ImmuniWeb® Mobile App Scanner

Test the security and privacy of your mobile application (iOS & Android) and detect OWASP Mobile Top 10 and other weaknesses.

Provided "as is" without any warranty of any kind

Android Applications

All you need is a valid APK archive for the application. APKs can either be compiled from the application source code or, if the application is already in the Google Play market, downloaded via F-Droid or androidappsapk.co.

Please follow the steps below to test an Android APK:

  • Click on the "Choose file" button and select the APK; the file upload will start immediately.
  • Once uploaded, the test will take approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is located at a secret link available only to you. The report is stored for your convenience for 90 days and then automatically deleted. You can delete the report yourself right after the test.

iOS Applications

All you need is a valid IPA archive for the application compiled as a Simulator App (see below).

Please follow the steps below to test an iOS IPA:

  • Click on the "Choose file" button and select the IPA; the file upload will start immediately.
  • Once uploaded, the test will take approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is located at a secret link available only to you. The report is stored for your convenience for 90 days and then automatically deleted. You can delete the report yourself right after the test.

How to compile your iOS app as a Simulator App:

1. Run Xcode and open your project;
2. Right-click your project name and select "Show in Finder";
3. Right-click YourProject.xcodeproj and navigate to "Open With > Terminal";
4. Run "cd .." - your current working directory is now your project's main directory;
5. Determine which iPhone Simulator SDK you can build against by running "xcodebuild -showsdks";
6. Build your app with the following command: "xcodebuild -arch i386 -sdk iphonesimulator{version}";
7. Go to build/Release-iphonesimulator and zip the YourProject.app bundle.

About the Service

ImmuniWeb® Mobile App Scanner is a free product available online, provided and operated by High-Tech Bridge.

The service can test mobile applications for the following platforms:

  • Android
      • Native Applications
      • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
  • iOS
      • Native Applications
      • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.

We provide the following automated tests of the mobile application:

Please note that the most dangerous vulnerabilities usually reside in the mobile back end (i.e. web services and APIs) rather than in the application itself. Therefore, to complement your mobile security testing, we strongly encourage you to test the back end thoroughly via ImmuniWeb® Mobile.

SAST

Mobile App Scanner performs Static Application Security Testing (SAST) to detect the following weaknesses and vulnerabilities:

DAST

Mobile App Scanner performs Dynamic Application Security Testing (DAST) to detect the following weaknesses and vulnerabilities:

Behavioral

Mobile App Scanner performs behavioral testing to detect when the mobile application tries to access sensitive or privacy-related functions:

Software Composition Analysis

The mobile application uses third-party libraries that may represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.

Mobile Application Communications

A dedicated SAST test reveals all remote hosts present in the source code of the mobile application that the application may connect to in order to send or receive data when a specific event (e.g. a user action) occurs.

Mobile Application Outgoing Traffic

A dedicated DAST test provides a comprehensive list of all HTTP/S requests sent by the mobile application without user interaction.

Free API

High-Tech Bridge provides you with a free API to test your mobile application for the most common weaknesses and vulnerabilities. To ensure fast service and availability for everyone, the free API allows 20 requests in 3 minutes, and 50 requests in total per 24 hours, from one IP address.

In addition, there are different tiers of user, each providing a different level of API usage. If the daily test limit is exceeded, the results will only be available after upgrading to a paid subscription.

License notice: The API is provided for free for both private and commercial purposes. If you use the API for a publicly available service (commercial or not), a link to High-Tech Bridge's Free Mobile App Scanner is mandatory.

Unlimited API

High-Tech Bridge provides commercial access to the Mobile App Scanner API without restrictions. Tailored to your needs, the restrictions of the free API can be partially or entirely removed. Prices start at 200 USD per month.

Non-profit, research and academic institutions may request unlimited API for free. Please send your API usage requirements to for additional information.

The groups listed below will vary in how many tests they may run in parallel, over a three-minute period, and in one day.

API Documentation and How-To

Full API Documentation

API Specifications

Field Name     Value
Protocol       HTTP/HTTPS
Request Type   GET/POST
URL            http://htbridge.com/mobile/api/

Example of Transaction Using CURL

# Downloading app from Google Play and starting test:
$ curl --data 'app_id=com.viber.voip' https://htbridge.com/mobile/api/download_apk

# Uploading APK/IPA file and starting test:
$ curl -F malware_check=0 -F hide_in_statistics=0 -F file=@diva-beta.apk https://www.htbridge.com/mobile/api/upload

# Get test results:
In the previous examples, if the app is found and the test is started, the response contains the test ID. Once we have the test ID, we can query the API for the test results, either by full ID (id) or by short ID (short_id).
$ curl https://htbridge.com/mobile/api/test_info/id/[TEST_ID]

# Delete test (possible only for manually uploaded APK/IPA files):
$ curl https://www.htbridge.com/mobile/api/delete/id/[TEST_ID]

# Refresh test by redownloading (possible only for APKs downloaded from Google Play):
$ curl https://www.htbridge.com/mobile/api/refresh/id/[TEST_ID]

System Messages

Message Name   Response
error          Mandatory field missing.
error          Application ID is not valid.
error          Internal error, please try again.
error          Application can't be downloaded, please try again later.
error          Test doesn't exist.
error          Test ID doesn't exist.
error          Test can't be deleted. Test is locked.
error          Test can't be deleted.
error          Test can't be refreshed. Test is locked.
error          Test can't be refreshed because it's manually uploaded.
error          Your IP is blacklisted.
error          Sorry, your API key is invalid or has expired. Please double-check it or contact us.
error          You have performed N tests in the last 3 minutes. The system is currently busy, please try again a bit later.
error          You have performed N tests in the last 24 hours. The system is currently busy, please try again a bit later.
error          You have reached the limit of N concurrently running tests. Please wait until at least one of them is finished.
error          Sorry, our systems are very busy now, we are working on the issue. Please try again in a few minutes.
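The download_apk / test_info transaction above and the System Messages table, worked into a small client that starts a test, polls for the result within the free-API quota (20 requests per 3 minutes) and tells transient errors from fatal ones; this is an added example with an injectable transport, not High-Tech Bridge's own client. It assumes the API replies in JSON, that a started test returns an object with "id" and "short_id", that errors arrive as {"error": "<message>"}, and that a finished test_info reply carries "status": "finished" (the server response example is absent from this page).

```python
import json
import re
import time
import urllib.parse
import urllib.request

API = "https://www.htbridge.com/mobile/api"  # base URL from the API specification above

# System Messages that mean "back off and retry": 3-minute quota, concurrency limit,
# load, download hiccup. The 24-hour limit is fatal: results then need a paid plan.
_RETRYABLE = re.compile(
    r"in the last 3 minutes|concurr\w* running tests|systems are very busy|"
    r"Internal error|can't be downloaded"
)

def classify(message):
    """Map an 'error' message from the System Messages table to 'retry' or 'fatal'."""
    return "retry" if _RETRYABLE.search(message) else "fatal"

def http_json(method, url, form=None):
    """Default transport: form-encoded POST or plain GET; a JSON reply is assumed."""
    body = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=body, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def start_download_test(app_id, http=http_json):
    """Have the service fetch an app from Google Play and start a test; return the test ID."""
    reply = http("POST", f"{API}/download_apk", {"app_id": app_id})
    if "error" in reply:  # assumed error envelope: {"error": "<message>"}
        raise RuntimeError(f"{classify(reply['error'])}: {reply['error']}")
    return reply["id"]  # full ID; the page says test_info also accepts short_id

def wait_for_result(test_id, http=http_json, sleep=time.sleep, max_polls=60):
    """Poll test_info until the test finishes, staying under 20 requests per 3 minutes."""
    for _ in range(max_polls):
        reply = http("GET", f"{API}/test_info/id/{test_id}")
        message = reply.get("error")
        if message is None:
            if reply.get("status") == "finished":  # assumed status field
                return reply
            sleep(10)  # at most 18 polls per 3-minute window
        elif classify(message) == "retry":
            sleep(180)  # let the 3-minute quota window expire before polling again
        else:
            raise RuntimeError(f"fatal: {message}")
    raise TimeoutError(f"test {test_id} did not finish after {max_polls} polls")
```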

Example of Server Response
