Mobile Application Security Hygiene (MASH) – A Security Scanner for Mobile Applications | Singapore Government Developer Portal
Have feedback? Please

MASH header banner

MASH is a GovTech-developed Static Application Security Testing (SAST) tool that can be used to identify common vulnerabilities or unnecessary exposures in mobile applications.

MASH takes an “outside-in” approach, by extracting content from iOS (.ipa) and Android OS (.apk) files to identify potential vulnerabilities and the unintended exposure of sensitive data such as hardcoded secret keys, debugging information and Application Programming Interface (API) key strings. Support for Android OS .aab files will be added in a future release.

Additionally, MASH has the functionality to test mobile-specific settings, such as analysing the P-list file for iOS configurations, or the AndroidManifest.xml file for Android configurations. For Android applications, MASH will attempt to decompile the APK file for deeper analysis.

MASH is a part of the Singapore Government Tech Stack (SGTS) and can be integrated with SHIP-HATS. Developers are encouraged to use MASH as a security hygiene check before their applications undergo Vulnerability Assessment and Penetration Testing (VAPT).

Key Features

  • Platform-agnostic accessibility
  • Continuous Integration, Continuous Delivery/Deployment (CI/CD) integration
  • Leverages industry standards

Contact Us

Reach out to the product team with your queries or feedback through this form.

Last updated 03 April 2023

Was this article useful?
Send this page via email
Share on Facebook
Share on Linkedin
Tweet this page