Skip to content

Reference applications

The applications listed below can be used as training materials. Note: only the MASTG apps and Crackmes are tested and maintained by the MAS project.


Android Crackmes

A set of apps to test your Android application hacking skills -

Android UnCrackable L1

Available at

Android UnCrackable L2

Available at

Android UnCrackable L3

Available at

Android UnCrackable L4

Available at

Android License Validator

Available at


An open source vulnerable/insecure app using Kotlin. This app has a wide range of vulnerabilities related to certificate pinning, custom URL schemes, Android Network Security Configuration, WebViews, root detection and over 20 other vulnerabilities -


A hybrid mobile app (for Android) that intentionally contains vulnerabilities -


A vulnerable app created in 2015, which can be used on older Android platforms -

DIVA Android

An app intentionally designed to be insecure which has received updates in 2016 and contains 13 different challenges -


An insecure Android app from 2015 -


A vulnerable Android app made for security enthusiasts and developers to learn the Android insecurities by testing a vulnerable application. It has been updated in 2018 and contains a lot of vulnerabilities -

MASTG Hacking Playground

A vulnerable Android app with vulnerabilities similar to the test cases described in this document

MASTG Hacking Playground (Java)

Available at

MASTG Hacking Playground (Kotlin)

Available at


An Android app that aggregates all the platform’s known and popular security vulnerabilities -


iOS Crackmes

A set of applications to test your iOS application hacking skills -

iOS UnCrackable L1

Available at

iOS UnCrackable L2

Available at


A vulnerable iOS app with iOS security challenges -


A vulnerable iOS app written in Objective-C which provides a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills -


A vulnerable iOS app, written in Swift with over 15 vulnerabilities -


An iOS Objective-C app serving as a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it -


A Swift version of original iGoat project -


An iOS app that aggregates all the platform’s known and popular security vulnerabilities -


UnSAFE Bank is a core virtual banking application designed with the aim to incorporate the cybersecurity risks and various test cases such that newbie, developers, and security analysts can learn, hack and improvise their vulnerability assessment and penetration testing skills. -