MASH is a GovTech-developed Static Application Security Testing (SAST) tool that can be used to identify common vulnerabilities or unnecessary exposures in mobile applications.
MASH takes an “outside-in” approach, by extracting content from iOS (.ipa) and Android OS (.apk) files to identify potential vulnerabilities and the unintended exposure of sensitive data such as hardcoded secret keys, debugging information and Application Programming Interface (API) key strings. Support for Android OS .aab files will be added in a future release.
Additionally, MASH has the functionality to test mobile-specific settings, such as analysing the P-list file for iOS configurations, or the AndroidManifest.xml file for Android configurations. For Android applications, MASH will attempt to decompile the APK file for deeper analysis.
MASH is a part of the Singapore Government Tech Stack (SGTS) and can be integrated with SHIP-HATS. Developers are encouraged to use MASH as a security hygiene check before their applications undergo Vulnerability Assessment and Penetration Testing (VAPT).
- Platform-agnostic accessibility
- Continuous Integration, Continuous Delivery/Deployment (CI/CD) integration
- Leverages industry standards
Reach out to the product team with your queries or feedback through this form.
Last updated 03 April 2023
Thanks for letting us know that this page is useful for you!
If you've got a moment, please tell us what we did right so that we can do more of it.
Thanks for letting us know that this page still needs work to be done.
If you've got a moment, please tell us how we can make this page better.