November 3, 2025 at 8:06 PM · Max Knyazev · Telegram mirror

We continue the series of posts about different classes of solutions in AppSec/DevSecOps. Today we are talking about MAST.
📱
What is MAST?
MAST stands for Mobile Application Security Testing. Essentially, the logic here is the same as for SAST / DAST / IAST, but tailored entirely to the mobile platforms, iOS and Android. If SAST looks at the sources and DAST at an already deployed web application, then MAST checks the mobile application as a whole: the code, its interaction with the API, and its behavior on the device.
📱
What is MAST used for?
Mobile applications today are a wallet, a passport, and a bank account in one package. They store a huge amount of personal data, payment details and access tokens. MAST is therefore needed to check how the application stores and encrypts data on the phone, to find leaks through logs or third-party libraries, and to catch vulnerabilities in the interaction with the server (for example, incorrect TLS certificate validation).
💀
Unlike classic testing, MAST takes into account the specific features of mobile operating systems: access to hardware resources, application permissions, working with system storage, and so on.
How does it work?
Typically, MAST combines several approaches at once: static analysis of the APK/IPA (analysis of the code and its libraries), dynamic analysis while the application runs on a device or emulator, plus interactive checks.
😎
The simplest example: we take a mobile banking application, install it on a test phone, launch MAST and start running test scripts. Meanwhile, the agent watches where the application connects, how it stores data, and how it reacts to changes in its environment (for example, a jailbroken phone). If the access token suddenly shows up in clear text in the logs: hello, vulnerability.
🤩
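The "token in the logs" check from the example above, written out as a small added script that is not part of the original post or of any MAST product. It scans a constructed logcat excerpt for JWT and Bearer credentials and reports the log tag that wrote them, so the finding points at the component to fix; the log lines, tags and token values are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed logcat excerpt (threadtime format) standing in for output captured from
# a test device while a script drives the app; not output from any real application.
SAMPLE_LOGCAT = """\
10-12 14:02:11.123  4321  4321 D NetClient: GET https://api.bank.example/v1/accounts
10-12 14:02:11.140  4321  4321 D NetClient: Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl
10-12 14:02:11.201  4321  4321 I LoginFlow: user 42 authenticated
10-12 14:02:12.005  4321  4321 V Prefs: saved session_token=eyJhbGciOiJIUzI1NiJ9.eyJzaWQiOiJhYmMifQ.ZmFrZQ
10-12 14:02:12.010  4321  4321 D NetClient: Authorization: Bearer <redacted>
"""

# threadtime layout: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)

# Token shapes that should never appear in a device log in clear text.
TOKEN_PATTERNS = {
    # JWT: three base64url segments; the header segment always starts with "eyJ"
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*"),
    # Bearer credential of any format; a placeholder like "<redacted>" does not match
    "bearer": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}", re.IGNORECASE),
}

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the captured log
    tag: str       # logcat tag, i.e. which component wrote the secret
    kinds: tuple   # which token patterns matched on that line
    sample: str    # first characters of the token only, never the full value

def scan_logcat(text: str) -> list:
    """Return one Finding per log line that carries a credential in clear text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        m = LOGCAT_LINE.match(raw)
        if not m:
            continue  # not a threadtime line (e.g. a wrapped continuation); skip it
        msg, kinds, sample = m.group("msg"), [], ""
        for kind, pat in TOKEN_PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                kinds.append(kind)
                sample = sample or hit.group(0)[:12] + "..."
        if kinds:
            findings.append(Finding(no, m.group("tag"), tuple(kinds), sample))
    return findings
```

In a real run the input would come from `adb logcat -v threadtime` captured during the test script, and the report keeps only a truncated sample so the scanner's own output does not become a second leak.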
How to use MAST?
MAST is usually run either as a standalone scanner (you upload an APK or IPA to it and get a report) or integrated into QA processes and CI/CD. In the second case, it gives confidence that before release to the app store the application has been automatically checked for critical security bugs.
👏
Tools for Implementing MAST
Here, too, there are both open source and commercial options.
🤑
Among the free and popular ones we can name MobSF and Drozer.
Commercial solutions: AppScan from HCL, NowSecure, Checkmarx MAST, Veracode Mobile. In Russia there are Positive Technologies (PT AI has a separate module for mobile applications) and Solar appScreener (it can also analyze mobile applications).
👍
MAST is essentially the same "grown-up" security testing, but taking into account the specifics of mobile software. And yes, mobile applications are one of the main security fronts in the coming years.
🙂
#information_security #mast