Mobile App Security Test

  • iOS/Android Security Test
  • Mobile App Privacy Check
  • OWASP Mobile Top 10 Test
  • Static & Dynamic Mobile Scan
Free online tool to test your mobile security
806,975 applications tested

ImmuniWeb Community Edition - Mobile App Security Test

The Mobile App Security Test is a free online tool to perform security and privacy tests of Android and iOS mobile apps.

The service can test mobile applications for the following platforms:

Android

  • Native Applications
  • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

iOS

  • Native Applications
  • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.

We provide the following automated tests of the mobile application:

Please note that the most dangerous vulnerabilities usually reside in the mobile back end (i.e. Web Services and APIs) and not in the application itself. Therefore, to complement your mobile security testing, we strongly encourage you to thoroughly test the backend via ImmuniWeb® MobileSuite.

SAST

Mobile App Security Test performs Static Application Security Testing (SAST) to detect the following weaknesses and vulnerabilities:

  • Base64 Encoding

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses Base64 encoding. Make sure that no confidential or sensitive data is protected with Base64 instead of proper encryption, as Base64 can be trivially decoded to plaintext by an unskilled attacker.
  • Creation of world readable or writable files

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Description: The mobile application creates files with world readable or writable permissions. Such files can be accessed and modified by other applications, including malicious ones, thus jeopardizing the application's data integrity.
  • DOM Storage enabled in WebView

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application's WebView can store data locally via the DOM Storage component.
  • Disabled App Transport Security (ATS)

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-319
    CVSSv3 Base Score: N/A
    Description: ATS should be configured according to Apple's best practices and only be deactivated under specific circumstances. Disabling ATS restrictions can expose the application's users to Man-in-the-Middle (MiTM) attacks.
  • Dynamic load of code

    OWASP Mobile Top Ten: M7
    CWE-ID: CWE-94
    CVSSv3 Base Score: N/A
    Description: The mobile application dynamically loads executable code. Under certain circumstances this can be dangerous: for example, if the code is located on external storage (e.g. an SD card) that is world readable and/or writable, an attacker with access to that storage can inject code.
  • Enabled Application Backup

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application uses the Android backup functionality that may store sensitive data from the application. In certain conditions, this may lead to information disclosure (for example when a backup server or Gmail account is compromised).
  • Enabled Debug Mode

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
    Description: An application that allows debugging makes it easier for an attacker to reverse-engineer it, and can also allow an attacker with physical access to a victim's device to compromise sensitive information stored in the application's sandbox.
  • Exported Activities

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-926
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains exported activities that can be invoked by other applications residing on the mobile device, including malicious ones, to trigger a legitimate application activity in order to perform potentially sensitive actions.
  • Exported Broadcast Receivers

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-925
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains an exported receiver enabling other applications, including malicious ones, to send intents to it without restrictions.
    By default, Broadcast Receivers are exported in Android; as a result, any application will be able to send an intent to the application's Broadcast Receiver.
    To define which applications can send intents to the mobile application's Broadcast Receiver, set the relevant permissions in the Android Manifest file.
  • Exported Content Providers with insufficient protection

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-926
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains unprotected exported content providers that may disclose sensitive application data under certain conditions.
    Content providers are normally used to share data between different applications. If exported without due protection, any application installed on the device, including malicious ones, will be able to read the vulnerable application's data, including any confidential information contained therein.
    To securely export your content provider, restrict access to it by setting the 'android:protectionLevel' or 'android:grantUriPermissions' attributes in the Android Manifest file.
  • Exported Services

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-926
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains an exported service.
    By default, Android services are not exported and cannot be invoked by other applications.
    However, if an intent filter is defined for the service in the Android Manifest file, it is exported by default.
    Particular attention should be given to exported services: without specific permissions, they can be used by any other application, including malicious ones.
  • External data in SQL queries

    OWASP Mobile Top Ten: M7
    CWE-ID: CWE-89
    CVSSv3 Base Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
    Description: Inclusion of input into raw SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application, resulting in the compromise of any sensitive information stored within database files.
    The correct approach is to use prepared SQL statements whose structure is beyond the user's control.
  • External data storage

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
    Description: The mobile application can access external storage (e.g. an SD card) in read or write mode. Application data stored on external storage may be accessed by other applications (including malicious ones) under certain conditions, bringing risks of data theft, corruption or tampering.
  • Hardcoded Sensitive Data

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-200
    CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application contains potentially sensitive hardcoded data. An attacker with access to the mobile application package can easily extract this data and use it in further attacks.
  • Hardcoded data

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-200
    CVSSv3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Description: The mobile application contains debugging or potentially sensitive hardcoded data. An attacker with access to the mobile application package can easily extract this data and use it in further attacks.
  • Hardcoded encryption keys

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-798
    CVSSv3 Base Score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
    Description: Hardcoded encryption keys can jeopardize secure data storage and transmission within the mobile application by allowing an attacker to decrypt any potentially sensitive information.
  • Information Exposure

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-200
    CVSSv3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Description: The application contains URIs that should not be present inside it, such as a development endpoint. Developers often leave hidden backdoor functionality or other internal development controls in place that were never intended to be released to a production environment. Examples are a password left in a comment in a hybrid app, or a code segment that disables two-factor authentication during testing. The defining characteristic of this risk is functionality left enabled in the app that was not intended to be released.
  • JS CORS enabled in WebView

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-749
    CVSSv3 Base Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: Cross-Origin Resource Sharing (CORS) is enabled in WebView. JavaScript used in the mobile application can send data to and receive data from arbitrary remote hosts. This is a risk if a remote host is impersonated or compromised.
  • JS enabled in a WebView

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-749
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application has enabled JavaScript in WebView. By default, JavaScript is disabled in WebView; enabling it can introduce various JS-related security issues, such as Cross-Site Scripting (XSS) attacks.
  • List of Android Permissions

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: Android permissions give a mobile application different rights and access to different components of the Android system.
    The user can see and define the requested permissions during the installation of the application.
    Permissions are set in the Manifest file, but since Android 6.0 they can also be requested dynamically at application run-time.
  • List of Application Components

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all Activities, Providers, Receivers and Services present in the mobile application.
  • List of Methods and Functions to access local filesystem

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all methods and functions used to access the local filesystem, such as Keychain, kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAfterFirstUnlock, SecItemAdd, SecItemUpdate and NSDataWritingFileProtectionComplete.
  • List of cipher suites

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of cipher suites used in the mobile application.
  • List of libraries

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of libraries used by the mobile application. Pay special attention to third-party libraries, especially connectivity libraries, and make sure they are up to date.
  • List of potentially sensitive files

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of potentially interesting files that may endanger the privacy or security of the application if accessed by an attacker.
  • Low protection level

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses a low protection level for its components. Protection levels are used with the permission element in the Android Manifest; they allow developers to set custom permissions for Android components, such as activities and content providers.
    If the protection level is too low, it can allow other applications to access components of the application.
  • Missing anti-emulation

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application does not use any anti-emulation or anti-debugging techniques (e.g. detecting rooted devices or checking whether contacts are authentic).
    This can significantly facilitate application debugging and reverse engineering.
  • Missing tapjacking protection

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-451
    CVSSv3 Base Score: 3.3 (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
    Description: By default on Android 6.0 and lower, Android allows applications to draw overlays over portions of the phone screen while touch events are still delivered to the underlying activities. This can be used by an attacker to trick application users into performing sensitive actions in a legitimate application (e.g. sending a payment) that they did not intend to perform.
  • Network Security Configuration is not present

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application does not use a Network Security Configuration to define which certificates and Certificate Authorities (CAs) can be used for different environments (e.g. Development, Test and Production). The Android Network Security Configuration feature lets application developers customize their network security settings in a safe, declarative configuration file without modifying the application code.
  • Object deserialization found

    OWASP Mobile Top Ten: M7
    CWE-ID: CWE-502
    CVSSv3 Base Score: N/A
    Description: Object deserialization performed on an untrusted resource (e.g. user-supplied input or external storage) can be dangerous if the data being deserialized has been tampered with by an attacker.
  • Possible Man-In-The-Middle Attack

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-297
    CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
    Description: Improper or disabled hostname verification of backend SSL/TLS certificates can expose mobile application users to MITM attacks under certain conditions.
  • Predictable Random Number Generator

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-338
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application uses a predictable Random Number Generator (RNG).
    Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if encryption tokens are generated inside the application, an attacker may be able to supply a predictable token that the application validates before executing a sensitive activity within the application or its backend.
  • Remote URL load in WebView

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-749
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: Loading a remote URL in a WebView can be a dangerous practice and can lead to Cross-Site Scripting (XSS) attacks. Verify the interactions made with the WebView and ensure the trustworthiness, integrity and reliability of the third-party URLs used in the mobile application.
  • Self-signed CA enabled in WebView

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-297
    CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
    Description: The mobile application's WebView accepts self-signed and otherwise untrusted certificates. This creates a risk of Man-in-the-Middle (MITM) attacks under many circumstances.
  • Temporary file creation

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application creates temporary files. Although cache files are usually private by default, it is recommended to make sure that temporary files are securely deleted once the application no longer needs them.
  • URI filesystem access enabled in WebView

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application's WebView allows "file://" URI access, which permits reading files in internal and external storage. If the victim is tricked into visiting a maliciously crafted webpage in the WebView, files containing sensitive information stored in private storage may be exfiltrated.
  • Usage of Android's TrustManager

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application may allow some untrusted Certificate Authorities (CAs) to be used. A custom TrustManager allows developers to accept certificates not trusted by Android. This feature can greatly facilitate MiTM attacks: if such a TrustManager is set up, an attacker would be able to intercept and manipulate the HTTPS traffic.
  • Usage of KeyStore

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses the Android KeyStore system component to add public and private key pairs to the system.
  • Usage of SQL

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application interacts with local SQLite databases.
  • Usage of Sockets

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses network sockets.
  • Usage of WebView

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses WebView to display web pages.
  • Usage of implicit intent

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-927
    CVSSv3 Base Score: N/A
    Description: The mobile application uses an implicit intent that may be insecure under certain conditions.
    Intents enable mobile applications to communicate with each other by requesting other applications to perform actions for which they are better suited. An implicit intent, however, does not specify which particular application should receive the request. If a malicious application is installed on the victim's device, it may also receive the implicit intent, respond to it and perform some action instead of, or in addition to, the legitimate application.
  • Usage of intent filter

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-927
    CVSSv3 Base Score: N/A
    Description: The mobile application uses an intent filter. Intent filters should not be relied on for security purposes, because they place no restrictions on explicit intents sent to the component and can allow other applications on the same device to interact with it directly. Intent filters are defined in the Android Manifest file; they let developers choose which types of intents their application components are supposed to receive and handle.
  • Usage of logging

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses logging. Android uses a logging system with a selectable verbosity level (verbose, info, debug, warning and error).
    These logs may contain sensitive data and endanger the application if they are accessed by a malicious application on the same device on Android versions earlier than 4.3.1, or on devices whose manufacturers expose the logs.
  • Usage of system command

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses system commands. Under certain conditions this can lead to arbitrary command execution.
  • Usage of unencrypted HTTP protocol

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-319
    CVSSv3 Base Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
    Description: The mobile application uses the HTTP protocol to send or receive data. The HTTP protocol does not provide any encryption of the transmitted data, which can be easily intercepted if an attacker is located on the same network or has access to the victim's data channel.
  • Usage of weak Initialization Vector

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-329
    CVSSv3 Base Score: 4.4 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: When Cipher Block Chaining (CBC) or Cipher Feedback (CFB) modes are used for encryption, the Initialization Vector must be random and unpredictable; a fixed or predictable IV weakens the encryption.
  • Use of unencrypted HTTP protocol

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-319
    CVSSv3 Base Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
    Description: The mobile application uses the HTTP network protocol, which is prone to data interception if an attacker is located on the same network as the application's user or has access to the victim's data channel.
  • Weak encryption

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-327
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: Weak or badly implemented encryption algorithms can endanger data storage and transmission used by the mobile application.
  • Weak hashing algorithms

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-916
    CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application uses weak hashing algorithms. Weak hashing algorithms (e.g. MD2, MD4, MD5 or SHA-1) can be vulnerable to collisions and other security weaknesses, and should not be used when reliable hashing of data is required.
  • WebView can access Content Providers

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application allows WebView to access Content Providers. If WebView can access Content Providers, malicious applications on the same device can use content URIs such as 'content://' to communicate with a Content Provider in order to read stored information or perform actions.
    If this feature is enabled, ensure that no sensitive information is provided by the content provider, and that no potentially harmful actions are carried out by it.
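A static check of the kind the SAST list above describes for exported components, protection levels, debug mode, application backup and the Network Security Configuration, written here as an added Python example (not ImmuniWeb's tooling) over a constructed AndroidManifest.xml. The rule that an omitted android:exported means "exported if an intent-filter is present" is the pre-Android 12 default and is an assumption of this example; the sample manifest and the Finding/analyze_manifest names are constructed for it.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest: a launcher activity, an explicitly private
# activity, an exported receiver, a signature-guarded service and a provider
# guarded only by a "normal" custom permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <permission android:name="com.example.demo.READ_DATA" android:protectionLevel="normal"/>
  <permission android:name="com.example.demo.ADMIN" android:protectionLevel="signature"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <receiver android:name=".UpdateReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:permission="com.example.demo.ADMIN">
      <intent-filter><action android:name="com.example.demo.SYNC"/></intent-filter>
    </service>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true" android:readPermission="com.example.demo.READ_DATA"/>
  </application>
</manifest>
"""


@dataclass(frozen=True)
class Finding:
    check: str   # check name, following the SAST list above
    target: str  # component name or "application"
    detail: str


def _attr(elem, name):
    """Read an android:* attribute; ElementTree needs the namespace spelled out."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(elem):
    """Android's rule: an explicit android:exported wins; otherwise the component
    is exported exactly when it declares an intent-filter (assumption: the
    pre-Android 12 semantics, where the attribute may be omitted)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return elem.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return the Findings for one manifest, in document order."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    # Application-level flags: debuggable, backup (allowBackup defaults to true
    # when absent) and a missing Network Security Configuration reference.
    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(Finding("Enabled Debug Mode", "application", "android:debuggable=true"))
    if (_attr(app, "allowBackup") or "true").lower() == "true":
        findings.append(Finding("Enabled Application Backup", "application",
                                "android:allowBackup is not set to false"))
    if _attr(app, "networkSecurityConfig") is None:
        findings.append(Finding("Network Security Configuration is not present",
                                "application", "no android:networkSecurityConfig"))

    # Custom permissions declared by this app; protectionLevel defaults to "normal".
    levels = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
              for p in root.iter("permission")}

    for kind in COMPONENTS:
        for comp in app.iter(kind):
            name = _attr(comp, "name") or "?"
            if not _is_exported(comp):
                continue
            # Providers may be guarded by read/write permissions instead of android:permission.
            guards = [g for g in (_attr(comp, "permission"), _attr(comp, "readPermission"),
                                  _attr(comp, "writePermission")) if g]
            if not guards:
                findings.append(Finding("Exported %s without permission" % kind, name,
                                        "any application on the device can reach it"))
                continue
            for g in guards:
                # Only permissions declared in this manifest are judged; other names
                # may be system permissions whose level this file does not show.
                if levels.get(g) == "normal":
                    findings.append(Finding("Low protection level", name,
                                            "%s has protectionLevel normal" % g))
    return findings
```

The launcher activity is reported too, as the page's "Exported Activities" check does; the point of the report is review, and an exported component with a signature-level guard (the service here) is not flagged.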

DAST

Mobile App Security Test performs Dynamic Application Security Testing (DAST) to detect the following weaknesses and vulnerabilities:

  • Cleartext SQLite database

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-312
    CVSSv3 Base Score: 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
    Description: The mobile application uses an unencrypted SQLite database.
    This database can be accessed by an attacker with physical access to the mobile device, or by a malicious application with root access to the device.
    The application should not store sensitive information in clear text.
  • Custom URL schemes

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-16
    CVSSv3 Base Score: N/A
    Description: Security issues arise when an app processes calls to its URL scheme without properly validating the URL and its parameters, and when users are not prompted for confirmation before an important action is triggered.
  • Deprecated URL scheme methods

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-16
    CVSSv3 Base Score: N/A
    Description: URL schemes offer a potential attack vector into your app, so make sure to validate all URL parameters and discard any malformed URLs. In addition, limit the available actions to those that do not put the user's data at risk; for example, do not allow other apps to directly delete content or access sensitive information about the user. When testing your URL-handling code, make sure your test cases include improperly formatted URLs.
  • Dynamic load of code

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: Under certain circumstances, dynamic loading of code can be dangerous. If the code is located on external storage (e.g. an SD card) that is world readable and/or writable, this can lead to code injection.
  • Exposure of potentially sensitive data

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-200
    CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application may expose potentially sensitive information at runtime.
  • Insecure WebView usage

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-16
    CVSSv3 Base Score: N/A
    Description: WebViews are in-app browser components for displaying interactive web content; they can be used to embed web content directly into an app's user interface. iOS WebViews support JavaScript execution by default, so script injection and Cross-Site Scripting attacks can affect them. UIWebView is deprecated starting with iOS 12 and should not be used. WKWebView was introduced with iOS 8 and is the appropriate choice for extending app functionality, but it should be properly configured.
  • List of Binary Cookies

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of binary cookies set by the mobile application. iOS stores cookies inside binary files if the application uses WebView or Safari. These cookies can sometimes contain sensitive information and should be handled with care.
  • List of Read or Write file operations

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all read or write file operations made by the mobile application at runtime.
  • List of Receivers activities

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all broadcasts or intents from the mobile application, such as system broadcasts (e.g. shutdown, airplane mode, etc.), or custom broadcasts made by the application.
  • List of networking activities

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all networking activities performed by the application at runtime through Android API functions, such as HTTP/HTTPS connections or the use of Socket, Proxy, etc.
  • List of placed phone calls

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all placed phone calls made by the mobile application during its runtime.
  • List of remote hosts

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of remote hosts accessed by the mobile application at runtime.
  • List of sent Intents

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all intents sent by the mobile application during its runtime.
  • List of sent SMS/MMS

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all SMS and MMS messages sent or read by the mobile application during its runtime.
  • List of started services

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all services started by the mobile application during its runtime.
  • Precompiled code execution

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of precompiled code executions performed by the mobile application at runtime. Under certain circumstances, precompiled code execution can be dangerous and should be used with great care when the application is processing untrusted input (i.e. input controllable by an attacker).
  • Usage of Encryption methods and classes

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all Android API encryption operations and encryption keys used by the mobile application.

Behavioral

Mobile App Security Test performs behavioral testing to detect when the mobile application tries to use the following Mobile Application Permissions:

Android

  • Calendar

    Description: The mobile application can read or write phone's calendar and its data.
  • Camera

    Description: The mobile application can use the camera for taking pictures or videos.
  • Contacts

    Description: The mobile application can read or write the phone's contacts.
  • Location

    Description: The mobile application has access to the geographical location of the mobile phone.
  • Microphone

    Description: The mobile application can record audio using phone’s microphone.
  • NFC

    Description: The mobile application can perform I/O operations over Near-Field Communications (NFC).
  • Phone

    Description: The mobile application can answer and place calls, or access/modify phone state.
  • SMS

    Description: The mobile application can read, write, receive or broadcast SMS and SMS receipt notifications.
  • Sensors

    Description: The mobile application can access data from phone’s body sensors (e.g. heart rate sensor).
  • Storage

    Description: The mobile application can access external storage (e.g. SD card) in a write or read mode.

iOS

  • Accelerometer

    Description: The mobile application can use device’s accelerometers.
  • Bluetooth

    Description: The mobile application can access phone’s Bluetooth interface.
  • Calendar

    Description: The mobile application can read or write to user's calendar and its data.
  • Camera

    Description: The mobile application can use phone’s camera for taking pictures or videos.
  • Contacts

    Description: The mobile application can read or write to user's contacts.
  • Face ID

    Description: The mobile application can use Apple’s Face ID.
  • Health

    Description: The mobile application can access or modify the user's health data stored on the phone.
  • HomeKit

    Description: The mobile application can use HomeKit’s configuration data.
  • Location

    Description: The mobile application has access to the user's geographical location.
  • Media

    Description: The mobile application has access to the mobile phone's media (e.g. music or photos) in read and/or write mode.
  • Microphone

    Description: The mobile application can record audio using phone’s microphone.
  • NFC

    Description: The mobile application can use Near-Field Communications (NFC) reader.
  • Reminders

    Description: The mobile application has access to Calendar and Reminder data.
  • TV provider accounts

    Description: The mobile application has access to TV provider accounts.

Software Composition Analysis

The mobile application uses third-party libraries that may represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.

External Communications and Outgoing Traffic

A specific SAST test reveals all remote hosts present in the source code of the mobile application to which the application may connect to send or receive data when a specific event occurs (e.g. a user action).

Mobile Application Outgoing Traffic

A specific DAST test provides a comprehensive list of all HTTP/S requests sent by the mobile application without user interaction.