Check whether your mobile app has any security vulnerabilities and fix them before they harm your reputation.

According to the latest NowSecure research, more than 25% of mobile apps have at least one critical vulnerability, and 59% of financial apps for Android have three vulnerabilities from the OWASP Top 10 list.

The more mobile phones are used, the more mobile apps appear. There are more than 2 million apps in the Apple App Store and more than 2.2 million in the Google Play Store.

There are many types of vulnerabilities; the most critical are:
- leakage of users' personal or confidential information over the network (email, credentials, IMEI, GPS coordinates, MAC address);
- exchange of information over the network without encryption or with insufficient encryption;
- a file that can be read or written by anyone (world-readable or world-writable);
- arbitrary code execution;
- malware.
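The first four classes above are exactly what a static scanner looks for in decompiled code and the manifest. As an added example (not code from this article or from any of the tools it lists), here is a minimal Python pattern checker that runs over decompiled Android source (for instance jadx output) and a decoded AndroidManifest.xml. The rule set and the sample snippets are my own constructions; every API name in the rules is a real Android or Java identifier. Production scanners work on the compiled APK/DEX, so this shows the idea, not a replacement for them.

```python
"""Minimal source-level checker for the mobile vulnerability classes listed above.

Added example, not code from the article or from any scanner it lists. It runs
regexes line by line over decompiled Android source and a decoded
AndroidManifest.xml and flags well-known risky API usage.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    category: str
    line_no: int
    evidence: str


# (category, regex, rationale). The identifiers are real Android/Java APIs;
# the grouping into categories is this example's own choice.
RULES = [
    ("identifier-leak", r"\bgetDeviceId\s*\(", "TelephonyManager.getDeviceId() returns the IMEI"),
    ("identifier-leak", r"\bgetMacAddress\s*\(", "WifiInfo.getMacAddress() returns the hardware MAC"),
    ("identifier-leak", r"\bgetLastKnownLocation\s*\(", "LocationManager returns GPS coordinates"),
    # schemas.android.com is the XML namespace URI, not a network endpoint
    ("cleartext-traffic", r'''["']http://(?!schemas\.android\.com)[^"'\s]+''', "hard-coded http:// URL"),
    ("cleartext-traffic", r'usesCleartextTraffic\s*=\s*"true"', "manifest opts in to cleartext HTTP"),
    # "AES" with no mode defaults to ECB on Android; DES/RC2/RC4 are obsolete
    ("weak-crypto", r'Cipher\.getInstance\(\s*"(?:(?:DES|DESede|RC4|RC2)(?:/[^"]*)?|AES(?:/ECB[^"]*)?)"', "ECB mode or obsolete cipher"),
    ("insecure-tls", r"ALLOW_ALL_HOSTNAME_VERIFIER|checkServerTrusted\s*\([^)]*\)\s*\{\s*\}", "hostname verifier / TrustManager that accepts anything"),
    ("world-accessible-file", r"MODE_WORLD_(?:READABLE|WRITEABLE)", "file readable/writable by every app on the device"),
    ("code-execution", r"Runtime\.getRuntime\(\)\.exec\s*\(|\bDexClassLoader\b", "shell command or dynamic code loading; inputs must be trusted"),
]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match; a rule fires at most once per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern, _rationale in RULES:
            if re.search(pattern, line):
                findings.append(Finding(category, line_no, line.strip()))
    return findings


def scan_tree(root: str | Path) -> dict[str, list[Finding]]:
    """Scan every .java/.kt/.xml file under root (e.g. a jadx or apktool output directory)."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in {".java", ".kt", ".xml"} and path.is_file():
            found = scan_text(path.read_text(errors="replace"))
            if found:
                results[str(path)] = found
    return results


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.category for f in findings))


# Constructed samples: one line per vulnerability class from the list above.
SAMPLE_VULNERABLE = """\
String imei = telephonyManager.getDeviceId();
String mac = wifiManager.getConnectionInfo().getMacAddress();
URL u = new URL("http://api.example.com/track?imei=" + imei);
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
FileOutputStream f = openFileOutput("session.txt", MODE_WORLD_READABLE);
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Runtime.getRuntime().exec("sh -c " + userInput);
"""

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application android:usesCleartextTraffic="true" android:label="Example">
  </application>
</manifest>
"""

# Same operations written the safe way: no findings expected.
SAMPLE_HARDENED = """\
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
FileOutputStream f = openFileOutput("session.txt", MODE_PRIVATE);
URL u = new URL("https://api.example.com/track");
"""

if __name__ == "__main__":
    for name, sample in (("source", SAMPLE_VULNERABLE), ("manifest", SAMPLE_MANIFEST), ("hardened", SAMPLE_HARDENED)):
        found = scan_text(sample)
        print(f"{name}: {summarize(found)}")
        for f in found:
            print(f"  line {f.line_no} [{f.category}] {f.evidence}")
```

Point `scan_tree()` at a jadx or apktool output directory to run it on a real app. Line-oriented matching is deliberately cheap: it will miss a TrustManager whose empty body spans several lines and will flag `Runtime.exec()` even when its argument is a constant, so treat the output as review candidates, not confirmed vulnerabilities.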
If you own or develop an app, you must do everything possible to ensure its security. There are many tools for finding website vulnerabilities; the information below will help you find the security weaknesses of a mobile app.

The following abbreviations are used in this article:
- APK – Android Package Kit, the archive format for Android apps;
- IPA – iPhone application archive, the archive format for iOS apps;
- IMEI – International Mobile Equipment Identity;
- GPS – Global Positioning System;
- MAC – Media Access Control (the hardware address of a network interface);
- API – Application Programming Interface;
- OWASP – Open Web Application Security Project.
Tools for finding vulnerabilities in Android or iOS apps:
Ostorlab lets you test an Android or iOS app and get a detailed report on the results. Upload the app in APK or IPA format and the security report will be ready in a few minutes.
The maximum upload size is 60 MB. If your app is larger than 60 MB, you can contact the Ostorlab team to submit the file via an API request. Ostorlab is built on open source software such as Androguard and Radare2. I advise you to test your mobile app for free with Ostorlab.
Find the security gaps in your mobile app with Appvigil and get a detailed vulnerability report in minutes. Appvigil gives you not only a description of the possible threats but also recommendations on how to fix each vulnerability, so you can solve the problem quickly. You do not need to install anything, since everything is processed in the Appvigil cloud.
After you upload the APK or IPA file, a static and dynamic analysis of the application (Android/iOS) is performed, including a check for the presence of vulnerabilities from the
Quixxi is designed to provide mobile analytics, protect mobile apps and recover potential revenue. If you just need to check an app for vulnerabilities, upload the
The check takes a few minutes. When the scan is complete you get a brief vulnerability report; for the full report you need to register on the site, which is free.
As the name suggests, AndroTotal is only suitable for Android apps. AndroTotal checks the APK file for viruses and malicious code by aggregating the results of the following antivirus products:
If you need to quickly check your APK files for viruses, AndroTotal is a good solution.
Akana is an interactive app analysis tool for Android. It checks the app for malicious code and displays information about the results.
The check is free, so try it and see whether there is any malicious code in your Android app.
Nviso APKSCAN is another convenient online tool for checking an application for malicious code. The results may not be ready immediately, depending on your place in the queue; you can leave your email address and receive a notification when the report is ready.
I checked my app with Nviso and saw that the following is checked:
- disk activity;
- search for viruses;
- network traffic;
- ability to make a phone call or send an SMS;
- cryptographic activity;
- data leaks.
SandDroid performs static and dynamic analysis and generates a complete report. You can upload an APK file or a zip archive of up to 50 MB.
SandDroid is developed by the Botnet Research Team at Xi'an Jiaotong University. The following is checked:
- file size/hash, SDK version;
- network data, components, encoded properties, vulnerable APIs, IP analysis;
- data leaks, SMS messages, phone call tracking;
- risky behavior and the likelihood of a threat.
report and evaluate the security of your app.

I hope these vulnerability checking tools will help you test the security of your mobile app and fix any problems you find.

If you have your own website, you may be interested in automatically checking it for vulnerabilities.