Interactive Application Security Testing for Your Mobile App

Less than two years ago, we launched AppSweep, our free mobile application security testing product. We launched this product to help mobile app developers write more secure apps and to create more security awareness.

Since that initial launch, thousands of users have signed up for AppSweep, identifying more than 300,000 high severity findings in mobile apps from across all major industries, including finance, healthcare, retail, and consumer technology.

Our roadmap has gone from delivering high quality static analysis to including more sophisticated data flow analysis, all delivered in an easy-to-use, developer-friendly experience.

Based on the positive feedback on the product so far, we knew we could deliver even more unique and highly valued findings. We set our sights on the next technical milestone on this journey by adding interactive analysis to the mix of analysis techniques we provide. What does interactive analysis mean?

Our approach relies on instrumenting your mobile application, running it on a real device or emulator of your choosing, testing the app functionally, and immediately uncovering security vulnerabilities that are only observable at runtime.

The benefits of interactive analysis

With more than 20 years of expertise in recompilation and instrumentation of mobile applications, our engineers leveraged this depth of experience to build a new type of security testing that brings more findings through new analysis techniques that continue to be easy to use. The traditional challenge in dynamically testing a mobile application includes:

• Difficulty testing complex flows (Login, MFA, etc..)
• Tests are run outside your network and don’t work with your DEV / UAT (Staging) infrastructure
• Requires separate process and tools that can be time consuming
• Online tools can be clunky through a device screen share or emulator

Our approach is different; start by uploading your mobile app to AppSweep. You will quickly receive results that are produced through static analysis including data flow analysis. Your uploaded app will also be instrumented and you’ll be presented with a link to download the instrumented app for additional interactive security testing.

The instrumented app can be installed on your test device - which can be a real device or emulator - and dynamic data will be sent to AppSweep for further analysis. This approach resolves many of the traditional challenges and brings a number of key benefits.

Interactive analysis will dynamically analyze the app at runtime which allows users to uncover new findings that aren’t identifiable only using static analysis. One example of a new finding is uncovering vulnerabilities in token based authentication (JWT). Those tokens can be a big problem if they simply contain unencrypted data. Since there are various ways of encrypting the payload, determining this in a static fashion is very prone to false positives. Doing this check during interactive analysis allows us to point out the locations where this is really happening in your code, so you don’t have to sift through many potential false positives to get to the real issue. For more information on this vulnerability we refer to the OWASP article on JSON Web Token information disclosure.

Another example of the power of interactive analysis is providing insight into the network communications your app makes. For the code you have written yourself, the connections might be fairly obvious, but this is less likely for the 3rd party libraries in your app. Using our app communication view, you can easily uncover unfamiliar communications any code in your applications performs.

Easy to use & simple to integrate in your workflow

• Easy to use: simply upload your app, download the instrumented version to install and run on your device
• Compatible with your manual or automated testing approach, no specialized training required and benefit from your existing test coverage
• Run the tests within your network perimeter, for compatibility with DEV and UAT test environments without resorting to complex proxy setup
• Can be activated transparently by security or DevOps teams; there is no dependency on your developers or complex infrastructure required
• Lastly, using your existing test approach means MFA and complex app flows are no problem

Guardsquare focuses on providing in-depth security analysis of your mobile application without requiring you to maintain a complex device infrastructure to support this testing. By leveraging your existing device testing strategy, we are able to continue to offer AppSweep for free and include more advanced security analysis.

Let us know your feedback!

We’re always looking for feedback. Let us know which security risks you’re hoping to see automatically identified or reach out to share what your testing flow looks like and how you might integrate AppSweep’s additional testing capabilities into your development workflow.

Try AppSweep for free today > or learn more about our interactive analysis feature by reading our help center article >