
Mobile App Security Test

Free online security tool to test your security
  • iOS/Android Security Test
  • Mobile App Privacy Check
  • OWASP Mobile Top 10 Test
  • Static & Dynamic Mobile Scan

500,412 applications tested


Provided "as is" without any warranty of any kind

How-To Test

Below are simple instructions on how to use Mobile App Security Test for your Android and iOS applications.

Android Applications

All you need is a valid APK archive for the application. APKs can either be compiled from the application source code or, if the app is already in Google Play, downloaded via F-Droid or androidappsapk.co.

Please follow the steps below to test Android APK:

  • Click the "Choose file" button and select the APK; the upload starts immediately.
  • Once uploaded, the test takes approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is available at a secret link known only to you. It is stored for your convenience for 90 days and then automatically deleted; you can also delete the report yourself right after the test.

iOS Applications

All you need is a valid IPA archive for the application compiled as a Simulator App (see below).

Please follow the steps below to test iOS IPA:

  • Click the "Choose file" button and select the IPA; the upload starts immediately.
  • Once uploaded, the test takes approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is available at a secret link known only to you. It is stored for your convenience for 90 days and then automatically deleted; you can also delete the report yourself right after the test.

How to compile your iOS app as a Simulator App:

1. Run Xcode and open your project.
2. Right-click your project name and select "Show in Finder".
3. Right-click YourProject.xcodeproj and navigate to "Open With > Terminal".
4. Run "cd .."; your current working directory is now your project's main directory.
5. Determine which iPhone Simulator SDK you can build against by running "xcodebuild -showsdks".
6. Build your app with the following command: "xcodebuild -arch i386 -sdk iphonesimulator{version}".
7. Go to build/Release-iphonesimulator and zip the file YourProject.app.
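The steps above are usually run by hand; the script below is an added example (not ImmuniWeb's tooling and not part of Xcode) that automates steps 4 to 7 from the project's main directory. It assumes `xcodebuild` is on PATH and the output layout the steps name, build/Release-iphonesimulator/YourProject.app. The `xcodebuild -showsdks` text embedded in it is a constructed sample in the shape that command prints, used only to exercise the SDK-selection logic offline.

```python
"""Automates steps 4 to 7 of the Simulator App build described above.
Added example, not ImmuniWeb's or Apple's code."""
import re
import shutil
import subprocess
import sys
from pathlib import Path

# One entry per "-sdk iphonesimulator<major>.<minor>" line of `xcodebuild -showsdks`.
SDK_RE = re.compile(r"-sdk (iphonesimulator(\d+)\.(\d+))")

# Constructed sample in the shape `xcodebuild -showsdks` prints (step 5);
# not captured from a real machine.
SAMPLE_SHOWSDKS = """\
iOS SDKs:
    iOS 13.2                          -sdk iphoneos13.2

iOS Simulator SDKs:
    Simulator - iOS 12.4              -sdk iphonesimulator12.4
    Simulator - iOS 13.2              -sdk iphonesimulator13.2

macOS SDKs:
    macOS 10.15                       -sdk macosx10.15
"""


def pick_simulator_sdk(showsdks_output):
    """Step 5: return the newest installed iOS Simulator SDK name, or None."""
    found = [(int(m.group(2)), int(m.group(3)), m.group(1))
             for m in SDK_RE.finditer(showsdks_output)]
    return max(found)[2] if found else None


def zip_app_bundle(app_path):
    """Step 7: zip YourProject.app next to itself; returns the archive path."""
    app_path = Path(app_path)
    archive = shutil.make_archive(str(app_path.with_suffix("")), "zip",
                                  root_dir=app_path.parent, base_dir=app_path.name)
    return Path(archive)


def build_simulator_app(project_dir=".", arch="i386"):
    """Steps 5 to 7 in one go. `arch` defaults to the i386 used in the steps
    above; current Xcode releases build simulator slices for x86_64/arm64."""
    project_dir = Path(project_dir)
    shown = subprocess.run(["xcodebuild", "-showsdks"], cwd=project_dir, check=True,
                           capture_output=True, text=True).stdout
    sdk = pick_simulator_sdk(shown)
    if sdk is None:
        raise RuntimeError("no iOS Simulator SDK installed; add one via Xcode first")
    subprocess.run(["xcodebuild", "-arch", arch, "-sdk", sdk], cwd=project_dir, check=True)
    bundles = sorted((project_dir / "build" / "Release-iphonesimulator").glob("*.app"))
    if not bundles:
        raise RuntimeError("build succeeded but no .app bundle in build/Release-iphonesimulator")
    return zip_app_bundle(bundles[0])


if __name__ == "__main__":
    # Usage: python build_simulator_app.py [path/to/project]
    print(build_simulator_app(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Picking the newest simulator SDK by parsing the `-showsdks` output avoids hardcoding the `{version}` placeholder from step 6, and the two explicit failure checks (no simulator SDK installed, no bundle after the build) turn the silent "nothing to upload" outcome into an error you see immediately.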

About the Service

Mobile App Security Test is a free product available online, provided and operated by ImmuniWeb.

The service can test mobile applications for the following platforms:

  • Android
    • Native Applications
    • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
  • iOS
    • Native Applications
    • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.

We provide the following automated tests of the mobile application:

Please note that the most dangerous vulnerabilities usually reside in the mobile back end (i.e. web services and APIs) and not in the application itself. Therefore, to complement your mobile security testing, we strongly encourage you to thoroughly test the backend via ImmuniWeb® MobileSuite.

SAST

Mobile App Security Test performs Static Application Security Testing (SAST) to detect the following weaknesses and vulnerabilities:

DAST

Mobile App Security Test performs Dynamic Application Security Testing (DAST) to detect the following weaknesses and vulnerabilities:

Behavioral

Mobile App Security Test performs behavioral testing to detect when the mobile application tries to access sensitive or privacy-related functions:

Software Composition Analysis

The mobile application uses third-party libraries that may represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.

Mobile App External Communications

A specific SAST test reveals all remote hosts present in the source code of the mobile application to which the application may connect to send or receive data when a specific event occurs (e.g. a user action).

Mobile Application Outgoing Traffic

A specific DAST test provides a comprehensive list of all HTTP/S requests sent by the mobile application without user interaction.
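The two network checks described above, the static list of remote hosts named in the code and the dynamic list of requests the app actually sends, are most useful when read side by side. The script below is an added example, not ImmuniWeb's detection logic: a simplified version of both checks run over constructed input (string literals of the kind found in decompiled sources, and a constructed, simplified "<METHOD> <URL>" request log, since the page shows no log format). Comparing the two lists highlights endpoints that only appear at runtime, which static analysis alone would miss, as well as cleartext and leftover development hosts.

```python
"""Simplified remote-host (SAST) and outgoing-traffic (DAST) checks.
Added example; all input below is constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample: string constants as they might appear in decompiled sources.
SAMPLE_CODE_STRINGS = [
    'BASE_URL = "https://api.example-app.test/v2/"',
    'String ANALYTICS = "http://track.example-vendor.test:8080/collect";',
    'ws = new WebSocket("wss://push.example-app.test/socket")',
    'String DEBUG_HOST = "http://10.0.2.2:3000/debug";',  # 10.0.2.2 is the Android emulator's host alias
    'Log.d("net", "retrying request")',
]

# Constructed sample: requests observed while the app ran without user interaction.
SAMPLE_TRAFFIC_LOG = [
    "GET https://api.example-app.test/v2/config",
    "POST http://track.example-vendor.test:8080/collect",
    "POST https://cdn.example-ads.test/impression",  # host assembled at runtime, absent from code
]

URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'<>)]+""")
PRIVATE_RE = re.compile(r"^(localhost|10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def _add(hosts, url):
    """Record one URL under its host: schemes, ports, cleartext and private-address flags."""
    parts = urlsplit(url)
    if not parts.hostname:
        return
    e = hosts.setdefault(parts.hostname,
                         {"schemes": set(), "ports": set(), "cleartext": False, "private": False})
    e["schemes"].add(parts.scheme)
    if parts.port is not None:
        e["ports"].add(parts.port)
    if parts.scheme in ("http", "ws"):   # unencrypted transport
        e["cleartext"] = True
    if PRIVATE_RE.match(parts.hostname):  # development/test endpoint left in the build
        e["private"] = True


def static_hosts(code_lines):
    """SAST-style: every remote host named in string literals of the code."""
    hosts = {}
    for line in code_lines:
        for url in URL_RE.findall(line):
            _add(hosts, url)
    return hosts


def runtime_hosts(log_lines):
    """DAST-style: every host the app contacted, from '<METHOD> <URL>' log lines."""
    hosts = {}
    for line in log_lines:
        method, _, url = line.partition(" ")
        if method.isupper() and URL_RE.fullmatch(url):
            _add(hosts, url)
    return hosts


def compare(static, runtime):
    """Findings worth a reviewer's attention: cleartext hosts, private hosts left
    in the build, hosts contacted at runtime that the code never names, and
    hosts named in code that were never contacted during the dynamic run."""
    return {
        "cleartext": sorted({h for d in (static, runtime) for h, e in d.items() if e["cleartext"]}),
        "private_in_code": sorted(h for h, e in static.items() if e["private"]),
        "runtime_only": sorted(set(runtime) - set(static)),
        "code_only": sorted(set(static) - set(runtime)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(static_hosts(SAMPLE_CODE_STRINGS),
                             runtime_hosts(SAMPLE_TRAFFIC_LOG)), indent=2))
```

The "code_only" list is not automatically a problem (a host may only be contacted after a user action, as the SAST description notes), but "runtime_only" hosts deserve a look, since a host that never appears as a literal was assembled or downloaded at runtime.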

ImmuniWeb Discovery

For continuous monitoring purposes, we suggest exploring our award-winning ImmuniWeb® Discovery offering, tailored for continuous monitoring with flexible 24/7 notifications.

Commercial API

ImmuniWeb provides commercial access to the Mobile App Security Test API with extended limits on the number of daily tests. Please get in touch with us for a personalized quote. Prices start at 1,000 USD per month.

Non-profit, research and academic institutions may request commercial API for free. Please send your API usage requirements to for additional information.

Free API

ImmuniWeb provides you with a free API to test your mobile application for the most common weaknesses and vulnerabilities. To ensure high speed of service and availability for everyone, the free API allows 1 request every 3 minutes, and 10 requests in total per 24 hours, from one IP address.

In addition, there are different tiers of user, each providing a different level of API usage. If the daily test limit is exceeded, the results will only be available after upgrading to a paid subscription.

License notice: The API is provided for free for both private and commercial purposes. When using the free API, a clearly visible credit to ImmuniWeb® Community when displaying results is mandatory. Failure to do so may trigger a ban and legal consequences.

The groups listed below vary in how many tests they may run in parallel, over a three-minute period, and in how many tests are allowed in one day.

API Documentation and How-To

Full API Documentation

API Specifications

Field Name      Value
Protocol        HTTP/HTTPS
Request Type    GET/POST
URL             https://www.immuniweb.com/mobile/api/

Example of Transaction Using CURL

# Downloading app from Google Play and starting test:
$ curl --data 'app_id=com.viber.voip' https://www.immuniweb.com/mobile/api/download_apk

# Uploading APK/IPA file and starting test:
$ curl -F malware_check=0 -F hide_in_statistics=0 -F file=@diva-beta.apk https://www.immuniweb.com/mobile/api/upload

# Get test results:

In the previous example, if the app is found and the test is started, the response contains the test ID. Once we have the test ID, we can query the API for the results, either by full ID (id) or by short ID (short_id).

$ curl https://www.immuniweb.com/mobile/api/test_info/id/[TEST_ID]

# Delete test (possible only for manually uploaded APK/IPA files):
$ curl https://www.immuniweb.com/mobile/api/delete/id/[TEST_ID]

# Refresh test by redownloading (possible only for APKs downloaded from Google Play):
$ curl https://www.immuniweb.com/mobile/api/refresh/id/[TEST_ID]
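The curl transaction above and the free-API limits stated earlier (1 request every 3 minutes, 10 per 24 hours, per IP) fit naturally into one small client. The code below is an added example, not ImmuniWeb's own client or SDK. It assumes that start-test responses are JSON objects carrying the `id` and `short_id` fields the page mentions (the page prints no sample response), and it uses only the `/id/` path form shown in the curl examples. The throttle keeps a script inside the free-tier limits rather than learning them from rejected requests; note that it only counts this process's requests, while the limit applies to the whole IP address.

```python
"""Small client for the Mobile App Security Test API transaction shown above,
with a client-side throttle for the free-tier limits. Added example, not
ImmuniWeb's code. ASSUMPTION: JSON responses with 'id'/'short_id' keys."""
import json
import os
import time
import urllib.parse
import urllib.request
from collections import deque

API_BASE = "https://www.immuniweb.com/mobile/api/"  # URL from the API specification
MIN_SPACING_SEC = 3 * 60   # free tier: one request every 3 minutes
DAILY_LIMIT = 10           # free tier: ten requests per 24 hours
DAY_SEC = 24 * 60 * 60


class FreeApiBudget:
    """Tracks request times so a script stays inside the free-tier limits."""

    def __init__(self):
        self.sent = deque()  # timestamps (seconds) of requests in the last 24 h

    def wait_seconds(self, now=None):
        """Seconds to wait before the next request satisfies both limits (0 = go)."""
        now = time.time() if now is None else now
        while self.sent and now - self.sent[0] >= DAY_SEC:  # forget requests older than a day
            self.sent.popleft()
        wait = 0.0
        if self.sent:                                       # 3-minute spacing
            wait = max(wait, self.sent[-1] + MIN_SPACING_SEC - now)
        if len(self.sent) >= DAILY_LIMIT:                   # 10 per rolling 24 h
            wait = max(wait, self.sent[0] + DAY_SEC - now)
        return max(0.0, wait)

    def record(self, now=None):
        self.sent.append(time.time() if now is None else now)


def endpoint_url(action, test_id=None):
    """URLs from the curl examples: download_apk and upload take form data;
    test_info, delete and refresh are addressed by the full test id."""
    if action in ("download_apk", "upload"):
        return API_BASE + action
    if action in ("test_info", "delete", "refresh"):
        if not test_id:
            raise ValueError(action + " requires a test id")
        return API_BASE + action + "/id/" + urllib.parse.quote(str(test_id), safe="")
    raise ValueError("unknown action: " + action)


def build_multipart(fields, filename, file_bytes, boundary="ExampleBoundary7f3a"):
    """Encode the form `curl -F malware_check=0 -F hide_in_statistics=0 -F file=@app.apk` sends."""
    b = b"--" + boundary.encode()
    parts = []
    for name, value in fields.items():
        parts += [b, ('Content-Disposition: form-data; name="%s"' % name).encode(),
                  b"", str(value).encode()]
    parts += [b, ('Content-Disposition: form-data; name="file"; filename="%s"' % filename).encode(),
              b"Content-Type: application/octet-stream", b"", file_bytes, b + b"--", b""]
    return b"\r\n".join(parts), "multipart/form-data; boundary=" + boundary


def parse_test_id(body):
    """Pull the test id out of a start-test response (JSON object assumed, see above)."""
    data = json.loads(body)
    for key in ("id", "short_id"):
        if isinstance(data, dict) and data.get(key):
            return str(data[key])
    raise ValueError("no test id in response: " + body[:200])


def _send(req, budget):
    """Throttle, record, then perform the request; returns the response body as text."""
    wait = budget.wait_seconds()
    if wait:
        time.sleep(wait)
    budget.record()
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read().decode()


def start_test_from_play(app_id, budget):
    """download_apk: the service fetches the app from Google Play and starts a test."""
    data = urllib.parse.urlencode({"app_id": app_id}).encode()
    return parse_test_id(_send(urllib.request.Request(endpoint_url("download_apk"), data=data), budget))


def start_test_from_file(path, budget, malware_check=0, hide_in_statistics=0):
    """upload: submit a local APK/IPA with the same form fields as the curl example."""
    with open(path, "rb") as f:
        body, ctype = build_multipart({"malware_check": malware_check,
                                       "hide_in_statistics": hide_in_statistics},
                                      os.path.basename(path), f.read())
    req = urllib.request.Request(endpoint_url("upload"), data=body, headers={"Content-Type": ctype})
    return parse_test_id(_send(req, budget))


def get_test_info(test_id, budget):
    """test_info: fetch the results (or progress) of a test by its full id."""
    return json.loads(_send(urllib.request.Request(endpoint_url("test_info", test_id)), budget))
```

The delete and refresh calls follow the same pattern as `get_test_info` with `endpoint_url("delete", test_id)` and `endpoint_url("refresh", test_id)`. Because results are fetched with a separate request, a start-then-poll loop spends two of the ten daily requests per app and must wait at least three minutes between them, which is why the budget is passed to every call.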

Example of Server Response

           


Frequently Asked Questions

  • Q: What is mobile security testing?
    A: Mobile security testing should cover the mobile app (e.g. iOS or Android), the mobile application backend (e.g. the web services or APIs that send data to or receive data from the app), and the encryption between them. The eventual goal of mobile security testing is to ensure that the mobile ecosystem is secure and private and meets the applicable regulatory standards such as PCI DSS or GDPR. Mobile security testing may be both manual (mobile penetration testing) and automated (mobile vulnerability scanning).

  • Q: What are mobile security threats?
    A: Mobile security threats lie in the mobile app and its backend, and may also involve insufficient or missing encryption between them. Most of the security threats and known privacy weaknesses of the mobile app itself (for iOS and Android apps they are comprehensively covered by the OWASP Mobile Top 10 list) require specific conditions in order to be exploited (e.g. the attacker being on the same network as the victim, theft of the device, or a malware app pre-installed on the victim's device), and thus few of them may be considered critical issues.

    Vulnerabilities in the mobile app backend (e.g. the microservices and APIs that get data from or send data to the mobile app) may be critical, allowing an attacker, for example, to obtain the entire database of all users of the mobile app. The range of such vulnerabilities is broad and is well described by the SANS Top 25 list. Finally, missing or weak encryption of the data sent by the mobile app to its backend may lead to the compromise of an individual user if the attacker has access to the network over which the data transits.

  • Q: What are mobile security vulnerabilities?
    A: Most mobile security vulnerabilities are described by the OWASP Mobile Top 10 list. They include various weaknesses and misconfigurations of the mobile app, both iOS and Android, that under certain circumstances may allow an attacker to compromise the security of the mobile app's data, the mobile device, or even the entire mobile infrastructure that serves all users of the mobile app.

    For example, a hardcoded password or API key may jeopardize all users of the mobile app at once, while missing or insecurely configured HTTPS encryption between the mobile app and its backend (e.g. the web services or APIs that send data to or receive data from the app) will likely impact only a specific user if the attacker has access to the network over which the data is sent. You may test for mobile security vulnerabilities in your iOS and Android apps using the free online mobile scanner provided as part of ImmuniWeb Community Edition.

  • Q: What is OWASP Top 10?
    A: OWASP is a non-profit organization dedicated to application security and driven by an open community of security professionals from almost all countries around the globe. OWASP Top 10 is a list of the most popular web application vulnerabilities, updated every three years. OWASP Mobile Top 10 is a list of the most common mobile application weaknesses and is also regularly updated. There are some controversies around these lists related to the inclusion or exclusion of specific types of vulnerabilities. Therefore, it is recommended to complement OWASP Top 10 testing with a more inclusive list of security flaws, such as the SANS Top 25.

  • Q: How to test mobile application security?
    A: A mobile application should be tested for security, privacy and compliance threats that may endanger not just the individual user of the app but its entire ecosystem, such as the external databases storing data from all users of the application. The most popular approaches to mobile application security testing are static (SAST), dynamic (DAST) and interactive (IAST) testing. SAST usually involves access to the application source code or, under certain circumstances, fuzzing of the binary. DAST implies fuzzing and scanning of a running mobile application by interacting with its various built-in features and capabilities.

    IAST is a combination of SAST and DAST enhanced with various correlation mechanisms. To verify whether the mobile application's security is weakened by vulnerable third-party or native libraries, it is also recommended to run Software Composition Analysis (SCA) on the app. You may launch all these tests on your iOS or Android app using the free online mobile scanner by ImmuniWeb Community Edition.

  • Q: How good is iOS security?
    A: iOS is deservedly considered a secure operating system for mobile devices. It is a proprietary, closed-source system by Apple, and its closed nature makes external vulnerability research time-consuming and complicated. Importantly, all mobile apps available in the App Store are rigorously vetted and regularly monitored by Apple security professionals to remove malicious apps or apps that may jeopardize user privacy.

    Moreover, Apple's security ecosystem also involves proprietary security mechanisms embedded in its hardware, making some attack vectors against the devices unfeasible at all levels. Therefore, compared to other modern mobile vendors, Apple's consolidated approach to device security effectively puts iOS ahead of other mobile operating systems. To preserve iOS security, avoid jailbreaking your device unless you have a clear and specific goal for doing so and understand all the risks a jailbroken device brings.

  • Q: How to check iOS security?
    A: iOS is considered a secure, proprietary system maintained and continuously improved by Apple. To ensure that your installation of iOS is secure, first make sure that your device is up to date. Apple regularly releases security and reliability patches, and installing them in a timely manner is essential for your device's security.

    Then make sure all of the installed mobile applications are likewise up to date, and consider removing the apps you do not use to minimize your device's exposure to app-specific vulnerabilities. Finally, make sure you have an 8-digit or stronger device PIN code, or even a passphrase, to make data extraction attacks harder for an attacker when your device is stolen or lost.

  • Q: How to test Android security?
    A: Given the variety of Android versions maintained by different vendors, and the openness of the app ecosystem, Android security largely depends on the device and on the specific branch and version of the Android operating system you have. It is essential to ensure that your Android device is up to date, that the vendor releases security updates promptly, and that it provides a smooth mechanism to install newly available security updates automatically.

    Once you are confident that your device's operating system is up to date, carefully review the installed applications and especially their permissions. It is common for malicious developers to request many intrusive permissions from non-tech-savvy users, and older versions of Android additionally have an insecure permission model that grants an application permanent permission (upon installation) to access, for example, your camera or SMS. Finally, avoid rooting your Android device unless you have a specific goal for doing so and understand the security and privacy risks it may bring.

  • Q: What is SAST and DAST?
    A: SAST stands for Static Application Security Testing. It implies access to the source code, or sometimes the binary, of the application under test. DAST is Dynamic Application Security Testing and involves fuzzing and scanning of a running application, interacting with its features and functionality while the application runs.

    Both methods have different pros and cons, and it is recommended to combine them in order to attain the highest vulnerability coverage and ensure holistic security testing. You may run both SAST and DAST security testing of your mobile app via the free online security test by ImmuniWeb Community Edition.
