📋 Capability Reference

Everything mSAS Can Do

An exhaustive inventory of every analysis engine, security rule, scanner, parser, and export format across all three tools — APK Auditor, IPA Auditor, and ADB Auditor.

📱

APK Auditor

Deep static analysis for Android applications. Parses DEX bytecode, AndroidManifest.xml, certificates, and applies 150+ OWASP-aligned security rules — all client-side.

Launch APK Auditor → Source Code
150+Security Rules
DEXBytecode Analysis
AXMLManifest Parser
SARIFExport Format
5Export Types
🔬

Binary & Bytecode Parsing

6 parsers
  • DEX bytecode reader — parses classes.dex, classes2.dex+ (multi-dex support), extracts opcodes, string references, type IDs, method/field references, and proto IDs
  • AXML (Android XML) decoder — binary XML to human-readable format for manifest, layout, and resource XML files
  • ARSC parser — decodes resources.arsc for app resource table analysis (string pools, packages, types, configs)
  • AndroidManifest.xml extractor — decompiles binary manifest to structured JSON, extracts all elements and attributes
  • Native library detector — identifies .so files packaged for armeabi-v7a, arm64-v8a, x86, x86_64
  • APK entry lister — full inventory of all files inside APK, organized by directory
🔐

Certificate & Signature Analysis

4 checks
  • JAR signing (v1) verification — validates META-INF/MANIFEST.MF, .SF, .RSA/.DSA/.EC signature files
  • APK Signature Scheme v2/v3 — verifies block-based signature scheme with APK Signing Block parsing
  • Certificate chain extraction — issuer, subject, serial number, validity period (notBefore/notAfter), signature algorithm
  • Signing method detection — identifies JAR, v2, v3, and v4 signature schemes and their combinations
📋

AndroidManifest.xml Analysis

12+ checks
  • Permission audit — lists all <uses-permission> and <permission> declarations, flags dangerous/ signature/privileged permissions
  • Component enumeration — extract all <activity>, <service>, <receiver>, <provider> with their attributes
  • Exported component detection — flags components with android:exported="true" or intent filters without explicit export=false
  • Intent filter analysis — extracts all intent actions, categories, MIME types, data schemes, and authorities
  • Debuggable flag check — detects android:debuggable="true"
  • Backup flag detection — identifies android:allowBackup="true" (data exfiltration risk)
  • Network security config — detects android:networkSecurityConfig attribute and parses referenced config
  • Extract native flag — checks android:extractNativeLibs
  • Full backup check — identifies android:fullBackupContent
  • Min/target SDK version — extracts and evaluates min & target SDK version against best practices
  • App component alias — resolves <activity-alias> declarations
  • Custom permissions — detects app-defined permissions with their protection levels
🛡️

Security Rules Engine

150+ rules · OWASP MASVS
  • OWASP MASVS L1+L2 coverage — rules mapped to OWASP Mobile Application Security Verification Standard MASVS
  • CWE mapping — each finding references Common Weakness Enumeration IDs CWE
  • MSTG references — linked to OWASP Mobile Security Testing Guide test cases MSTG
  • Multi-severity system — findings classified as Critical, High, Medium, Low, or Info
  • Scoped patterns — rules define applicable file patterns (e.g., *.dex, AndroidManifest.xml, *.xml, *.so)
  • String-level scanning — matches regex patterns against DEX string pool entries
  • Configurable severity — rules have configurable severity levels
  • Rule deduplication — intelligent de-dupe of same rule across multi-dex
⚠️

Detected Vulnerability Categories

15 categories
  • Cryptography flaws — weak algorithms (MD5, SHA1, RC4, DES), hardcoded keys/IVs, ECB mode, custom crypto implementations
  • Insecure storage — SQLite databases, SharedPreferences, internal storage with world-readable/writable flags, getDir() calls
  • Code execution — Runtime.exec(), ProcessBuilder, WebView addJavascriptInterface() with JS enabled, URLClassLoader, DexClassLoader
  • Network & TLS — cleartext traffic allowed, WebView ignoring SSL errors (onReceivedSslError), hostname verification disabled, custom TrustManager, X509TrustManager
  • Logging & debug — Log.v/d/i/w/e calls, System.out/err, android.util.Log, debug certificate detection, debuggable manifest flag
  • Intent & IPC — implicit intents, PendingIntent misuse, exported content providers, service leaks, broadcast theft scenarios
  • File operations — world-readable/writable file creation, MODE_WORLD_READABLE, MODE_WORLD_WRITABLE, openFileOutput with public modes
  • WebView risks — JavaScript enabled, file:// access, remote webpage loading, addJavascriptInterface bridge, WebChromeClient
  • Backup & data leaks — allowBackup enabled, fullBackupContent, clipboard access, screenshot blocking (FLAG_SECURE)
  • Native code — System.loadLibrary() calls, JNI functions, native library detection, potentially unsafe native functions
  • Hardcoded secrets — API keys, tokens, passwords, secret keys, authentication tokens in DEX strings via entropy scanner
  • Binder/Service — AIDL interface exposure, bound service leaks
  • Notification abuse — NotificationListenerService, accessibility service risks
  • Account & auth — AccountManager usage, OAuth token handling, authentication bypass patterns
  • Provider injection — SQL injection via content providers, directory traversal in providers
🎲

Entropy-Based Secrets Detection

Shannon entropy engine
  • String pool scanning — extracts all strings from DEX bytecode and applies entropy analysis
  • Shannon entropy calculation — computes per-string entropy; flags strings with entropy > 4.5 (high probability of being secrets)
  • Context-aware filtering — skips low-value strings (short strings, common English, file paths, XML fragments)
  • Pattern-based candidate scoring — scores candidates by entropy value + character class distribution
  • API key / token / password detection — identifies base64-encoded, hex-encoded, and raw high-entropy strings matching secret patterns
  • False positive reduction — ignores strings containing common keywords, JSON/XML fragments, and natural language text
  • Severity tagging — high-entropy secrets flagged as High/Critical severity
📤

Export & Reporting

5 formats
  • SARIF 2.1.0 — Standardized OASIS Static Analysis Results Interchange Format for CI/CD pipeline integration
  • JSON — structured findings with rule metadata, severity, CWE, file location, and code snippets
  • CSV — tabular export for spreadsheet analysis and filtering
  • PDF — styled report with executive summary, finding breakdown by severity, rule details, timestamp, and tool metadata
  • Inline HTML display — findings rendered directly on page with severity badges, rule descriptions, and code location links
🍎

IPA Auditor

Deep static analysis for iOS applications. Inspects Mach-O binaries, property lists, provisioning profiles, entitlements, and ATS configurations with 80+ security rules.

Launch IPA Auditor → Source Code
80+Security Rules
Mach-OBinary Parser
PlistMetadata Analysis
ATSTransport Security
8Export Types
⚙️

Mach-O Binary Analysis

Fat binary + slice parsing
  • Fat binary header parsing — detects universal (fat) binaries with 32/64-bit slice enumeration
  • Architecture detection — identifies armv7, arm64, arm64e, x86_64 slices
  • Mach-O header decoding — parses magic bytes, CPU type/subtype, file type (MH_EXECUTE, MH_DYLIB, MH_BUNDLE), ncmds, flags
  • Load command enumeration — extracts all load commands (LC_SEGMENT_64, LC_SYMTAB, LC_CODE_SIGNATURE, LC_ENCRYPTION_INFO, etc.)
  • Encryption info extraction — parses LC_ENCRYPTION_INFO_64 to detect encrypted vs unencrypted binaries, crypt ID/offset/size
  • Segment & section listing — enumerates __TEXT, __DATA, __LINKEDIT segments with section details (__objc_classlist, __cfstring, __cstring, __const, etc.)
  • Shared library dependencies — extracts LC_LOAD_DYLIB commands for linked frameworks/libraries
  • Symbol table parsing — reads LC_SYMTAB for exported and imported symbol listing
  • Routine enumeration — lists LC_ROUTINES_64 for entry point analysis
  • Source version extraction — reads LC_SOURCE_VERSION load command
📄

Info.plist Analysis

15+ keys parsed
  • Bundle identification — extracts CFBundleIdentifier, CFBundleName, CFBundleDisplayName, CFBundleVersion, CFBundleShortVersionString
  • SDK & deployment target — parses DTPlatformVersion, DTSDKName, MinimumOSVersion, UIDeviceFamily
  • URL scheme enumeration — extracts all CFBundleURLTypesCFBundleURLSchemes for custom URL handlers
  • Query scheme detection — reads LSApplicationQueriesSchemes for canOpenURL: usage
  • Document type identification — parses CFBundleDocumentTypes and UTImportedTypeDeclarations for supported file types/UTIs
  • Background mode analysis — enumerates UIBackgroundModes (audio, location, voip, fetch, remote-notification, processing, etc.)
  • Privacy permission keys — detects all NS*UsageDescription keys (camera, photos, location, contacts, microphone, calendar, reminders, bluetooth, Siri, health, home, motion, face ID, media library, nearby interaction, tracking, etc.)
  • App transport security — reads NSAppTransportSecurity dictionary
  • Supported orientations — extracts UISupportedInterfaceOrientations (iPad + iPhone specific)
  • Status bar & UI settings — parses UIStatusBarStyle, UIViewControllerBasedStatusBarAppearance, UIRequiresFullScreen
  • iCloud & storage — detects NSUbiquitousContainers, UIFileSharingEnabled, LSSupportsOpeningDocumentsInPlace
  • Watch & extension detection — identifies WatchKit app references, WKCompanionAppBundleIdentifier
  • Font & accessory setup — lists UIAppFonts and UIAccessoryProtocols
📜

Provisioning Profile & Entitlements

6 analysis areas
  • Profile metadata — extracts Name, UUID, AppIDName, TeamName, TeamIdentifier, CreationDate, ExpirationDate
  • Platform support — identifies target platform (iOS, tvOS, watchOS, macOS)
  • Certificate chain — enumerates DeveloperCertificates (DER-encoded X.509 certs) with SHA-1 fingerprint
  • Provisioned devices — lists device UDIDs for development profiles; flags when absent (App Store distribution)
  • Entitlements extraction — parses the full entitlements dictionary embedded in the provisioning profile
  • Expiry monitoring — calculates days until expiration; flags expired or expiring profiles as warning
🌐

ATS & Network Security Audit

10+ checks
  • NSAppTransportSecurity analysis — full ATS dictionary parsing and evaluation
  • ATS disabled detection — flags NSAllowsArbitraryLoads = true (critical finding)
  • Per-domain exceptions — enumerates NSExceptionDomains with per-domain ATS settings
  • Minimum TLS version — checks NSExceptionMinimumTLSVersion against best practices (TLS 1.2+)
  • Forward secrecy requirement — evaluates NSExceptionRequiresForwardSecrecy
  • Arbitrary loads in web views — flags NSAllowsArbitraryLoadsInWebContent when enabled
  • Local network exemptions — detects NSAllowsLocalNetworking for local network access
  • Third-party cookie exceptions — checks NSExceptionAllowsInsecureHTTPLoads per domain
  • Certificate transparency — evaluates NSRequiresCertificateTransparency settings
  • ATS Pinning requirements — checks if NSExceptionDomains use NSRequiresCertificateTransparency
🛡️

iOS Security Rules Engine

80+ rules
  • OWASP MASVS coverage — rules mapped to iOS-specific MASVS requirements MASVS
  • CWE reference — every rule tagged with applicable CWE IDs CWE
  • Multi-severity system — Critical, High, Medium, Low, Info severity classification
  • Plist-sourced rules — rules that inspect Info.plist values against security best practices
  • Mach-O-sourced rules — rules that analyze binary properties (encryption, architecture, entitlements)
  • ATS-sourced rules — network security transport rules from NSAppTransportSecurity
  • Entitlement-based rules — security checks on embedded entitlements (keychain access groups, iCloud, push notifications, etc.)
  • Provisioning-based rules — profile integrity and expiry checks
  • Privacy compliance rules — detects missing or incomplete privacy usage descriptions
⚠️

Detected Vulnerability Categories

12 categories
  • ATS bypass — arbitrary network loads allowed, insecure HTTP loads permitted
  • Insecure TLS configuration — weak TLS versions, missing forward secrecy, missing certificate transparency
  • Missing encryption — unencrypted binary (no FairPlay encryption detected), exposing binary analysis surface
  • Privacy compliance — missing or incomplete NS*UsageDescription keys required for privacy-sensitive APIs
  • Insecure data storage — UIFileSharingEnabled, supports opening documents in place without proper safeguards
  • Exposed URL schemes — custom URL schemes that could be intercepted or invoked by malicious apps
  • Excessive background modes — unnecessary background modes draining battery and increasing attack surface
  • Expired provisioning — expired or soon-to-expire provisioning profiles
  • Jailbreak detection gaps — absence of jailbreak detection checks
  • Keychain accessibility — keychain access group analysis, detecting weak accessibility constraints
  • Third-party SDK risks — identification of known vulnerable or data-collecting SDKs from linked frameworks
  • Insecure plist values — misconfigured plist key/values that weaken security posture
🎲

Entropy Analysis & Export

Entropy + 5 export formats
  • Entropy-based string analysis — Shannon entropy scanning of extracted strings from Mach-O __cstring and __cfstring sections
  • High-entropy candidate identification — flags potential API tokens, encryption keys, and hardcoded secrets in binary strings
  • SARIF 2.1.0 export — standardized OASIS format for CI integration
  • JSON export — structured findings with full rule metadata, severity, CWE, and location
  • CSV export — flat table for spreadsheet and data analysis workflows
  • PDF report — styled multi-page report with severity breakdown, finding details, and audit metadata
  • Inline results — on-page rendering with severity-colored badges, expandable findings, and rule documentation
🤖

ADB Auditor

Browser-based Android device security auditing over WebUSB. Connect live devices, browse filesystems, run shell commands, and execute OWASP-aligned security scans — all from your browser.

Launch ADB Auditor → Source Code
WebUSBDevice Connection
ADBProtocol Engine
ShellCommand Execution
AuditSecurity Scanner
PDFReport Export
🔌

WebUSB ADB Protocol Engine

Full ADB implementation
  • WebUSB device enumeration — browser-based discovery of Android devices over USB via navigator.usb.requestDevice()
  • ADB protocol implementation — complete ADB wire protocol (version 1.0.32) including framing, checksum, magic bytes
  • Authentication handshake — RSA public key authentication with OpenSSL-compatible key generation, token signing, and retry logic
  • Shell protocol (v2) — implements the ADB shell protocol with PTY allocation, exit code retrieval, and unbuffered I/O
  • Multi-device management — enumerates and manages connections to multiple ADB devices simultaneously
  • Connection health monitoring — keepalive, reconnection, and timeout handling for stable long-running sessions
  • Service command routing — dispatches ADB service commands (shell, transport, framebuffer, sync, reboot, remount, root, etc.)
📊

Device & App Analysis

10+ analysis areas
  • Device info retrieval — model, manufacturer, Android version, SDK level, build fingerprint, serial, security patch level
  • Installed package listing — enumerates all pm list packages with filterable output (system vs third-party, disabled, etc.)
  • App permission analysis — extracts dumpsys package <pkg> permission groups, granted/denied permissions, runtime permissions
  • APK path resolution — locates base APK and split APK paths for any installed package
  • App version extraction — versionName, versionCode, firstInstallTime, lastUpdateTime from package manager
  • Process listing — enumerates running processes via ps with PID, user, and memory info
  • Storage analysis — internal storage vs SD card, app data directory sizes, cache sizes
  • Network connection audit — lists active TCP/UDP connections with netstat or proc/net
  • Service & broadcast receiver enumeration — dumps registered services and receivers per package
📁

File System Browser

Interactive file manager
  • Directory listingls -la style output with file permissions, owner/group, size, modification time
  • File content readingcat for text files, with size limit protection for large files
  • Navigation with breadcrumbs — interactive path traversal with clickable directory hierarchy
  • Root-mode file access — when device is rooted, switches to su-based file access for protected paths (/data/data)
  • Application data directory scanning — browses /data/data/<pkg>/ for databases, shared preferences, cache, files, code cache
  • File permission analysis — flags world-readable/writable files and directories with permission string decoding
  • File type identification — distinguishes directories, regular files, symlinks, sockets, and named pipes
  • Quick-access shortcuts — predefined paths for common security-relevant locations (/data/system, /data/local/tmp, storage, etc.)
💻

Shell & System Access

Interactive + command execution
  • Interactive shell terminal — full interactive shell session over WebUSB with command history, PTY allocation
  • Pre-built command palette — one-click commands: id, uname -a, getprop, mount, df -h, ps -A, netstat -tlnp, dmesg, logcat, pm list packages
  • Root mode toggle — attempts su -c prefix for commands requiring elevated privileges; shows root availability status
  • Command output capture — captures stdout/stderr with proper encoding handling and large output truncation
  • Screenshot capture — executes screencap via ADB, retrieves raw framebuffer, and renders as PNG in browser
  • Logcat viewer — captures and filters logcat output with buffer selection (main, system, events, crash)
  • Bugreport generation — triggers bugreport for comprehensive device diagnostic dump
  • Package installation/deletionpm install and pm uninstall commands via shell
🛡️

Device Security Audit Engine

OWASP MASTG aligned
  • ADB over network check — detects if device is listening on TCP port 5555 for remote ADB connections
  • Root/jailbreak detection — checks for su binary presence, /system/xbin/su, Magisk, and test-keys build fingerprint
  • USB debugging status — verifies ADB debugging is enabled/disabled and evaluates risk context
  • Screen lock assessment — checks if device has active screen lock (PIN, pattern, password, or biometric)
  • Encryption status — verifies full-disk encryption or file-based encryption is active
  • Developer options check — flags when developer options and USB debugging are enabled
  • Unknown sources / sideloading — checks if install_non_market_apps or similar is enabled
  • Security patch level — evaluates ro.build.version.security_patch against current date for patch age
  • Verified boot status — checks ro.boot.verifiedbootstate (green/yellow/orange/red)
  • ADB over network port scanning — probes TCP 5555 from device-side to detect if remote ADB is exposed
  • SELinux mode — checks getenforce output (Enforcing vs Permissive mode)
  • Dangerous permission audit — identifies apps holding SMS, Contacts, Location, Camera, Microphone, and Calendar permissions
  • Verification summary — risk-scored per check with detailed remediation advice
📤

Export & Reporting

PDF · JSON · CSV · SARIF
  • PDF security report — comprehensive styled report with device info summary, audit finding breakdown by severity, MASTG reference mapping, and timestamp
  • JSON export — structured device audit results with all findings, metadata, and rule references
  • CSV export — tabular findings suitable for spreadsheet analysis and team workflows
  • SARIF 2.1.0 — integrated into OASIS standard format for CI/CD security pipeline integration
  • Screenshot capture & display — live device screenshot with automatic refresh capability
  • Clipboard-aware exports — copy findings as formatted text with one-click copy buttons
🔗

Shared Features

Capabilities common to all three tools that unify the mSAS experience.

🌙

Dark/Light Theme

Persistent theme toggle with system preference detection. Smooth transitions and full design system variant for both modes.

📱

Fully Responsive

Adaptive layout from phone to ultrawide. Touch-friendly controls, proper viewport handling, and accessible tap targets.

🔒

100% Client-Side

Zero data leaves your device. All analysis, parsing, and scanning happens in your browser via Web Workers. No servers, no uploads, no telemetry.

Web Worker Architecture

Heavy computation offloaded to background Web Workers. UI stays responsive during analysis. Multi-worker parallel processing where applicable.

📦

No Installation Required

Open in any modern browser and start analyzing. No downloads, no dependencies, no command-line tools needed (except ADB WebUSB requires Chrome).

📜

SARIF 2.1 Export

All three tools export findings in standardized OASIS SARIF 2.1.0 format, ready for integration with GitHub Code Scanning, Azure DevOps, or any SARIF-compatible tool.

📋

Accessible UI

Keyboard navigation, screen reader support with ARIA labels, focus-visible indicators, reduced motion support, and skip-to-content links.

🔍

Comprehensive CWE/MASVS Mapping

Every security finding cross-referenced to CWE, OWASP MASVS, and MSTG. Built-in documentation for each rule with mitigation guidance.

🔄

Multi-Format Export

PDF (styled reports), JSON (structured data), CSV (spreadsheets), SARIF 2.1 (CI/CD). Download or copy findings with one click.

Back to Dashboard