About Us

Varutra, headquartered in Pune, India, is a pure-play Information Security Consulting, Research and Training services firm, providing specialized security services for software, mobile and network. Varutra is a CERT-In empanelled, qualified IT Security Auditor organization with clientele from India and overseas.

We are motivated to provide our customers with specially tailored services that protect against internal as well as external threats and reduce business risk, in order to improve security posture, achieve regulatory compliance and increase efficiency.

Our team comprises young, enthusiastic, brilliant minds along with experienced consultants contributing to the research and development at Varutra.

Our goal is to provide security in totality, which ensures that every possible facet of an information threat is covered during our engagement. We constantly strive to outdo ourselves for the best possible solution.

Our History

  • April 2013 - Varutra Consulting founded
  • July 2013 - Varutra Blog Site (KALP) launched
  • September 2013 - Launched Corporate Trainings
  • December 2013 - MVD Mobile Vulnerability Database website launched
  • January 2014 - MVD Mobile Application launched
  • November 2014 - OWASP KALP Project started
  • October 2014 - VSecure Workshops initiated for colleges/institutes
  • November 2014 - Developed OWASP KALP Project - Android App
  • December 2014 - Developed OWASP KALP Project - iOS App
  • April 2015 - Varutra featured among the 20 Most Promising Cyber Security Companies 2015
  • May 2015 - Launched Managed Security Services (MSSP) offering
  • July 2015 - Partnered with EC-Council as Accredited Training Center for IT Security Certifications
  • October 2015 - Varutra CERT-In Empanelment
  • March 2016 - Launched MASTS Mobile Application Security Testing Suite


MASTS (Mobile Application Security Testing Suite) is a product, with patents filed, developed at Varutra from its extensive research and experience gained in Mobility and Applications Security.

The idea of MASTS was engineered with an aim to create an easy to use and intelligent automated solution, which simulates manual security testing as closely as possible. It reduces manual efforts, false positives and ensures effective testing results with minimal timelines.

MASTS allows testing the target mobile application with real-world testing approaches such as Black Box and Gray Box.

MASTS is capable of identifying vulnerabilities by performing Static and Dynamic analysis of mobile applications. It conducts testing of applications by applying its test cases derived from OWASP Top 10 for mobile as well as custom test cases, which cannot be detected by a normal scanner.

MASTS facilitates the mobile application security testing by providing various other utilities a pentester can use during the testing/audit.

MASTS supports application platforms such as Native Mobile Applications, Applications using SOAP/REST-based Web Services, Mobile Browser Based Applications and Hybrid Applications.

MASTS Architecture

Home Screen

MASTS Features

Application Static Analysis

The target mobile application is tested for static code (APK-level) security issues. The user does not need to authenticate with the target mobile application for scanning.

MASTS Logcat

Logcat captures the device logs of the target mobile device and allows the pentester to download them in plain text to the local machine for further analysis.

Export Report

Exporting reports of the scan results, including completed scans and failed scans. Reports can be exported in PDF and HTML formats.

BlackBox Testing

The target mobile application is tested for vulnerabilities without logging into the application.


The SAND utility takes a Snapshot of the target device and provides details such as the number of applications installed, the permissions of those applications, files and databases created by the application, etc.

SAND Comparator

SAND Comparator compares any two Snapshots of the target device and displays details of any modifications made, for example before and after installing the application, or before and after logging into the application.

GrayBox Testing

The target mobile application is tested for vulnerabilities by authenticating into the application. The user must enter valid credentials before MASTS conducts the testing.

TCP Sniffer

A TCP Sniffer acts like a proxy on the connection/communication in the network. TCP Sniffer captures the TCP traffic going from the target mobile application and coming from the server, and analyzes it.

Reverse Engineering

It extracts the source code of the application APK and analyzes it for any known security issues under static testing. It also helps the pentester verify the reverse-engineered code to check for possible modification and tampering.



Knowledge Base

Welcome to MASTS Knowledge Base section. You will find here the most recently updated articles from MASTS team.

Download PDF: MASTS Trial Edition Walkthrough

Download PDF: MASTS Professional Edition Walkthrough

File Name: MASTS APK (5 MB)
MD5: A2085E3443CCD6856E61CEBB65F5CF2B
SHA1: 3FA45FDB66FB5C547A466C2A7461182F0B8F0D06

Download MASTS & MASTS Agent APK

Welcome to MASTS download section. You can grab a Trial edition of MASTS and try it for a limited period of time. To buy MASTS, please contact our support team at masts[at]varutra[dot]com

File Name: MASTS_Trial_Edition_Setup.exe
MD5: D63C0D3FB9AD39B94F6C9F7F51970836
SHA1: 7613145A4B050F9E09DDE3C7520B82949E8E0B14

MASTS Licensing/Editions

MASTS Trial Edition

MASTS Trial Edition comes with limited vulnerability test cases, features of SAND and a few utilities of the product. The Trial edition is restricted to 5 scans only.

MASTS Professional Edition

MASTS Professional Edition comes with the full set of vulnerability test cases, features of SAND and all utilities of the product. The Professional edition offers unlimited scans. To know more about the licensing (per user/per machine/multiple machines), please contact MASTS support.

Features

  • Conduct Application Static Analysis
  • Conduct Black Box Penetration Testing
  • Conduct Gray Box Penetration Testing
  • SAND (Take snapshots of target device)
  • SAND Comparator
  • TCP Sniffer
  • Logcat
  • FILE Explorer
  • DB Explorer
  • PoC Screen Capture
  • APK Reverse Engineering
  • View Report
  • Export Report
  • Adding Manual Findings to Report
  • Resume Scan Report



MASTS stands for Mobile Application Security Testing Suite. It helps users test mobile applications for vulnerabilities through static and dynamic analysis. MASTS adopts the same Black Box and Gray Box penetration testing approach that penetration testers follow. Reports can be generated in PDF and HTML formats. MASTS has a set of built-in utilities such as TCP Traffic Sniffer, Logcat, Device File Explorer, Device DB Explorer, Screen Shooter for capturing PoC, and SAND.

Application Static Analysis is an approach to check the target mobile application and its client-side code for security issues and non-compliance with security best practices that may create security vulnerabilities in the application.

Black box penetration testing is an approach where the penetration tester conducts security testing of an application as an unknown entity/attacker targeting the application. The pentester does not log into the application and tries to uncover vulnerabilities in it to compromise the application. MASTS allows users to test the target mobile application with the black box approach.

Gray box penetration testing is an approach where the penetration tester conducts security testing of an application as a malicious application user, or as an attacker who has authenticated to the application with bad intentions. MASTS asks testers to log into the target application under test and then conducts the runtime security testing.

MASTS conducts the security testing with Black box and Gray box approaches. Check the video on how to conduct security testing using MASTS.

Yes. MASTS provides secure authentication by implementing 2-factor authentication.

Only the MASTS admin user can change the password and security pattern of another user. In case of issues, contact the MASTS support team.

MASTS provides detailed recommendations for patching your identified vulnerabilities. Based on the support agreements, the MASTS team can extend their assistance by performing a manual assessment and giving recommendations.

MASTS updates are pulled from the update server. If Internet connectivity is present on the machine where MASTS is installed, it will check for new test plugins and update them.

All updates are listed on the website in the MASTS TOUR module.

MASTS Agent is developed as a part of MASTS. It is installed on the mobile device, authenticates the user to conduct the testing, and aids in the entire testing process. MASTS Agent connects to the server on the default port, i.e. 9091. This port can be changed in Server Manager to a custom port.

SAND is short for Snapshot of ANDroid. A snapshot captures the state of the device at a specific time, including details such as device name, installed applications, hardware details, network details, application permissions, application files, application databases, etc. Every Snapshot contains details of each and every file present on the device. SAND analyzes the target application under test by collecting information about the files the target application installs on the device, the databases it creates, application permissions, Network Information, OS Information, Hardware Information, Installed Browsers, Browser History, etc. SAND compares any two snapshots at a given point of time and assists the security tester during testing as well as forensic activity.

Yes. MASTS will run on the modified APK provided it is signed properly.

MASTS will reverse engineer your APK automatically. It will also sign the APK and upload it to the MASTS testing engine for further analysis and testing.

MASTS generates two types of reports. The main report is the security testing report for the target application. The SAND utility also generates a report for the target device, which contains details such as applications installed, the DB and files the target application creates on the device, application permissions, Network Information, OS Information, Hardware Information, Installed Browsers, Browser History, etc.

When logged into the MASTS dashboard, in the Completed Scan module you can view the reports as well as download them in PDF and HTML formats.

As per the licensing, the MASTS team can help you create customized reports.

Yes. You can add manual findings into the MASTS reporting engine and then generate the report for the target application you have tested. Once the new vulnerability has been added, the MASTS reporting engine will keep it in the database for next time.

You can get MASTS by clicking the Buy Pro Edition button and filling in the details. For any queries, contact the MASTS support team.

Get in Touch

Thank you for your interest in MASTS services. Please provide the following information about your business needs to help us serve you better. This information will enable us to route your request to the respective team. You should receive a response within 48 hours.

Contact Information

Varutra Consulting Private Limited
2nd floor, West Wing, Marisoft III,
Kalyani Nagar, Pune 411014

Branch Office: Mumbai
14th Floor, D Wing, Empire Tower,
Reliable Tech Park, Airoli,
Navi Mumbai 400708

Email: masts[at]varutra[dot]com
Phone: (+91) 840 8891 911