Skip to main content

Automated MAST

Introduction

As part of our Business licenses, we offer an automated Mobile Application Security Testing (MAST) tool for a compelling and cost-effective DevSecOps solution. By harnessing the power of virtual devices, you can test your mobile applications on a wide range of devices without the need to purchase and maintain their physical counterparts.

By building on the scalability and convenience of our cloud-based virtual devices, Corellium's automated MAST solution drastically reduces the effort, cost and time of penetration testing; enabling you to invest more into your security processes and ship more secure apps.

How it Works

Our Automated MAST solution is designed to help you identify and address security issues with their apps early in the development process. This approach reduces the risk of security vulnerabilities in the virtualized mobile devices, providing a more secure experience for end-users.

1. Create a virtual device and install your app

Once your native app has finished building in your CI/CD pipeline, you can use our API to create new virtual device(s) and install your newly built app (IPA or APK). We will use this app to run security tests on the virtual device.

Get started using our UI.

When running MAST on Android, the device must be configured to use 4 cores. You can see how to configure this in CPU and RAM Settings.

2. Run user interactions

Once the app is installed, you can run a set of automated interactions on the device e.g. open the app, sign in using a test account, add items to cart, checkout, etc. These actions are designed to generate traffic and local data on the device, which can be used to identify runtime-level security issues.

3. Run automated security tests

After the user actions script has finished running, we will run a specialized set of automated security tests on the device which follow the Mobile OWASP Checklist. These tests are designed to identify security issues in the app, such as insecure data storage, insecure network communication, insecure authentication and more.

Learn more about automated security tests.

4. View results

Once the security tests have finished running, a report will be created on the CI instance. You can then upload this as an artifact to your CI/CD pipeline and view the results in your CI/CD dashboard.

Learn more about automated MAST reporting.

Benefits

  • Scalable: Virtual devices in the cloud inherently remove the need for device labs and make it easier to work with a team, distributed or on-site.
  • Cost-efficient: Virtual devices are much cheaper to run and remove the need for both upfront and maintenance costs, resulting in more predictable pricing.
  • Automated: CI/CD automation can bring security testing back in the SDLC and run continuously without human intervention.
  • Time-saving: A CI-based approach also runs asynchronously to the main work, removing the need for dedicated security testing time at the end of each cycle.
  • Simplified workflows: Our MAST offering removes the need to aggregate single-focus open-source tools. Plus, our platform allows you to jailbreak devices instantly.
  • Powerful tooling: Our MAST solution builds on top of our security research tools, giving you access to things like Snapshots for super fast rollbacks to saved states.

Known Issues

Android & iOS

  • Devices need to be created after February 1st, 2024 to be eligible for Automated MAST.

iOS only

  • Networking tests on iOS requires tcpdump to be installed on the device. This is not installed by default at this time and needs to be installed manually by running apt install tcpdump on the device. Otherwise these tests will return a false "Pass".

Android only

  • We’ve identified some inconsistencies in the results produced by MAST on Android 14. Our team is currently investigating this issue.
  • There are multiple issues running MAST on Android 8-10. We are currently working on a fix for this.
  • Android 7 does not support Corellium Cafe.