MASTG-TEST for dynamic analysis

sk3l10x1ng · sk3l10x1ng · commit 4cce45a5b8b3 · 2025-12-15T17:12:37.000+05:30
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0x36/MASTG-DEMO-0x36.md b/demos/android/MASVS-CODE/MASTG-DEMO-0x36/MASTG-DEMO-0x36.md
@@ -3,7 +3,7 @@ platform: android
 title: Enforced Immediate Updates with Play Core API detected using semgrep
 id: MASTG-DEMO-0x36
 code: [kotlin]
-test: MASTG-TEST-0x336
+test: MASTG-TEST-0x36
 ---
 
 ### Sample
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEDT-0x36-1.md b/tests-beta/android/MASVS-CODE/MASTG-TEDT-0x36-1.md
@@ -0,0 +1,34 @@
+---
+title: Verifying Mandatory In-App Update Enforcement using MITM Proxy
+platform: android
+id: MASTG-TEST-0x36-1
+type: [dynamic]
+weakness: MASWE-0075
+profiles: [L2]
+---
+
+## Overview
+
+The goal of the test is to verify whether the app properly enforces mandatory updates, When using a MITM proxy to send a version that the backend considers unsupported and verify if the app correctly blocks access and requires the user to update before continuing.
+
+## Steps
+
+1. Set up a MITM proxy using @MASTG-TECH-0011 to intercept network traffic. Launch the app and identify API calls that transmit version information (e.g., `X-App-Version`, `version`, `build`, `minVersion` in headers, parameters, or request body).
+2. Modify the intercepted request to indicate that the current app version is unsupported (e.g., change `version` to an older version or set `minVersion` to a value higher than the current version). Forward the modified request to the backend.
+
+## Observation
+
+The output should contain the app's response when an unsupported version is sent to the backend:
+
+- The backend's response indicating the version is outdated (e.g., a response code, JSON field, or message stating the update is required).
+- Whether the app displays a blocking dialog or screen that prevents further use until the update is completed.
+- Whether the app calls Google Play or the in-app update API to enforce the mandatory update.
+- Whether the user can dismiss the update prompt and continue using the app, or if the app completely blocks access to functionality.
+
+## Evaluation
+
+The test case fails if:
+
+- The app does not block access to its main functionality when the backend indicates the version is unsupported.
+- The app does not trigger a mandatory update flow through either the backend-gated mechanism or the Play In-App Updates API.
+- The app proceeds normally without any enforcement action when presented with an unsupported version.
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0x36.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0x36.md
@@ -21,4 +21,4 @@ The output should contain the locations where `startUpdateFlowForResult` with `A
 
 ## Evaluation
 
-The test fails if the app does not enforce updates and still allows users to skip or ignore them.
+The test fails if the app does not implement enforced updating uisng Play In-App Updates API.

Original file line number	Diff line number	Diff line change
@@ -21,4 +21,4 @@ The output should contain the locations where `startUpdateFlowForResult` with `A
`21`	`21`
`22`	`22`	`## Evaluation`
`23`	`23`
`24`		`-The test fails if the app does not enforce updates and still allows users to skip or ignore them.`
	`24`	`+The test fails if the app does not implement enforced updating uisng Play In-App Updates API.`