Mobile App Security Test
The ImmuniWeb® Community Edition is a collection of free online tools provided by ImmuniWeb SA pursuant to these Terms of Service for small and medium businesses, municipal and local governments, colleges and universities, students and individual software engineers, as well as other entities, to help them make their applications more secure, reduce their cyber risks and improve their cybersecurity posture, data protection and privacy practices.
Mobile App Security Test: Scope and Coverage
The Mobile App Security Test is a free online tool to perform security and privacy tests of Android and iOS mobile applications.
The service can test mobile applications for the following platforms:
Android
- Native Applications
- Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
iOS
- Native Applications
- Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.
We provide the following automated tests of the mobile application:
- Mobile Security Scan for OWASP Mobile Top 10
- Behavior Testing for malicious functionality and privacy
- Mobile App Software Composition Analysis Report
- Mobile Application Outgoing Traffic
Please note that the most dangerous vulnerabilities usually reside in the mobile back end (i.e. Web Services and APIs) and not in the application. Therefore, to complement your mobile security testing, we strongly encourage you to comprehensively test both the mobile application and its back end via ImmuniWeb® MobileSuite.
How-To Test
Below are simple instructions on how to use the Mobile App Security Test for your Android and iOS applications.
All you need is a valid APK, AAB or IPA archive for the application.
Please follow the steps below:
- Click on the "Choose file" button and select the APK, AAB or IPA. The file upload will start immediately.
- Once uploaded, the test will take approximately ten minutes, depending on application size and complexity, as well as our current system load.
- Once the test is finished, you will be provided with a detailed report. You can delete the report yourself just after the test.
Vulnerability Coverage for OWASP Mobile Top 10
During the scan, your mobile application will be tested for the following weaknesses and vulnerabilities:
OWASP Mobile Top 10
- M1: Improper Credential Usage
- M2: Inadequate Supply Chain Security
- M3: Insecure Authentication/Authorization
- M4: Insufficient Input/Output Validation
- M5: Insecure Communication
- M6: Inadequate Privacy Controls
- M7: Insufficient Binary Protections
- M8: Security Misconfiguration
- M9: Insecure Data Storage
- M10: Insufficient Cryptography
Behavioral
The Mobile App Security Test performs behavioral testing to detect when the mobile application tries to access some Mobile Application Permissions.
Mobile App Software Composition Analysis Report
The mobile application uses third-party libraries that may represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.
Mobile App External Communications Report
This test reveals all remote hosts present in the source code of the mobile application to which the application may connect to send or receive data when a specific event occurs (e.g. a user action).