Closed
1 change: 0 additions & 1 deletion Document/0x04a-Mobile-App-Taxonomy.md
Expand Up @@ -26,7 +26,6 @@ The most obvious disadvantage of _native apps_ is that they are limited to one s

Here are some cross-platform mobile frameworks that allow developers to compile a single codebase for different targets, including both Android and iOS:

- [Xamarin](https://dotnet.microsoft.com/apps/xamarin "Xamarin")
- [MAUI](https://dotnet.microsoft.com/en-us/apps/maui ".NET MAUI")
- [Flutter](https://flutter.dev/ "Google Flutter")
- [React Native](https://reactnative.dev/ "React Native")
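Review bot: this is the only hunk in the change that removes Xamarin instead of annotating it. The file header reports 0 additions and 1 deletion, and the rendered diff has lost its +/- markers, but the dropped line appears to be the `- [Xamarin](https://dotnet.microsoft.com/apps/xamarin "Xamarin")` entry; every other hunk keeps Xamarin and appends "(End of Support)". Please pick one treatment: if the framework should stay listed for testers who still meet legacy apps (the rest of the guide still documents interception and pinning for Xamarin apps), keep the entry as `- [Xamarin](https://dotnet.microsoft.com/apps/xamarin "Xamarin") (End of Support)` right above the MAUI entry that succeeds it; if it should disappear, the other hunks should drop it as well.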
2 changes: 1 addition & 1 deletion knowledge/android/MASVS-CODE/MASTG-KNOW-0004.md
Expand Up @@ -15,4 +15,4 @@ These libraries can lead to unwanted side-effects:
- A library can no longer be maintained or hardly be used, which is why no vulnerabilities are reported and/or fixed. This can lead to having bad and/or vulnerable code in your application through the library.
- A library can use a license, such as LGPL2.1, which requires the application author to provide access to the source code for those who use the application and request insight in its sources. In fact the application should then be allowed to be redistributed with modifications to its sourcecode. This can endanger the intellectual property (IP) of the application.

Please note that this issue can hold on multiple levels: When you use webviews with JavaScript running in the webview, the JavaScript libraries can have these issues as well. The same holds for plugins/libraries for Cordova, React-native and Xamarin apps.
Please note that this issue can hold on multiple levels: When you use webviews with JavaScript running in the webview, the JavaScript libraries can have these issues as well. The same holds for plugins/libraries for Cordova, React-native and Xamarin (End of Support) apps.
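Review bot: the parenthetical is inserted into running prose, so "Xamarin (End of Support) apps" reads as if "End of Support" were part of the product name, while the sentence is about plugin and library hygiene and the framework's support status is a separate fact. A link to the vendor's end-of-support notice on the first mention in each file, or a short footnote, would carry the same information without interrupting every sentence. While here, the unchanged context line says "modifications to its sourcecode", whereas the iOS twin of this paragraph in knowledge/ios/MASVS-CODE/MASTG-KNOW-0059.md says "source code"; the two copies should be kept in sync.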
2 changes: 1 addition & 1 deletion knowledge/android/MASVS-NETWORK/MASTG-KNOW-0015.md
Expand Up @@ -93,4 +93,4 @@ That said, this approach requires significant security expertise and a careful d

## Pinning in Cross-Platform Frameworks

Cross-platform frameworks like Flutter, React Native, Cordova, and Xamarin often require special considerations for certificate pinning, as they may not use the same network stack as native apps. For example, Flutter relies on its own Dart `HttpClient` (with BoringSSL) instead of the platform's networking stack, while Cordova makes network requests through JavaScript in a WebView. As a result, pinning behavior varies—some frameworks provide built-in configuration options, others rely on third-party plugins, and some offer no direct support but allow manual implementation via APIs. Understanding how a framework handles networking is crucial for ensuring proper pinning enforcement.
Cross-platform frameworks like Flutter, React Native, Cordova, and Xamarin (End of Support) often require special considerations for certificate pinning, as they may not use the same network stack as native apps. For example, Flutter relies on its own Dart `HttpClient` (with BoringSSL) instead of the platform's networking stack, while Cordova makes network requests through JavaScript in a WebView. As a result, pinning behavior varies—some frameworks provide built-in configuration options, others rely on third-party plugins, and some offer no direct support but allow manual implementation via APIs. Understanding how a framework handles networking is crucial for ensuring proper pinning enforcement.
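Review bot: in this paragraph the end-of-support status is actually relevant to the security argument and deserves a sentence rather than a tag. The paragraph already explains that these frameworks bring their own network stack (Flutter's Dart `HttpClient` with BoringSSL, Cordova's WebView requests); for an unsupported framework that stack and its pinning plugins will no longer receive fixes. Suggest appending after "Understanding how a framework handles networking is crucial for ensuring proper pinning enforcement." something like: "Xamarin has reached end of support, so its networking components and pinning helpers should be treated as legacy code that needs additional review."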
2 changes: 1 addition & 1 deletion knowledge/ios/MASVS-CODE/MASTG-KNOW-0059.md
Expand Up @@ -23,4 +23,4 @@ These libraries can lead to unwanted side-effects:
- A library can no longer be maintained or hardly be used, which is why no vulnerabilities are reported and/or fixed. This can lead to having bad and/or vulnerable code in your application through the library.
- A library can use a license, such as LGPL2.1, which requires the application author to provide access to the source code for those who use the application and request insight in its sources. In fact the application should then be allowed to be redistributed with modifications to its source code. This can endanger the intellectual property (IP) of the application.

Please note that this issue can hold on multiple levels: When you use webviews with JavaScript running in the webview, the JavaScript libraries can have these issues as well. The same holds for plugins/libraries for Cordova, React-native and Xamarin apps.
Please note that this issue can hold on multiple levels: When you use webviews with JavaScript running in the webview, the JavaScript libraries can have these issues as well. The same holds for plugins/libraries for Cordova, React-native and Xamarin (End of Support) apps.
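Review bot: identical edit to knowledge/android/MASVS-CODE/MASTG-KNOW-0004.md, so the same remark applies: the inline tag reads as part of the product name. Since the Android and iOS copies of this paragraph are near-identical, a single shared wording (and a single place that explains the end-of-support status) would avoid touching both files for every such change; note this copy says "source code" while the Android copy says "sourcecode".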
2 changes: 1 addition & 1 deletion techniques/android/MASTG-TECH-0011.md
Expand Up @@ -228,7 +228,7 @@ Once you have done this, all proxy traffic on your Android phone will be going t

Once you have set up an interception proxy and have a MITM position, you might still not be able to see anything. This is mainly due to the following reasons:

- The app is using a framework like Xamarin that simply does not use the proxy settings of the Android OS or
- The app is using a framework like Xamarin (End of Support) that simply does not use the proxy settings of the Android OS or
- The app you are testing is verifying if a proxy is set and is not allowing any communication.

In both scenarios, you would need additional steps to finally be able to see the traffic. In the sections below, we are describing two different solutions, bettercap and iptables.
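Review bot: in this bullet the tag is unrelated to the point being made. The app ignores the OS proxy settings because of how the framework's HTTP stack is built, not because the framework is unsupported, so "a framework like Xamarin (End of Support) that simply does not use the proxy settings" distracts from the troubleshooting advice that follows. Keep the bullet as it was and, if the support status matters for this technique, say so once in the page's introduction.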
2 changes: 1 addition & 1 deletion techniques/generic/MASTG-TECH-0122.md
Expand Up @@ -11,7 +11,7 @@ Passive eavesdropping is particularly useful in the following scenarios:

- **Troubleshooting active MITM issues**: Identifying TLS handshake errors, certificate validation failures, and routing anomalies that may cause active interception techniques to fail.
- **Analyzing plaintext non-HTTP traffic**: Monitoring protocols such as XMPP, MQTT, DNS, SMB, and custom UDP/TCP protocols used by the app. Also useful for analyzing push notification traffic from services like Google Cloud Messaging (GCM) / Firebase Cloud Messaging (FCM) on Android or Apple Push Notification Service (APNS) on iOS.
- **Analyzing traffic from non-proxy-aware apps**: Some mobile apps ignore system proxy settings (e.g., those built with [Xamarin](https://www.xamarin.com/platform "Xamarin")) or actively detect and block MITM proxies. Passive eavesdropping allows monitoring without triggering detection mechanisms.
- **Analyzing traffic from non-proxy-aware apps**: Some mobile apps ignore system proxy settings (e.g., those built with Xamarin(End of Support)) or actively detect and block MITM proxies. Passive eavesdropping allows monitoring without triggering detection mechanisms.
- **Investigating network anomalies and unintended data leaks**: Passive monitoring can help detect unexpected third-party communication, data leakage via DNS requests, or unusual outbound connections. Additionally, even if TLS encryption prevents direct payload inspection, metadata leaks (e.g., request size, timing patterns, domain names, or packet sequences) can still provide valuable insights and may be useful for side-channel attacks.

## How Does It Work?
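Review bot: "Xamarin(End of Support)" is missing the space before the parenthesis that the other hunks use ("Xamarin (End of Support)"), and the same edit drops the markdown link to https://www.xamarin.com/platform without a replacement. If the link was removed because the page is gone, a link to the vendor's end-of-support announcement would give readers the reason for the tag; otherwise keep the link and put the tag after it.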
10 changes: 5 additions & 5 deletions techniques/generic/MASTG-TECH-0125.md
@@ -1,15 +1,15 @@
---
title: Intercepting Xamarin Traffic
title: Intercepting Xamarin (End of Support) Traffic
platform: generic
---

Xamarin is a mobile app development platform that allows developers to create [native Android](https://docs.microsoft.com/en-us/xamarin/android/get-started/ "Getting Started with Android") and [iOS apps](https://docs.microsoft.com/en-us/xamarin/ios/get-started/ "Getting Started with iOS") using Visual Studio and C#.
Xamarin (End of Support) is a mobile app development platform that allows developers to create native Android and iOS apps using Visual Studio and C#.

When testing a Xamarin app, setting the system proxy in the Device Wi-Fi settings will not capture any HTTP requests in your interception proxy. This is because Xamarin apps do not use the local proxy settings of your device. There are three ways to bypass this limitation:
When testing a Xamarin (End of Support) app, setting the system proxy in the Device Wi-Fi settings will not capture any HTTP requests in your interception proxy. This is because Xamarin (End of Support) apps do not use the local proxy settings of your device. There are three ways to bypass this limitation:

## Option 1: Manipulating Xamarin's Network Stack Default Proxy
## Option 1: Manipulating Xamarin (End of Support)'s Network Stack Default Proxy

Patch the app to use a [default proxy](https://developer.xamarin.com/api/type/System.Net.WebProxy/ "System.Net.WebProxy Class") by adding the following code in the `OnCreate` or `Main` method:
Patch the app to use a default proxy by adding the following code in the `OnCreate` or `Main` method:

```cs
WebRequest.DefaultWebProxy = new WebProxy("192.168.11.1", 8080);
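Review bot: the possessive "Xamarin (End of Support)'s Network Stack Default Proxy" in the Option 1 heading is awkward; "Manipulating the Xamarin (End of Support) Network Stack Default Proxy", or keeping the heading unchanged and stating the support status once in the intro paragraph, reads better. The same hunk also strips three documentation links (the Android and iOS getting-started pages and the `System.Net.WebProxy` reference) without a stated reason; the `WebProxy` reference in particular backs the sample `WebRequest.DefaultWebProxy = new WebProxy("192.168.11.1", 8080);` that follows, so it is worth keeping (or pointing at its current location) even if the getting-started links are dead. Finally, changing the `title:` front matter of a technique page can affect any cross-reference or index that uses the old title; please check for those.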
2 changes: 1 addition & 1 deletion tests/android/MASVS-CODE/MASTG-TEST-0042.md
Expand Up @@ -46,7 +46,7 @@ The report will be in `build/reports` unless otherwise configured. Use the repor

Please be advised that the plugin requires to download a vulnerability feed. Consult the documentation in case issues arise with the plugin.

Lastly, please note that for hybrid applications, one will have to check the JavaScript dependencies with RetireJS. Similarly for Xamarin, one will have to check the C# dependencies.
Lastly, please note that for hybrid applications, one will have to check the JavaScript dependencies with RetireJS. Similarly for Xamarin(End of Support), one will have to check the C# dependencies.

When a library is found to contain vulnerabilities, then the following reasoning applies:
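Review bot: "Xamarin(End of Support)" lacks the space used elsewhere in this change. More substantively, the sentence now refers to an unsupported toolchain without telling the tester what that implies: the app's C# (NuGet) dependencies are resolved independently of the framework and still need to be checked for known vulnerabilities, so the tag must not read as an exemption. A wording such as "Similarly for Xamarin (End of Support) apps, the C# dependencies still need to be checked" makes that explicit.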

2 changes: 1 addition & 1 deletion tests/android/MASVS-NETWORK/MASTG-TEST-0019.md
Expand Up @@ -33,7 +33,7 @@ Next, you should ensure that the app is not allowing cleartext HTTP traffic. Sin
- Setting the [`android:usesCleartextTraffic`](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic "Android documentation - usesCleartextTraffic flag") attribute of the `<application>` tag in the AndroidManifest.xml file. Note that this flag is ignored in case the Network Security Configuration is configured.
- Configuring the Network Security Configuration to enable cleartext traffic by setting the `cleartextTrafficPermitted` attribute to true on `<domain-config>` elements.
- Using low-level APIs (e.g. [`Socket`](https://developer.android.com/reference/java/net/Socket "Socket class")) to set up a custom HTTP connection.
- Using a cross-platform framework (e.g. Flutter, Xamarin, ...), as these typically have their own implementations for HTTP libraries.
- Using a cross-platform framework (e.g. Flutter, Xamarin (End of Support), ...), as these typically have their own implementations for HTTP libraries.

All of the above cases must be carefully analyzed as a whole. For example, even if the app does not permit cleartext traffic in its Android Manifest or Network Security Configuration, it might actually still be sending HTTP traffic. That could be the case if it's using a low-level API (for which Network Security Configuration is ignored) or a badly configured cross-platform framework.
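Review bot: nesting the tag inside the existing parenthetical produces "(e.g. Flutter, Xamarin (End of Support), ...)", which is hard to read. Either move the tag out of the list or drop it here: the bullet's point is that cross-platform frameworks ship their own HTTP implementations, and the caution in the following paragraph about a "badly configured cross-platform framework" applies regardless of the framework's support status.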

12 changes: 6 additions & 6 deletions tests/android/MASVS-NETWORK/MASTG-TEST-0022.md
Expand Up @@ -94,14 +94,14 @@ myWebView.setWebViewClient(new WebViewClient(){

Alternatively, it is better to use an OkHttpClient with configured pins and let it act as a proxy overriding `shouldInterceptRequest` of the `WebViewClient`.

### Xamarin Applications
### Xamarin (End of Support) Applications

Applications developed in Xamarin will typically use `ServicePointManager` to implement pinning.
Applications developed in Xamarin (End of Support) will typically use `ServicePointManager` to implement pinning.

Normally a function is created to check the certificate(s) and return the boolean value to the method `ServerCertificateValidationCallback`:

```cs
[Activity(Label = "XamarinPinning", MainLauncher = true)]
[Activity(Label = "XamarinPinning (End of Support)", MainLauncher = true)]
public class MainActivity : Activity
{
// SupportedPublicKey - Hexadecimal value of the public key.
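Review bot: the find-and-replace has reached into the C# sample. `[Activity(Label = "XamarinPinning (End of Support)", MainLauncher = true)]` changes the Android activity label string of the sample app, so the listing no longer matches the `certificatePinningXamarin.apk` sample referenced further down and a documentation note now lives inside a string literal. Revert this line to `[Activity(Label = "XamarinPinning", MainLauncher = true)]`; support status belongs in the prose, not in code.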
Expand All @@ -115,7 +115,7 @@ Normally a function is created to check the certificate(s) and return the boolea
SslPolicyErrors sslPolicyErrors
)
{
//Log.Debug("Xamarin Pinning",chain.ChainElements[X].Certificate.GetPublicKeyString());
//Log.Debug("Xamarin (End of Support) Pinning",chain.ChainElements[X].Certificate.GetPublicKeyString());
//return true;
return SupportedPublicKey == chain.ChainElements[1].Certificate.GetPublicKeyString();
}
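Review bot: same problem in this hunk: `//Log.Debug("Xamarin (End of Support) Pinning",chain.ChainElements[X].Certificate.GetPublicKeyString());` rewrites the log tag of a commented-out debugging line. Revert to the original tag; a tester who uncomments this line to dump the chain's public keys will be filtering logcat for "Xamarin Pinning", and the listing should stay identical to the sample APK it documents.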
Expand All @@ -132,13 +132,13 @@ Normally a function is created to check the certificate(s) and return the boolea

In this particular example we are pinning the intermediate CA of the certificate chain. The output of the HTTP response will be available in the system logs.

Sample Xamarin app with the previous example can be obtained on the [MASTG repository](https://github.com/OWASP/mastg/raw/master/Samples/Android/02_CertificatePinning/certificatePinningXamarin.apk "Xamarin app with certificate pinning")
Sample Xamarin (End of Support) app with the previous example can be obtained on the MASTG repository

After decompressing the APK file, use a .NET decompiler like dotPeak, ILSpy or dnSpy to decompile the app dlls stored inside the 'Assemblies' folder and confirm the usage of the ServicePointManager.

Learn more:

- Certificate and Public Key Pinning with Xamarin - <https://thomasbandt.com/certificate-and-public-key-pinning-with-xamarin>
- Certificate and Public Key Pinning with Xamarin (End of Support)
- ServicePointManager - <https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager(v=vs.110).aspx>

### Cordova Applications
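Review bot: two links are lost in this hunk without replacement: the sample APK link (`[MASTG repository](https://github.com/OWASP/mastg/raw/master/Samples/Android/02_CertificatePinning/certificatePinningXamarin.apk ...)`) and the URL of the "Learn more" entry, which now reads "- Certificate and Public Key Pinning with Xamarin (End of Support)" with no target at all. "can be obtained on the MASTG repository" is unverifiable without the link, and a "Learn more" bullet without a URL is dead text. Either restore both URLs or, if they are intentionally removed, drop the sentence and the bullet rather than leaving dangling references. Unrelated nit in the unchanged context: the decompiler is spelled "dotPeak"; the product is dotPeek.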
2 changes: 1 addition & 1 deletion tests/ios/MASVS-CODE/MASTG-TEST-0085.md
Expand Up @@ -102,7 +102,7 @@ In case frameworks are added manually as linked libraries:

In the case of copy-pasted sources: search the header files (in case of using Objective-C) and otherwise the Swift files for known method names for known libraries.

Next, note that for hybrid applications, you will have to check the JavaScript dependencies with [RetireJS](https://retirejs.github.io/retire.js/ "RetireJS"). Similarly for Xamarin, you will have to check the C# dependencies.
Next, note that for hybrid applications, you will have to check the JavaScript dependencies with [RetireJS](https://retirejs.github.io/retire.js/ "RetireJS"). Similarly for Xamarin (End of Support), you will have to check the C# dependencies.

Last, if the application is a high-risk application, you will end up vetting the library manually. In that case there are specific requirements for native code, which are similar to the requirements established by the MASVS for the application as a whole. Next to that, it is good to vet whether all best practices for software engineering are applied.
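Review bot: this sentence is the iOS twin of the one changed in tests/android/MASVS-CODE/MASTG-TEST-0042.md, but here the spacing is "Xamarin (End of Support)" while the Android file got "Xamarin(End of Support)"; please normalise. As in the Android file, the advice to check the C# dependencies still holds for an unsupported framework, so make sure the tag does not read as an exemption.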

2 changes: 1 addition & 1 deletion tests/ios/MASVS-NETWORK/MASTG-TEST-0065.md
Expand Up @@ -34,7 +34,7 @@ Identify the network APIs used by the app and see if it uses any low-level netwo

> **Apple Recommendation: Prefer High-Level Frameworks in Your App**: "ATS doesn't apply to calls your app makes to lower-level networking interfaces like the Network framework or CFNetwork. In these cases, you take responsibility for ensuring the security of the connection. You can construct a secure connection this way, but mistakes are both easy to make and costly. It's typically safest to rely on the URL Loading System instead" (see [source](https://developer.apple.com/documentation/security/preventing_insecure_network_connections)).

If the app uses any low-level APIs such as [`Network`](https://developer.apple.com/documentation/network) or [`CFNetwork`](https://developer.apple.com/documentation/cfnetwork), you should carefully investigate if they are being used securely. For apps using cross-platform frameworks (e.g. Flutter, Xamarin, ...) and third party frameworks (e.g. Alamofire) you should analyze if they're being configured and used securely according to their best practices.
If the app uses any low-level APIs such as [`Network`](https://developer.apple.com/documentation/network) or [`CFNetwork`](https://developer.apple.com/documentation/cfnetwork), you should carefully investigate if they are being used securely. For apps using cross-platform frameworks (e.g. Flutter, Xamarin (End of Support), ...) and third party frameworks (e.g. Alamofire) you should analyze if they're being configured and used securely according to their best practices.

Make sure that the app:
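Review bot: as in tests/android/MASVS-NETWORK/MASTG-TEST-0019.md, the tag nested inside "(e.g. Flutter, Xamarin (End of Support), ...)" is awkward. If the purpose of the change is to flag that Xamarin apps carry extra risk because the framework is unsupported, that belongs where this paragraph already tells the tester to check that frameworks are "configured and used securely according to their best practices": for an unsupported framework those best practices are frozen, so the tester should verify the bundled TLS behaviour directly rather than rely on framework defaults.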
