First Update to MAS and MASTG (#2179)

* add announcement and first update to MAS

* fixing MASTG vs MSTG

* add project name

* fix links

.github/ISSUE_TEMPLATE/bug-report-app.yml

@@ -1,5 +1,5 @@
-name: 🪲📲 Bug in MSTG crackmes / challenges Apps
-description: Create a report to help us improve the MSTG.
+name: 🪲📲 Bug in MASTG crackmes / challenges Apps
+description: Create a report to help us improve the MASTG.
 title: "[Bug] "
 labels: ["bug"]
 

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -1,5 +1,5 @@
-name: 🪲📘 Bug report / error in MSTG report
-description: Create a report to help us improve the MSTG.
+name: 🪲📘 Bug report / error in MASTG report
+description: Create a report to help us improve the MASTG.
 title: "[Bug] "
 labels: ["bug"]
 
@@ -18,7 +18,7 @@ body:
   - type: input
     id: chapter
     attributes:
-      label: MSTG Chapter
+      label: MASTG Chapter
       description: Which chapter contains the bug?
       placeholder: e.g. 0x05f-Testing-Local-Authentication.md line 30
     validations:

.github/ISSUE_TEMPLATE/make-donation.yml

@@ -1,5 +1,5 @@
-name: 💲 Donate to the OWASP Mobile Security Project
-description: Thanks for donating to the MSTG project!
+name: 💲 Donate to the OWASP Mobile Application Security Project
+description: Thanks for donating to the MAS project!
 title: "💲🎉 New Donation"
 labels: ["org", "donation"]
 assignees:
@@ -56,17 +56,17 @@ body:
       description: Which Donator Package would you like to request?
       options:
         - Standard Donation / No package (Donation < USD 500)
-        - Good Samaritan (USD 500; 1 year;  1 paperback MSTG)
-        - Honourable Benefactor (USD 2000 / 8 Available; 2 years; 3 paperback MSTGs)
-        - God Mode Donator (USD 4000 / 5 Available; 3 years; 5 paperback MSTGs)
+        - Good Samaritan (USD 500; 1 year;  1 paperback MASTG)
+        - Honourable Benefactor (USD 2000 / 8 Available; 2 years; 3 paperback MASTGs)
+        - God Mode Donator (USD 4000 / 5 Available; 3 years; 5 paperback MASTGs)
     validations:
       required: true
 
   - type: dropdown
     id: paperback
     attributes:
-      label: 📘 MSTG Paperback Copies
-      description: Would you like to receive the paperback copies of the MSTG as indicated in your Donation Package?
+      label: 📘 MASTG Paperback Copies
+      description: Would you like to receive the paperback copies of the MASTG as indicated in your Donation Package?
       options:
         - 🌱 No, please save the money for the project and help the environment and climate.
         - 📮 Yes, please send them to me.

.github/release.yml

@@ -3,16 +3,16 @@ changelog:
     labels:
       - "ignore-for-release"
   categories:
-    - title: 🧪 MSTG Test Cases
+    - title: 🧪 MASTG Test Cases
       labels:
         - "tests"
-    - title: 📖 MSTG Testing Fundamentals
+    - title: 📖 MASTG Testing Fundamentals
       labels:
         - "fundamentals"
-    - title: ✨ MSTG Testing Techniques
+    - title: ✨ MASTG Testing Techniques
       labels:
         - "techniques"
-    - title: 🪄 MSTG Testing Tools
+    - title: 🪄 MASTG Testing Tools
       labels:
         - "tools"
     - title: 🐞 Errata Corrections

.github/workflows/build-website.yml

@@ -14,17 +14,17 @@ jobs:
           python-version: 3.x
       - run: pip install -r requirements.txt
 
-      - run: mkdir docs/MSTG
-      - run: mkdir docs/MSTG/General
-      - run: mkdir docs/MSTG/Android
-      - run: mkdir docs/MSTG/iOS
-      - run: mv Document/0x0*.md docs/MSTG
-      - run: mv docs/MSTG/0x04*.md docs/MSTG/General
-      - run: mv docs/MSTG/0x05*.md docs/MSTG/Android
-      - run: mv docs/MSTG/0x06*.md docs/MSTG/iOS
+      - run: mkdir docs/MASTG
+      - run: mkdir docs/MASTG/General
+      - run: mkdir docs/MASTG/Android
+      - run: mkdir docs/MASTG/iOS
+      - run: mv Document/0x0*.md docs/MASTG
+      - run: mv docs/MASTG/0x04*.md docs/MASTG/General
+      - run: mv docs/MASTG/0x05*.md docs/MASTG/Android
+      - run: mv docs/MASTG/0x06*.md docs/MASTG/iOS
       - run: mv Document/Images/ docs/assets/Images/
-      - run: sed -i "s#<img src=\"Images/#<img src=\"../../assets/Images/#g" docs/MSTG/*.md
-      - run: sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" docs/MSTG/*/*.md
+      - run: sed -i "s#<img src=\"Images/#<img src=\"../../assets/Images/#g" docs/MASTG/*.md
+      - run: sed -i "s#<img src=\"Images/#<img src=\"../../../assets/Images/#g" docs/MASTG/*/*.md
 
       - run: mkdir docs/MASVS
       - run: mkdir docs/assets/Images/MASVS

.github/workflows/docgenerator.yml

@@ -13,7 +13,7 @@ on:
 
 jobs:
 
-  Generate-MSTG-Documents:
+  Generate-MASTG-Documents:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
@@ -33,8 +33,8 @@ jobs:
     - name: Upload Artifacts
       uses: actions/upload-artifact@v2
       with:
-        name: OWASP_MSTG-${{env.VERSION}}
-        path: OWASP_MSTG-${{env.VERSION}}*
+        name: OWASP_MASTG-${{env.VERSION}}
+        path: OWASP_MASTG-${{env.VERSION}}*
 
   Generate-Checklists:
     runs-on: ubuntu-latest
@@ -48,21 +48,21 @@ jobs:
     - name: Listing repo recursive
       run: ls -lR
 
-    - name: Set MSTG_VERSION to env 
-      # run: echo "MSTG_VERSION=$(git describe --tags `git rev-list --tags --max-count=1`)" >> $GITHUB_ENV
-      run: echo "MSTG_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-mstg/tags | jq '.[0].name' | sed 's/\"//g')" >> $GITHUB_ENV
+    - name: Set MASTG_VERSION to env 
+      # run: echo "MASTG_VERSION=$(git describe --tags `git rev-list --tags --max-count=1`)" >> $GITHUB_ENV
+      run: echo "MASTG_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-mstg/tags | jq '.[0].name' | sed 's/\"//g')" >> $GITHUB_ENV
 
     - name: Set DEV VERSION if it's not a tag
       if: ${{ !startsWith(github.ref, 'refs/tags/') }}
-      run: echo "MSTG_VERSION=${{env.MSTG_VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+      run: echo "MASTG_VERSION=${{env.MASTG_VERSION}}-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 
-    - name: Confirm MSTG Current Tag
-      run: echo ${{env.MSTG_VERSION}}
+    - name: Confirm MASTG Current Tag
+      run: echo ${{env.MASTG_VERSION}}
 
-    - name: Get MSTG Current Commit ID
-      run: echo "MSTG_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-    - name: Confirm MSTG Current Commit ID
-      run: echo ${{env.MSTG_COMMIT}}
+    - name: Get MASTG Current Commit ID
+      run: echo "MASTG_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+    - name: Confirm MASTG Current Commit ID
+      run: echo ${{env.MASTG_COMMIT}}
 
     - name: Get Latest MASVS Release Tag
       run: echo "MASVS_VERSION=$(curl -s https://api.github.com/repos/OWASP/owasp-masvs/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_ENV
@@ -79,7 +79,7 @@ jobs:
 
     - name: Get MASVS Current Commit ID
       run: cd tools/scripts/owasp-masvs && echo "MASVS_COMMIT=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
-    - name: Confirm MSTG Current Commit ID
+    - name: Confirm MASTG Current Commit ID
       run: echo ${{env.MASVS_COMMIT}}
 
     - name: Listing of scripts directory
@@ -91,14 +91,14 @@ jobs:
     - name: Show openpyxl Version
       run: pip3 show openpyxl
 
-    - name: Convert MSTG Testing Chapters to HTML
+    - name: Convert MASTG Testing Chapters to HTML
       run: . tools/scripts/mstg_to_html.sh
 
-    - name: List MSTG HTML
+    - name: List MASTG HTML
       run: ls -l tools/scripts/generated/html/
 
-    - name: Export YAML, enhance with MSTG and generate Excel
-      run: cd tools/scripts && ./gen_all_excel.sh ${{env.MSTG_VERSION}} ${{env.MSTG_COMMIT}} ${{env.MASVS_VERSION}} ${{env.MASVS_COMMIT}}
+    - name: Export YAML, enhance with MASTG and generate Excel
+      run: cd tools/scripts && ./gen_all_excel.sh ${{env.MASTG_VERSION}} ${{env.MASTG_COMMIT}} ${{env.MASVS_VERSION}} ${{env.MASVS_COMMIT}}
 
     - name: Upload Enhanced MASVS YAML
       uses: actions/upload-artifact@v2
@@ -114,12 +114,12 @@ jobs:
 
   release:
     runs-on: ubuntu-latest
-    needs: [Generate-MSTG-Documents, Generate-Checklists]
+    needs: [Generate-MASTG-Documents, Generate-Checklists]
     if: startsWith(github.ref, 'refs/tags/') && (github.actor == 'cpholguera' || github.actor == 'sushi2k')
     steps:
       - uses: actions/download-artifact@v2
       - name: List Downloaded document (sampling of download-artifact)
-        run: ls -l OWASP_MSTG*
+        run: ls -l OWASP_MASTG*
 
       - name: print working directory
         run: pwd 
@@ -134,9 +134,9 @@ jobs:
           generate_release_notes: true
           discussion_category_name: Announcements
           files: |
-            OWASP_MSTG-*/OWASP_MSTG-*.pdf
-            OWASP_MSTG-*/OWASP_MSTG-*.epub
-            OWASP_MSTG-*/OWASP_MSTG-*.docx
+            OWASP_MASTG-*/OWASP_MASTG-*.pdf
+            OWASP_MASTG-*/OWASP_MASTG-*.epub
+            OWASP_MASTG-*/OWASP_MASTG-*.docx
             Checklists/*.xlsx
             Enhanced-MASVS-YAML-Files/*.yaml
         env:

.gitignore

@@ -10,4 +10,6 @@ OWASP_MSTG-SNAPSHOT-*
 logs
 *.pdf
 *.docx
-*.epub
+*.epub
+docs/MASVS
+docs/MASTG

CITATION.cff

@@ -1,6 +1,6 @@
 # YAML 1.2
 ---
-abstract: "The MSTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS)."
+abstract: "The MASTG is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS)."
 authors: 
   -
     family-names: Holguera
@@ -26,8 +26,8 @@ keywords:
   - "iOS security"
   - "mobile pentesting"
 license: "CC-BY-SA-4.0"
-message: "If you use the MSTG, please cite it using these metadata."
+message: "If you use the MASTG, please cite it using these metadata."
 repository-code: "https://github.com/OWASP/owasp-mstg/"
-title: "OWASP Mobile Security Testing Guide"
+title: "OWASP Mobile Application Security Testing Guide"
 version: "1.2"
 ...

CODE_OF_CONDUCT.md

@@ -31,15 +31,15 @@ Project maintainers have the right and responsibility to remove, edit, or reject
 
 ## Disclaimer
 
-The MSTG and its materials are conceived for educational and research purposes only, or if you are a professional security tester that is analyzing mobile apps with approval of the app owner (e.g. as part of a penetration test or a bug bounty program).
+The OWAPS MAS and its materials are conceived for educational and research purposes only, or if you are a professional security tester that is analyzing mobile apps with approval of the app owner (e.g. as part of a penetration test or a bug bounty program).
 
-Refrain from violating the laws in your country by carefully consulting them before executing any tests against mobile apps when utilizing the MSTG materials.
+Refrain from violating the laws in your country by carefully consulting them before executing any tests against mobile apps when utilizing the OWAPS MAS materials.
 
-The MSTG project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
+The OWAPS MAS project is also NOT supporting unethical activities in any way. If you come across such requests, please reach out to the project leaders and raise this to them.
 
-Neither OWASP, the MSTG project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
+Neither OWASP, the OWAPS MAS project leaders, authors or anyone else involved in this project is going to take responsibility for your actions.
 
-The intention of the MSTG is not to encourage hacking or malicious activities! Instead, the goal of the project is to document different attacks against mobile apps and its risk, and offer ways to reduce or mitigate that risk.
+The intention of the OWAPS MAS project is not to encourage hacking or malicious activities! Instead, the goal of the project is to document different attacks against mobile apps and its risk, and offer ways to reduce or mitigate that risk.
 
 ## Scope
 

Crackmes/README.md

@@ -12,7 +12,7 @@ This app holds a secret inside. Can you find it?
 
 - Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
 - Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
-- Maintained by the OWASP MSTG leaders.
+- Maintained by the OWASP MAS leaders.
 
 #### Installation
 
@@ -40,7 +40,7 @@ This app holds a secret inside. May include traces of native code.
 - Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
 - Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
 - Special thanks to Michael Helwig for finding and fixing an oversight in the anti-tampering mechanism.
-- Maintained by the OWASP MSTG leaders.
+- Maintained by the OWASP MAS leaders.
 
 #### Installation
 
@@ -66,7 +66,7 @@ The crackme from hell!
 - Objective: A secret string is hidden somewhere in this app. Find a way to extract it.
 - Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
 - Special thanks to Eduardo Novella for testing, feedback and pointing out flaws in the initial build(s).
-- Maintained by the OWASP MSTG leaders.
+- Maintained by the OWASP MAS leaders.
 
 #### Installation
 
@@ -104,9 +104,9 @@ $ adb install r2pay-v0.9.apk
 ```
 
 #### Versions
-- `v0.9` - Release for `OWASP MSTG`.
+- `v0.9` - Release for OWASP MAS.
   - Source code is available and the compilation has been softened in many ways to make the challenge easier and more enjoyable for newcomers.
-- `v1.0` - Release for `R2con CTF 2020`.
+- `v1.0` - Release for R2con CTF 2020.
   - No source code is available and many extra protections are in place.
 
 #### Solutions R2pay v0.9
@@ -123,7 +123,7 @@ A brand new Android app sparks your interest. Of course, you are planning to pur
 
 - Objective: Generate a valid serial key that is accepted by this app.
 - Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
-- Maintained by the OWASP MSTG leaders.
+- Maintained by the OWASP MAS leaders.
 
 #### Installation
 
@@ -156,7 +156,7 @@ This app holds a secret inside. Can you find it?
 
 - Objective: A secret string is hidden somewhere in this binary. Find a way to extract it. The app will give you a hint when started.
 - Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller")
-- Maintained by the OWASP MSTG leaders.
+- Maintained by the OWASP MAS leaders.
 
 #### Installation
 
@@ -177,7 +177,7 @@ This app holds a secret inside - and this time it won't be tampered with!
 
 - Objective: Find the secret code - it is related to alcoholic beverages.
 - Author: [Bernhard Mueller](https://github.com/muellerberndt "Bernhard Mueller").
-- Maintained by the OWASP MSTG leaders.
+- Maintained by the OWASP MAS leaders.
 
 Note: Due to its anti-tampering the app won't run correctly if the main executable is modified and/or re-signed. You'll need to trust the developer run it the standard way on a non-jailbroken device (General Settings -> Profile & Device Management) and to verify the solution.
 
@@ -192,10 +192,10 @@ Note: The IPA is signed with an Enterprise distribution certificate. You'll need
 - [Solution by Ryan Teoh](http://www.ryantzj.com/cracking-owasp-mstg-ios-crackme-the-uncrackable.html "Solution by Ryan Teoh").
 - [Solution by Pietro Oliva](https://0xsysenter.github.io/ios/reversing/arm64/mobile/ipa/frida/instrumentation/crackme/2021/02/08/ios-apps-reverse-engineering-solving-crackmes-part-2.html "Solution by Pietro Oliva").
 
-## MSTG Hacking Playground
+## MASTG Hacking Playground
 
-Did you enjoy working with the Crackmes? There is more! Go to [the MSTG Hacking Playground](https://github.com/OWASP/MSTG-Hacking-Playground "MSTG-playground") and find out!
+Did you enjoy working with the Crackmes? There is more! Go to [the MASTG Hacking Playground](https://github.com/OWASP/MSTG-Hacking-Playground "MASTG-playground") and find out!
 
 ## Issues with the Crackmes
 
-If the app does not boot, or if there is another bug: file an issue at this repository or at [the one you should not go to (SPOILER ALERT!)](https://github.com/OWASP/mstg-crackmes "OWASP MSTG Crackmes").
+If the app does not boot, or if there is another bug: file an issue at this repository or at [the one you should not go to (SPOILER ALERT!)](https://github.com/OWASP/mstg-crackmes "OWASP MASTG Crackmes").

Document/0x01-Foreword.md

@@ -10,10 +10,10 @@ If you have feedback or suggestions, or want to contribute, create an issue on G
 
 On a beautiful summer day, a group of ~7 young men, a woman, and approximately three squirrels met in a Woburn Forest villa during the OWASP Security Summit 2017. So far, nothing unusual. But little did you know, within the next five days, they would redefine not only mobile application security, but the very fundamentals of book writing itself (ironically, the event took place near Bletchley Park, once the residence and work place of the great Alan Turing).
 
-Or maybe that's going too far. But at least, they produced a proof-of-concept for an unusual security book. The Mobile Security Testing Guide (MSTG) is an open, agile, crowd-sourced effort, made of the contributions of dozens of authors and reviewers from all over the world.
+Or maybe that's going too far. But at least, they produced a proof-of-concept for an unusual security book. The Mobile Application Security Testing Guide (MASTG) is an open, agile, crowd-sourced effort, made of the contributions of dozens of authors and reviewers from all over the world.
 
 Because this isn't a normal security book, the introduction doesn't list impressive facts and data proving importance of mobile devices in this day and age. It also doesn't explain how mobile application security is broken, and why a book like this was sorely needed, and the authors don't thank their beloved ones without whom the book wouldn't have been possible.
 
-We do have a message to our readers however! The first rule of the OWASP Mobile Security Testing Guide is: Don't just follow the OWASP Mobile Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating systems, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book. Don't stop at security testing. Write your own apps, compile your own kernels, dissect mobile malware, learn how things tick. And as you keep learning new things, consider contributing to the MSTG yourself! Or, as they say: "Do a pull request".
+We do have a message to our readers however! The first rule of the OWASP Mobile Security Testing Guide is: Don't just follow the OWASP Mobile Security Testing Guide. True excellence at mobile application security requires a deep understanding of mobile operating systems, coding, network security, cryptography, and a whole lot of other things, many of which we can only touch on briefly in this book. Don't stop at security testing. Write your own apps, compile your own kernels, dissect mobile malware, learn how things tick. And as you keep learning new things, consider contributing to the MASTG yourself! Or, as they say: "Do a pull request".
 
 <img src="Images/summit-team.jpg" width="100%" />