSION
[A] MASTG-TEST-0305: Sensitive data via DataStore
[A] MASTG-TEST-0306: Sensitive data via Room DB
[I] MASTG-TEST-0299: Data protection classes for files
[I] MASTG-TEST-0300/0301: Unencrypted data in private storage — igf agent ios userdefaults $SESSION
[I] MASTG-TEST-0302: Sensitive data unencrypted in private storage files
Flag: plaintext credentials, tokens, PII in databases or preferences (HIGH)

1.4 External/Shared Storage [*] (MASWE-0007)

[A] MASTG-TEST-0200: Files written to external storage
[A] MASTG-TEST-0201: Runtime use of external storage APIs
[A] MASTG-TEST-0202: References to external storage APIs/permissions
[I] MASTG-TEST-0303: Unencrypted data in shared storage
Browse: igf agent fs ls <data_dir> $SESSION

1.5 Keychain/Keystore [*]

[A] igf agent android keystore $SESSION — check key algorithms, purposes
[A] igf agent android keystore-info <alias> $SESSION — detailed attributes
[I] igf agent ios keychain $SESSION — check accessibility levels
[I] igf agent ios cookies $SESSION — session cookies without secure/httpOnly
Flag: kSecAttrAccessibleAlways (HIGH), weak key algorithms

2. MASVS-CRYPTO — Cryptography

2.1 Weak/Broken Algorithms [*] (MASWE-0020)

[A] MASTG-TEST-0221: Broken symmetric encryption algorithms
[A] MASTG-TEST-0232: Broken symmetric encryption modes (ECB)
[A] MASTG-TEST-0312: Explicit security provider usage
[I] MASTG-TEST-0210: Broken symmetric encryption algorithms
[I] MASTG-TEST-0211: Broken hashing algorithms (MD5, SHA1 for security)
[I] MASTG-TEST-0317: Broken symmetric encryption modes
Flag: DES, 3DES, RC4, ECB mode (HIGH), MD5/SHA1 for signatures

2.2 Hardcoded Keys [*] (MASWE-0014)

[A] MASTG-TEST-0212: Hardcoded cryptographic keys in code
[I] MASTG-TEST-0213: Hardcoded cryptographic keys in code
[I] MASTG-TEST-0214: Hardcoded cryptographic keys in files
Scan: igf agent symbol strings <main_module> $SESSION
Look for: base64 key-length strings, hex patterns, -----BEGIN.*KEY-----

2.3 Insufficient Key Sizes [*] (MASWE-0009)

[A] MASTG-TEST-0208: Insufficient key sizes
[I] MASTG-TEST-0209: Insufficient key sizes
Flag: <128-bit symmetric, <2048-bit RSA (HIGH)

2.4 IV Reuse [A] (MASWE-0022)

[A] MASTG-TEST-0309: References to reused IVs
[A] MASTG-TEST-0310: Runtime use of reused IVs
Flag: all-zero IVs, static IVs (HIGH)

2.5 Key Reuse [*] (MASWE-0012)

[A] MASTG-TEST-0307/0308: Asymmetric key pairs used for multiple purposes

2.6 Insecure Random [*] (MASWE-0027)

[A] MASTG-TEST-0204/0205: Insecure random / non-random sources
[I] MASTG-TEST-0311: Insecure random API usage

Runtime crypto monitoring (ask user first):

igf agent pin start crypto $SESSION
# wait for app interaction...
igf log crypto $DEVICE $BUNDLE --limit 100
igf agent pin stop crypto $SESSION

3. MASVS-NETWORK — Network Communication

3.1 Cleartext Traffic [*] (MASWE-0050)

[A] MASTG-TEST-0233: Hardcoded HTTP URLs
[A] MASTG-TEST-0235: Android configurations allowing cleartext
[A] MASTG-TEST-0237: Cross-platform framework cleartext config
[A] MASTG-TEST-0238: Runtime cleartext traffic
[A] MASTG-TEST-0239: Low-level socket APIs for custom HTTP
[I] MASTG-TEST-0321: Hardcoded HTTP URLs
[I] MASTG-TEST-0322: ATS configurations allowing cleartext — check NSAllowsArbitraryLoads in app info
[I] MASTG-TEST-0323: Low-level networking APIs for cleartext
Check manifest: igf agent app manifest $SESSION — look for usesCleartextTraffic=true
Flag: plaintext HTTP (HIGH), disabled ATS (HIGH)

3.2 Insecure TLS [*] (MASWE-0050)

[A] MASTG-TEST-0217: Insecure TLS protocols allowed in code
MASTG-TEST-0218: Insecure TLS in network traffic
[A] MASTG-TEST-0295: GMS security provider not updated
Flag: TLS 1.0/1.1 (HIGH), SSLv3 (CRITICAL)

3.3 Certificate Validation [*] (MASWE-0052)

[A] MASTG-TEST-0234: Missing hostname verification with SSLSockets
[A] MASTG-TEST-0282: Unsafe custom trust evaluation
[A] MASTG-TEST-0283: Incorrect hostname verification
[A] MASTG-TEST-0284: Incorrect SSL error handling in WebViews
[A] MASTG-TEST-0285: Outdated version trusting user CAs
[A] MASTG-TEST-0286: Network security config trusting user CAs

3.4 Certificate Pinning [*] (MASWE-0047)

[A] MASTG-TEST-0242: Missing pinning in network security config
[A] MASTG-TEST-0243: Expired certificate pins
MASTG-TEST-0244: Missing pinning in network traffic
Flag: no pinning (MEDIUM for L2)

Runtime HTTP monitoring (ask user first): Run the capture pin for the target platform:

igf agent pin start http $SESSION         # Android HTTP/WebSocket capture
igf agent pin start nsurl $SESSION        # iOS NSURLSession/WebSocket capture
igf agent pin start sslpinning $SESSION   # Android TLS validation monitoring
# wait for app interaction...
igf history http $DEVICE $BUNDLE --limit 100   # Android
igf history nsurl $DEVICE $BUNDLE --limit 100  # iOS
igf agent pin stop http $SESSION
igf agent pin stop nsurl $SESSION
igf agent pin stop sslpinning $SESSION

Flag: plaintext requests, API keys in headers/URLs, sensitive data in transit

4. MASVS-PLATFORM — Platform Interaction

4.1 WebView Security [A] (MASWE-0069)

[A] MASTG-TEST-0250/0251: Content provider access in WebViews
[A] MASTG-TEST-0252/0253: Local file access in WebViews
[A] MASTG-TEST-0227: Debugging enabled for WebViews (MASWE-0067)
[A] MASTG-TEST-0320: WebViews not cleaning up sensitive data (MASWE-0118)

4.2 Exported Components [A]

igf agent android activities $SESSION
igf agent android services $SESSION
igf agent android receivers $SESSION
igf agent android providers $SESSION

Flag: exported without permission protection (INFO-MEDIUM), content providers queryable (test with igf agent android provider-query <uri> $SESSION)

4.3 Sensitive UI Data Exposure [*] (MASWE-0053)

[A] MASTG-TEST-0258: Keyboard caching attributes
[A] MASTG-TEST-0316: Auth data in text input fields
[I] MASTG-TEST-0276-0280: Pasteboard security (general pasteboard, clearing, expiry, local-only)
[I] MASTG-TEST-0313/0314: Keyboard caching prevention

4.4 Screenshot/Screen Capture Prevention [*] (MASWE-0055)

[A] MASTG-TEST-0289: Sensitive content in screenshots during backgrounding
[A] MASTG-TEST-0291-0294: Screen capture prevention APIs
[I] MASTG-TEST-0290: Sensitive content in screenshots during backgrounding

4.5 Notification Data [A] (MASWE-0054)

[A] MASTG-TEST-0315: Sensitive data exposed via notifications

4.6 Deep Links / URL Schemes [I]

[I] igf agent app urls $SESSION — check for custom schemes accepting external input

5. MASVS-CODE — Code Quality

5.1 Binary Protections [*] (MASWE-0116)

igf agent checksec main $SESSION

[A] MASTG-TEST-0222: PIE not enabled
[A] MASTG-TEST-0223: Stack canaries not enabled
[I] MASTG-TEST-0228: PIE not enabled
[I] MASTG-TEST-0229: Stack canaries not enabled
[I] MASTG-TEST-0230: ARC not enabled
Flag: missing PIE (HIGH), missing canaries (MEDIUM), missing ARC (HIGH on iOS)

5.2 Dependencies [*] (MASWE-0076)

[A] MASTG-TEST-0272: Dependencies with known vulnerabilities
[I] MASTG-TEST-0273: Dependencies with known vulnerabilities
igf agent symbol modules $SESSION — identify third-party libraries

5.3 Debugging Symbols [*] (MASWE-0093)

[A] MASTG-TEST-0288: Debugging symbols in native binaries
[I] MASTG-TEST-0219: Testing for debugging symbols

5.4 Platform Version [A] (MASWE-0077)

[A] MASTG-TEST-0245: Platform version API references
Check: targetSdkVersion < 33 (MEDIUM)

6. MASVS-RESILIENCE — Reverse Engineering & Tampering

6.1 Debuggable [*] (MASWE-0067)

[A] MASTG-TEST-0226: android:debuggable=true in manifest — igf agent app manifest $SESSION
[I] MASTG-TEST-0261: get-task-allow entitlement — igf agent app entitlements $SESSION
Flag: debuggable in production (HIGH)

6.2 Code Signing [*] (MASWE-0104)

[A] MASTG-TEST-0224: Insecure signature version
[A] MASTG-TEST-0225: Insecure signature key size
[I] MASTG-TEST-0220: Outdated code signature format

6.3 Root/Jailbreak Detection [*] (MASWE-0097)

[A] MASTG-TEST-0324/0325: Root detection mechanisms
[I] MASTG-TEST-0240/0241: Jailbreak detection
igf agent class list $SESSION — search for root/jailbreak detection classes

6.4 Device Lock [*] (MASWE-0008)

[A] MASTG-TEST-0247/0249: Secure screen lock detection
[I] MASTG-TEST-0246/0248: Secure screen lock detection

6.5 StrictMode [A] (MASWE-0094)

[A] MASTG-TEST-0263-0265: StrictMode violations/APIs

6.6 Obfuscation Indicators [*]

igf agent class list $SESSION — short/randomized names = ProGuard/R8
igf agent symbol modules $SESSION — stripped symbols = obfuscation

7. MASVS-PRIVACY — User Privacy

7.1 Dangerous Permissions [A] (MASWE-0117)

[A] MASTG-TEST-0254: Dangerous app permissions — extract from manifest
[A] MASTG-TEST-0255: Permission requests not minimized
[A] MASTG-TEST-0256: Missing permission rationale
[A] MASTG-TEST-0257: Not resetting unused permissions
Flag: >= 8 dangerous permissions (MEDIUM)

7.2 SDK Data Handling [*] (MASWE-0112)

[A] MASTG-TEST-0318/0319: SDK APIs handling sensitive user data
[I] MASTG-TEST-0281: Undeclared known tracking domains

7.3 PII in Network Traffic [A] (MASWE-0108)

[A] MASTG-TEST-0206: Undeclared PII in network traffic capture

Runtime privacy monitoring (ask user first):

igf agent pin start privacy $SESSION
# wait for app interaction...
igf history privacy $DEVICE $BUNDLE --limit 100
igf agent pin stop privacy $SESSION

Categorize: microphone, camera, photos, sensors, bluetooth, wifi, location, health

8. Hardcoded Secrets (cross-cutting)

igf agent symbol modules $SESSION           # find main module
igf agent symbol strings <main_module> $SESSION

Search for:

API keys: sk_, pk_, api_, key_, token_, AIza, AKIA, ghp_, glpat-
Private keys: -----BEGIN.*PRIVATE KEY-----
URLs with credentials: ://.*:.*@
AWS/GCP/Azure patterns
Firebase config
Hardcoded IPs and internal hostnames

Also check:

[A] SharedPreferences XML files for credential-like keys
[I] igf agent ios userdefaults $SESSION for credential-like keys

Cleanup

Stop all active hooks:

igf agent pin list $SESSION
igf agent pin stop <id> $SESSION   # for each active pin
igf agent hook status $SESSION
igf agent hook stop <group> $SESSION   # for low-level hook groups, if used

Open Files / Network

igf agent lsof $SESSION

Flag unexpected network connections.

Report Format

Write to file the user specifies (default: mastg-report.md).

# Security Audit Report: {bundle}

| Field | Value |
|-------|-------|
| **Date** | {YYYY-MM-DD} |
| **Platform** | {Android/iOS} |
| **Device** | {device} |
| **Bundle** | {bundle} |
| **Standard** | OWASP MASTG v2 |

## Executive Summary

| Severity | Count |
|----------|-------|
| Critical | N |
| High | N |
| Medium | N |
| Info | N |
| Positive | N |

> **Risk Assessment:** {one sentence}

## Findings

### MASVS-STORAGE

#### [!] {Finding Title}

**Severity:** HIGH | **MASTG:** MASTG-TEST-XXXX | **MASWE:** MASWE-XXXX

{Description}

**Evidence:**

{actual igf command output}


**Recommendation:** {fix}

### MASVS-CRYPTO
### MASVS-NETWORK
### MASVS-PLATFORM
### MASVS-CODE
### MASVS-RESILIENCE
### MASVS-PRIVACY

## Positive Findings

- [+] **{title}** — {description}

## Recommendations Summary

1. **[CRITICAL]** {rec}
2. **[HIGH]** {rec}
...

Severity Guide

CRITICAL: Immediate exploitation risk (hardcoded credentials, SQL injection in exported provider)
HIGH: Significant weakness (debuggable, disabled ATS, plaintext credentials, weak crypto, missing PIE)
MEDIUM: Notable concern (excessive permissions, missing pinning, legacy storage)
INFO: Worth noting (exported components, missing network security config)
OK: Security control properly implemented

name	mastg
description	Autonomous mobile security audit aligned with OWASP MASTG v2. Performs checklist-driven analysis across MASVS categories: storage, crypto, network, platform, code, resilience, privacy. Exports structured markdown report with MASTG test references.

MASTG Mobile Security Audit Skill

You are performing an autonomous security audit of a mobile application using igf (Grapefruit) dynamic instrumentation, aligned with OWASP MASTG v2 (Mobile Application Security Testing Guide).

Prerequisites

The igf server must be running (bun src/index.ts or igf). A device must be connected with the target app running.

Session Setup

Run igf device list to find connected devices
If user didn't specify a device, use the only one or ask
Confirm platform (droid or fruity) and bundle ID

Store as shell variables:

DEVICE="<device_id>"
PLATFORM="<droid|fruity>"
BUNDLE="<bundle_id>"
SESSION="-d $DEVICE --platform $PLATFORM -b $BUNDLE"

How to Execute

Use igf CLI via bash. The /igf skill documents all commands.

Rules:

Ask user before starting monitors or hooks (pin start, hook start)
Ask user before accessing paths outside app data directory
If a command fails, note the error and move on
Collect actual output as evidence for each finding
Reference MASTG test IDs in findings where applicable

Audit Checklist (OWASP MASTG v2 aligned)

Work through sections in order. Non-intrusive first (1-4, 6), hooks later (5, 7, 8).

Platform: [A] = Android, [I] = iOS, [*] = both.

1. MASVS-STORAGE — Data Storage & Privacy

Collect app info and filesystem roots: Run the platform-specific app metadata command plus the shared process/filesystem commands:

igf agent app process-info $SESSION
igf agent app info $SESSION      # Android
igf agent app plist $SESSION     # iOS
igf agent fs roots $SESSION

1.1 Logging [*] (MASWE-0001)

[A] MASTG-TEST-0231: Check for references to logging APIs in manifest/code
[A] MASTG-TEST-0203: Runtime use of logging APIs — igf log syslog $DEVICE $BUNDLE
[I] MASTG-TEST-0297: Insertion of sensitive data into logs
[I] MASTG-TEST-0296: Sensitive data exposure through insecure logging — igf log syslog $DEVICE $BUNDLE
Flag: tokens, passwords, PII in log output (HIGH)

1.2 Backup Exposure [*] (MASWE-0004)

[A] MASTG-TEST-0262: Check android:allowBackup in manifest — igf agent app manifest $SESSION
[A] MASTG-TEST-0216: Sensitive data not excluded from backup
[I] MASTG-TEST-0215: Sensitive data not marked for backup exclusion
[I] MASTG-TEST-0298: Runtime monitoring of files eligible for backup

1.3 Unencrypted Data in Private Storage [*] (MASWE-0006)

[A] MASTG-TEST-0207: Runtime storage of unencrypted data in app sandbox
[A] MASTG-TEST-0287: Sensitive data via SharedPreferences — igf agent fs ls <data_dir>/shared_prefs $SESSION then igf agent fs cat <file> $SESSION
[A] MASTG-TEST-0304: Sensitive data via SQLite — igf agent sqlite tables <path> $SESSION then igf agent sqlite dump <path> <table> $SESSION
[A] MASTG-TEST-0305: Sensitive data via DataStore
[A] MASTG-TEST-0306: Sensitive data via Room DB
[I] MASTG-TEST-0299: Data protection classes for files
[I] MASTG-TEST-0300/0301: Unencrypted data in private storage — igf agent ios userdefaults $SESSION
[I] MASTG-TEST-0302: Sensitive data unencrypted in private storage files
Flag: plaintext credentials, tokens, PII in databases or preferences (HIGH)

1.4 External/Shared Storage [*] (MASWE-0007)

[A] MASTG-TEST-0200: Files written to external storage
[A] MASTG-TEST-0201: Runtime use of external storage APIs
[A] MASTG-TEST-0202: References to external storage APIs/permissions
[I] MASTG-TEST-0303: Unencrypted data in shared storage
Browse: igf agent fs ls <data_dir> $SESSION

1.5 Keychain/Keystore [*]

[A] igf agent android keystore $SESSION — check key algorithms, purposes
[A] igf agent android keystore-info <alias> $SESSION — detailed attributes
[I] igf agent ios keychain $SESSION — check accessibility levels
[I] igf agent ios cookies $SESSION — session cookies without secure/httpOnly
Flag: kSecAttrAccessibleAlways (HIGH), weak key algorithms

2. MASVS-CRYPTO — Cryptography

2.1 Weak/Broken Algorithms [*] (MASWE-0020)

[A] MASTG-TEST-0221: Broken symmetric encryption algorithms
[A] MASTG-TEST-0232: Broken symmetric encryption modes (ECB)
[A] MASTG-TEST-0312: Explicit security provider usage
[I] MASTG-TEST-0210: Broken symmetric encryption algorithms
[I] MASTG-TEST-0211: Broken hashing algorithms (MD5, SHA1 for security)
[I] MASTG-TEST-0317: Broken symmetric encryption modes
Flag: DES, 3DES, RC4, ECB mode (HIGH), MD5/SHA1 for signatures

2.2 Hardcoded Keys [*] (MASWE-0014)

[A] MASTG-TEST-0212: Hardcoded cryptographic keys in code
[I] MASTG-TEST-0213: Hardcoded cryptographic keys in code
[I] MASTG-TEST-0214: Hardcoded cryptographic keys in files
Scan: igf agent symbol strings <main_module> $SESSION
Look for: base64 key-length strings, hex patterns, -----BEGIN.*KEY-----

2.3 Insufficient Key Sizes [*] (MASWE-0009)

[A] MASTG-TEST-0208: Insufficient key sizes
[I] MASTG-TEST-0209: Insufficient key sizes
Flag: <128-bit symmetric, <2048-bit RSA (HIGH)

2.4 IV Reuse [A] (MASWE-0022)

[A] MASTG-TEST-0309: References to reused IVs
[A] MASTG-TEST-0310: Runtime use of reused IVs
Flag: all-zero IVs, static IVs (HIGH)

2.5 Key Reuse [*] (MASWE-0012)

[A] MASTG-TEST-0307/0308: Asymmetric key pairs used for multiple purposes

2.6 Insecure Random [*] (MASWE-0027)

[A] MASTG-TEST-0204/0205: Insecure random / non-random sources
[I] MASTG-TEST-0311: Insecure random API usage

Runtime crypto monitoring (ask user first):

igf agent pin start crypto $SESSION
# wait for app interaction...
igf log crypto $DEVICE $BUNDLE --limit 100
igf agent pin stop crypto $SESSION

3. MASVS-NETWORK — Network Communication

3.1 Cleartext Traffic [*] (MASWE-0050)

[A] MASTG-TEST-0233: Hardcoded HTTP URLs
[A] MASTG-TEST-0235: Android configurations allowing cleartext
[A] MASTG-TEST-0237: Cross-platform framework cleartext config
[A] MASTG-TEST-0238: Runtime cleartext traffic
[A] MASTG-TEST-0239: Low-level socket APIs for custom HTTP
[I] MASTG-TEST-0321: Hardcoded HTTP URLs
[I] MASTG-TEST-0322: ATS configurations allowing cleartext — check NSAllowsArbitraryLoads in app info
[I] MASTG-TEST-0323: Low-level networking APIs for cleartext
Check manifest: igf agent app manifest $SESSION — look for usesCleartextTraffic=true
Flag: plaintext HTTP (HIGH), disabled ATS (HIGH)

3.2 Insecure TLS [*] (MASWE-0050)

[A] MASTG-TEST-0217: Insecure TLS protocols allowed in code
MASTG-TEST-0218: Insecure TLS in network traffic
[A] MASTG-TEST-0295: GMS security provider not updated
Flag: TLS 1.0/1.1 (HIGH), SSLv3 (CRITICAL)

3.3 Certificate Validation [*] (MASWE-0052)

[A] MASTG-TEST-0234: Missing hostname verification with SSLSockets
[A] MASTG-TEST-0282: Unsafe custom trust evaluation
[A] MASTG-TEST-0283: Incorrect hostname verification
[A] MASTG-TEST-0284: Incorrect SSL error handling in WebViews
[A] MASTG-TEST-0285: Outdated version trusting user CAs
[A] MASTG-TEST-0286: Network security config trusting user CAs

3.4 Certificate Pinning [*] (MASWE-0047)

[A] MASTG-TEST-0242: Missing pinning in network security config
[A] MASTG-TEST-0243: Expired certificate pins
MASTG-TEST-0244: Missing pinning in network traffic
Flag: no pinning (MEDIUM for L2)

Runtime HTTP monitoring (ask user first): Run the capture pin for the target platform:

igf agent pin start http $SESSION         # Android HTTP/WebSocket capture
igf agent pin start nsurl $SESSION        # iOS NSURLSession/WebSocket capture
igf agent pin start sslpinning $SESSION   # Android TLS validation monitoring
# wait for app interaction...
igf history http $DEVICE $BUNDLE --limit 100   # Android
igf history nsurl $DEVICE $BUNDLE --limit 100  # iOS
igf agent pin stop http $SESSION
igf agent pin stop nsurl $SESSION
igf agent pin stop sslpinning $SESSION

Flag: plaintext requests, API keys in headers/URLs, sensitive data in transit

4. MASVS-PLATFORM — Platform Interaction

4.1 WebView Security [A] (MASWE-0069)

[A] MASTG-TEST-0250/0251: Content provider access in WebViews
[A] MASTG-TEST-0252/0253: Local file access in WebViews
[A] MASTG-TEST-0227: Debugging enabled for WebViews (MASWE-0067)
[A] MASTG-TEST-0320: WebViews not cleaning up sensitive data (MASWE-0118)

4.2 Exported Components [A]

igf agent android activities $SESSION
igf agent android services $SESSION
igf agent android receivers $SESSION
igf agent android providers $SESSION

Flag: exported without permission protection (INFO-MEDIUM), content providers queryable (test with igf agent android provider-query <uri> $SESSION)

4.3 Sensitive UI Data Exposure [*] (MASWE-0053)

[A] MASTG-TEST-0258: Keyboard caching attributes
[A] MASTG-TEST-0316: Auth data in text input fields
[I] MASTG-TEST-0276-0280: Pasteboard security (general pasteboard, clearing, expiry, local-only)
[I] MASTG-TEST-0313/0314: Keyboard caching prevention

4.4 Screenshot/Screen Capture Prevention [*] (MASWE-0055)

[A] MASTG-TEST-0289: Sensitive content in screenshots during backgrounding
[A] MASTG-TEST-0291-0294: Screen capture prevention APIs
[I] MASTG-TEST-0290: Sensitive content in screenshots during backgrounding

4.5 Notification Data [A] (MASWE-0054)

[A] MASTG-TEST-0315: Sensitive data exposed via notifications

4.6 Deep Links / URL Schemes [I]

[I] igf agent app urls $SESSION — check for custom schemes accepting external input

5. MASVS-CODE — Code Quality

5.1 Binary Protections [*] (MASWE-0116)

igf agent checksec main $SESSION

[A] MASTG-TEST-0222: PIE not enabled
[A] MASTG-TEST-0223: Stack canaries not enabled
[I] MASTG-TEST-0228: PIE not enabled
[I] MASTG-TEST-0229: Stack canaries not enabled
[I] MASTG-TEST-0230: ARC not enabled
Flag: missing PIE (HIGH), missing canaries (MEDIUM), missing ARC (HIGH on iOS)

5.2 Dependencies [*] (MASWE-0076)

[A] MASTG-TEST-0272: Dependencies with known vulnerabilities
[I] MASTG-TEST-0273: Dependencies with known vulnerabilities
igf agent symbol modules $SESSION — identify third-party libraries

5.3 Debugging Symbols [*] (MASWE-0093)

[A] MASTG-TEST-0288: Debugging symbols in native binaries
[I] MASTG-TEST-0219: Testing for debugging symbols

5.4 Platform Version [A] (MASWE-0077)

[A] MASTG-TEST-0245: Platform version API references
Check: targetSdkVersion < 33 (MEDIUM)

6. MASVS-RESILIENCE — Reverse Engineering & Tampering

6.1 Debuggable [*] (MASWE-0067)

[A] MASTG-TEST-0226: android:debuggable=true in manifest — igf agent app manifest $SESSION
[I] MASTG-TEST-0261: get-task-allow entitlement — igf agent app entitlements $SESSION
Flag: debuggable in production (HIGH)

6.2 Code Signing [*] (MASWE-0104)

[A] MASTG-TEST-0224: Insecure signature version
[A] MASTG-TEST-0225: Insecure signature key size
[I] MASTG-TEST-0220: Outdated code signature format

6.3 Root/Jailbreak Detection [*] (MASWE-0097)

[A] MASTG-TEST-0324/0325: Root detection mechanisms
[I] MASTG-TEST-0240/0241: Jailbreak detection
igf agent class list $SESSION — search for root/jailbreak detection classes

6.4 Device Lock [*] (MASWE-0008)

[A] MASTG-TEST-0247/0249: Secure screen lock detection
[I] MASTG-TEST-0246/0248: Secure screen lock detection

6.5 StrictMode [A] (MASWE-0094)

[A] MASTG-TEST-0263-0265: StrictMode violations/APIs

6.6 Obfuscation Indicators [*]

igf agent class list $SESSION — short/randomized names = ProGuard/R8
igf agent symbol modules $SESSION — stripped symbols = obfuscation

7. MASVS-PRIVACY — User Privacy

7.1 Dangerous Permissions [A] (MASWE-0117)

[A] MASTG-TEST-0254: Dangerous app permissions — extract from manifest
[A] MASTG-TEST-0255: Permission requests not minimized
[A] MASTG-TEST-0256: Missing permission rationale
[A] MASTG-TEST-0257: Not resetting unused permissions
Flag: >= 8 dangerous permissions (MEDIUM)

7.2 SDK Data Handling [*] (MASWE-0112)

[A] MASTG-TEST-0318/0319: SDK APIs handling sensitive user data
[I] MASTG-TEST-0281: Undeclared known tracking domains

7.3 PII in Network Traffic [A] (MASWE-0108)

[A] MASTG-TEST-0206: Undeclared PII in network traffic capture

Runtime privacy monitoring (ask user first):

igf agent pin start privacy $SESSION
# wait for app interaction...
igf history privacy $DEVICE $BUNDLE --limit 100
igf agent pin stop privacy $SESSION

Categorize: microphone, camera, photos, sensors, bluetooth, wifi, location, health

8. Hardcoded Secrets (cross-cutting)

igf agent symbol modules $SESSION           # find main module
igf agent symbol strings <main_module> $SESSION

Search for:

API keys: sk_, pk_, api_, key_, token_, AIza, AKIA, ghp_, glpat-
Private keys: -----BEGIN.*PRIVATE KEY-----
URLs with credentials: ://.*:.*@
AWS/GCP/Azure patterns
Firebase config
Hardcoded IPs and internal hostnames

Also check:

[A] SharedPreferences XML files for credential-like keys
[I] igf agent ios userdefaults $SESSION for credential-like keys

Cleanup

Stop all active hooks:

igf agent pin list $SESSION
igf agent pin stop <id> $SESSION   # for each active pin
igf agent hook status $SESSION
igf agent hook stop <group> $SESSION   # for low-level hook groups, if used

Open Files / Network

igf agent lsof $SESSION

Flag unexpected network connections.

Report Format

Write to file the user specifies (default: mastg-report.md).

# Security Audit Report: {bundle}

| Field | Value |
|-------|-------|
| **Date** | {YYYY-MM-DD} |
| **Platform** | {Android/iOS} |
| **Device** | {device} |
| **Bundle** | {bundle} |
| **Standard** | OWASP MASTG v2 |

## Executive Summary

| Severity | Count |
|----------|-------|
| Critical | N |
| High | N |
| Medium | N |
| Info | N |
| Positive | N |

> **Risk Assessment:** {one sentence}

## Findings

### MASVS-STORAGE

#### [!] {Finding Title}

**Severity:** HIGH | **MASTG:** MASTG-TEST-XXXX | **MASWE:** MASWE-XXXX

{Description}

**Evidence:**

{actual igf command output}


**Recommendation:** {fix}

### MASVS-CRYPTO
### MASVS-NETWORK
### MASVS-PLATFORM
### MASVS-CODE
### MASVS-RESILIENCE
### MASVS-PRIVACY

## Positive Findings

- [+] **{title}** — {description}

## Recommendations Summary

1. **[CRITICAL]** {rec}
2. **[HIGH]** {rec}
...

Severity Guide

CRITICAL: Immediate exploitation risk (hardcoded credentials, SQL injection in exported provider)
HIGH: Significant weakness (debuggable, disabled ATS, plaintext credentials, weak crypto, missing PIE)
MEDIUM: Notable concern (excessive permissions, missing pinning, legacy storage)
INFO: Worth noting (exported components, missing network security config)
OK: Security control properly implemented

mastg

このリポジトリの他の Skills

このリポジトリの他の Skills

MASTG Mobile Security Audit Skill

Prerequisites

Session Setup

How to Execute

Audit Checklist (OWASP MASTG v2 aligned)

1. MASVS-STORAGE — Data Storage & Privacy

2. MASVS-CRYPTO — Cryptography

3. MASVS-NETWORK — Network Communication

4. MASVS-PLATFORM — Platform Interaction

5. MASVS-CODE — Code Quality

6. MASVS-RESILIENCE — Reverse Engineering & Tampering

7. MASVS-PRIVACY — User Privacy

8. Hardcoded Secrets (cross-cutting)

Cleanup

Open Files / Network

Report Format

Severity Guide

MASTG Mobile Security Audit Skill

Prerequisites

Session Setup

How to Execute

Audit Checklist (OWASP MASTG v2 aligned)

1. MASVS-STORAGE — Data Storage & Privacy

2. MASVS-CRYPTO — Cryptography

3. MASVS-NETWORK — Network Communication

4. MASVS-PLATFORM — Platform Interaction

5. MASVS-CODE — Code Quality

6. MASVS-RESILIENCE — Reverse Engineering & Tampering

7. MASVS-PRIVACY — User Privacy

8. Hardcoded Secrets (cross-cutting)

Cleanup

Open Files / Network

Report Format

Severity Guide