This integration is configured through the Invicti ASPM product.
MAST overview
What is MAST?
Mobile Application Security Testing (MAST) identifies security vulnerabilities in mobile applications for iOS and Android platforms. MAST tools combine static analysis (examining app binaries and source code) with dynamic analysis (testing running apps) to provide comprehensive coverage of mobile-specific security risks that standard SAST and DAST tools are not designed to address.
Invicti AppSec Core includes a preconfigured Invicti SCA scanner that is automatically activated with your package. The integrations on this page are for teams using Invicti ASPM who want to connect their own SCA tools instead. See AppSec Core scanners overview for details on the built-in scanner.
How it works
MAST tools analyze mobile applications using a combination of approaches:
- Static binary analysis — decompiles and analyzes app binaries (.apk, .ipa) without executing them to find hardcoded secrets, insecure API calls, and vulnerable code patterns.
- Dynamic analysis — instruments and executes the app on a real device or emulator to observe runtime behavior, network traffic, and data storage.
- API communication analysis — inspects traffic between the mobile app and its backend APIs for insecure transport, authentication weaknesses, and sensitive data exposure.
- Permissions analysis — checks for overly broad or unnecessary permission requests that could expose user data.
What it can discover
MAST detects risks across the following categories:
| Category | Examples |
|---|---|
| Insecure data storage | Sensitive data stored in plaintext on device, unprotected SharedPreferences, insecure SQLite databases |
| Hardcoded secrets | API keys, credentials, and tokens embedded in app binaries |
| Insecure communication | Cleartext HTTP traffic, improper SSL/TLS certificate validation, missing certificate pinning |
| Weak authentication | Insecure biometric implementations, weak local authentication, session management issues |
| Overly broad permissions | Unnecessary access to contacts, camera, location, or storage |
| Client-side injection | JavaScript injection in WebViews, SQL injection in local databases |
| Reverse engineering risks | Missing code obfuscation, debuggable build flags left enabled |
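As an added illustration of the static checks behind several rows of this table (not Invicti's or esChecker's code), the following Python script inspects a constructed, decoded AndroidManifest.xml for the debuggable and cleartext-traffic flags and for broad permission requests, and matches extracted string constants against hardcoded-secret patterns. The permission list, the secret patterns and the sample inputs are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed set of permissions a reviewer would treat as overly broad for most apps
BROAD_PERMISSIONS = {"android.permission.READ_CONTACTS", "android.permission.CAMERA",
                     "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_EXTERNAL_STORAGE"}

# Assumed patterns for hardcoded credentials (the AWS access key id format is public)
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}

def check_manifest(manifest_xml: str) -> list[str]:
    """Static checks on a decoded manifest: build flags, cleartext traffic, permissions."""
    findings = []
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append("debuggable build flag enabled")
        if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
            findings.append("cleartext HTTP traffic allowed")
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in BROAD_PERMISSIONS:
            findings.append(f"broad permission requested: {name}")
    return findings

def find_hardcoded_secrets(strings: list[str]) -> list[tuple[str, str]]:
    """Match string constants extracted from a binary against the secret patterns."""
    hits = []
    for s in strings:
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(s):
                hits.append((label, s))
    return hits

# Constructed sample inputs for the example; not taken from any real app
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true"/>
</manifest>"""
SAMPLE_STRINGS = ["https://api.example.test/v1", "AKIAEXAMPLE123456789",
                  "api_key = 'sk_test_abcdefghijklmnop1234'"]

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_MANIFEST):
        print(finding)
    for label, value in find_hardcoded_secrets(SAMPLE_STRINGS):
        print(f"{label}: {value}")
```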
Supported MAST tools
The following MAST integration is available through Invicti ASPM:
| Tool | Type | Authentication | Platforms |
|---|---|---|---|
| eShard esChecker | Connection | API token | iOS, Android |
MAST coverage through ASPM currently supports eShard esChecker. Additional MAST tools may be added in future releases. For broader mobile SAST coverage, MobSF is also available as a SAST integration — see SAST overview.
Need help?
The Invicti Support team is ready to provide technical assistance. Go to Help Center