Scope of Demos With Regard to OS API

[bernhste]

Hi everyone

The following two points are from the disclaimers stated in the "MASTG Demos (v2 Beta)" page:

• Scope and Purpose of MASTG Artifacts: Each new release of the MASTG will include a collection of testing resources such as Static Application Security Testing (SAST) rules, Dynamic Application Security Testing (DAST) scripts, and other relevant artifacts. However, it's crucial to understand that these resources are not intended to provide a comprehensive solution for all your security testing needs.
• Baseline: The resources provided in the MASTG serve as a baseline or starting point. They are designed to be used as references and learning tools in the field of mobile application security. While they offer valuable insights and guidelines, they should be used as a foundation upon which you can build and tailor your own specific automation and security testing processes.

Of course, it is not possible to implement an exhaustive library of demos and tests in every case. Test of weaknesses which regard the business logic of the app cannot be standardized. However, testing the insecure usage of the OS API can be. Examples are:

• Usage of the various internal and external plain text storage APIs
• Insecure initialization of key material using OS key store / chain
• Requesting insecure random numbers
• Usage of deprecated cryptographic primitives provided by the OS
• Using various plain text protocol provided by the OS
• Not using TLS pinning
• Insecure configuration of WebView
• Not using IPC validators provided by the OS
• Not testing for current OS/App version
• Not using resilience techniques provided by the OS
• Not using privacy preserving Ad-Ids
• Accessing personal data using OS API

My question is if the mid to long term goal is to develop a "body of tests" to test the weaknesses which are related to the (relatively) static OS API. I think this would be great, but I'm not sure if it would break the intended scope. Was this discussed already?