All Test Cases in the OWASP Mobile Security Testing Guide

The full list of mobile app security tests in the MSTG. Detailed how-tos will be linked from here as they become available (see the README for links to other sections of the guide). You can also download this as a simple Excel checklist.

| ID | Name | Howto | MASVS |
| --- | --- | --- | --- |
| OMTG-DATAST-001 | Test local data storage | Android iOS | Data Storage V2.1 |
| OMTG-DATAST-002 | Test for sensitive data in logs | Android iOS | Data Storage V2.2 |
| OMTG-DATAST-003 | Test for sensitive data in cloud storage | Android iOS | Data Storage V2.3 |
| OMTG-DATAST-004 | Test if sensitive data is sent to third parties | Android iOS | Data Storage V2.4 |
| OMTG-DATAST-005 | Test for sensitive data in the keyboard cache | Android iOS | Data Storage V2.5 |
| OMTG-DATAST-006 | Test for sensitive data in the clipboard | Android iOS | Data Storage V2.6 |
| OMTG-DATAST-007 | Test if sensitive data is exposed via IPC mechanisms | Android iOS | Data Storage V2.7 |
| OMTG-DATAST-008 | Test for sensitive data in screenshots | Android iOS | Data Storage V2.8 |
| OMTG-DATAST-009 | Test for sensitive data in backups | Android iOS | Data Storage V2.9 |
| OMTG-DATAST-010 | Test if memory is cleared when the app is backgrounded | Android iOS | Data Storage V2.10 |
| OMTG-DATAST-011 | Test for sensitive data in memory | Android iOS | Data Storage V2.11 |
| OMTG-DATAST-012 | Test if local storage is wiped upon remote locking | Android iOS | Data Storage V2.12 |
| OMTG-DATAST-013 | Test enforcement of device-access-security policy | Android iOS | Data Storage V2.13 |
| OMTG-CRYPTO-001 | Test cryptographic modules | Android iOS | Cryptography V3.1 - V3.5 |
| OMTG-CRYPTO-002 | Verify that random values are generated using a sufficiently secure random number generator | Android iOS | Cryptography V3.6 |
| OMTG-CRYPTO-003 | Verify that all keys and passwords are changeable, and are generated or replaced at installation time | Android iOS | Cryptography V3.7 |
| OMTG-AUTH-001 | Test user authentication | Android iOS | Authentication V4.1 |
| OMTG-AUTH-002 | Test session management | Android iOS | Authentication V4.2 - V4.5 |
| OMTG-AUTH-003 | Test user account lock/exponential back-off in response to excessive login attempts | Android iOS | Authentication V4.6 |
| OMTG-AUTH-004 | Test biometric authentication | Android iOS | Authentication V4.7 |
| OMTG-AUTH-005 | Test 2-factor authentication | Android iOS | Authentication V4.8 |
| OMTG-AUTH-006 | Test step-up authentication | Android iOS | Authentication V4.9 |
| OMTG-AUTH-007 | Test for session hijacking | Android iOS | Authentication V4.10 |
| OMTG-AUTH-008 | Test user device management | Android iOS | Authentication V4.11 |
| OMTG-NET-001 | Test for unencrypted sensitive data on the network | Android iOS | Network V5.1 |
| OMTG-NET-002 | Test X.509 certificate verification | Android iOS | Network V5.2 |
| OMTG-NET-003 | Test SSL pinning | Android iOS | Network V5.3 |
| OMTG-NET-004 | Test the SSL configuration | Android iOS | Network V5.4 |
| OMTG-NET-005 | Test whether insecure, external communication channels are used | Android iOS | Network V5.5 |
| OMTG-NET-006 | Test PKI mutual authentication | Android iOS | Network V5.6 |
| OMTG-ENV-001 | Test app permissions | Android iOS | Environment V6.1 |
| OMTG-ENV-002 | Test validation of input from external sources | Android iOS | Environment V6.2 |
| OMTG-ENV-003 | Test validation of user input | Android iOS | Environment V6.3 |
| OMTG-ENV-004 | Test custom URL schemes | Android iOS | Environment V6.4 |
| OMTG-ENV-005 | Test IPC functionality | Android iOS | Environment V6.5 |
| OMTG-ENV-006 | Test WebViews | Android iOS | Environment V6.6 - V6.10 |
| OMTG-ENV-007 | Verify that the app forces updates of outdated system components | Android iOS | Environment V6.11 |
| OMTG-ENV-008 | Verify that the app checks its installation source | Android iOS | Environment V6.12 |
| OMTG-ENV-009 | Test basic root / jailbreak detection | Android iOS | Environment V6.13 |
| OMTG-CODE-001 | Verify the app signature | Android iOS | Code V7.1 |
| OMTG-CODE-002 | Test if the app is debuggable | Android iOS | Code V7.2 |
| OMTG-CODE-003 | Test for debugging symbols | Android iOS | Code V7.3 |
| OMTG-CODE-004 | Test for debugging code and verbose error logging | Android iOS | Code V7.4 |
| OMTG-CODE-005 | Test exception handling | Android iOS | Code V7.5 - V7.6 |
| OMTG-CODE-007 | Test for code injection | Android iOS | Code V7.7 |
| OMTG-CODE-008 | Test for memory management bugs | Android iOS | Code V7.8 |
| OMTG-CODE-009 | Verify that compiler security features are activated | Android iOS | Code V7.9 |
| OMTG-CODE-010 | Verify that Java bytecode has been minified | Android iOS | Code V7.10 |
| OMTG-RARE-001 | Test the custom keyboard | Android iOS | Resiliency V9.1 |
| OMTG-RARE-002 | Test custom UI components | Android iOS | Resiliency V9.2 |
| OMTG-RARE-003 | Test advanced root/jailbreak detection | Android iOS | Resiliency V9.3 |
| OMTG-RARE-004 | Test debugging defenses | Android iOS | Resiliency V9.4 |
| OMTG-RARE-005 | Test file tampering defenses | Android iOS | Resiliency V9.5 |
| OMTG-RARE-006 | Test detection of commonly used reverse engineering tools | Android iOS | Resiliency V9.6 |
| OMTG-RARE-007 | Test basic emulator detection | Android iOS | Resiliency V9.7 |
| OMTG-RARE-008 | Test memory integrity monitoring | Android iOS | Resiliency V9.8 |
| OMTG-RARE-009 | Test variability of tampering responses | Android iOS | Resiliency V9.9 |
| OMTG-RARE-010 | Test trivial static analysis | Android iOS | Resiliency V9.10 |
| OMTG-RARE-011 | Verify that obfuscations and functional defenses are integrated | Android iOS | Resiliency V9.11 |
| OMTG-RARE-012 | Test device binding | Android iOS | Resiliency V9.12 |
| OMTG-RARE-013 | Test advanced emulator detection | Android iOS | Resiliency V9.13 |
| OMTG-RARE-014 | Test advanced obfuscation | Android iOS | Resiliency V9.14 - V9.15 |