Mobile App Security Test

  • iOS/Android Security Test
  • Mobile App Privacy Check
  • OWASP Mobile Top 10 Test
  • Mobile Security Scan
Free online tool to test mobile app's security
857,307 mobile applications tested

ImmuniWeb Community Edition - Mobile App Security Test

The ImmuniWeb® Community Edition is a collection of free online tools provided by ImmuniWeb SA pursuant to these Terms of Service for small and medium businesses, municipal governments, colleges and universities, software engineers, and other entities and individuals, to help them make their applications more secure and reduce their cyber risks.

The Mobile App Security Test is a free online tool to perform security and privacy tests of Android and iOS mobile apps.

The service can test mobile applications for the following platforms:

Android

  • Native Applications
  • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

iOS

  • Native Applications
  • Hybrid Applications (Cordova, PhoneGap, React, Xamarin)

It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.

We provide the automated tests of the mobile application listed under Mobile Security Scan below.

Please note that the most dangerous vulnerabilities usually reside in the mobile back end (i.e. web services and APIs) and not in the application itself. Therefore, to complement your mobile security testing, we strongly encourage you to thoroughly test the back end via ImmuniWeb® MobileSuite.

How-To Test

Below are simple instructions on how to use Mobile App Security Test for your Android and iOS applications.

All you need is a valid APK, AAB or IPA archive of the application. APKs can either be compiled from the application source code or, if the application is already in the Google Play market, downloaded via F-Droid or androidappsapk.co.

Please follow the steps below:

  • Click on the "Choose file" button and select the APK, AAB or IPA; the file upload will start immediately.
  • Once uploaded, the test takes approximately ten minutes, depending on application size and complexity, as well as our current system load.
  • Once the test is finished, you will be provided with a detailed report. The report is located at a secret link available only to you. It is stored for your convenience for 90 days and then automatically deleted; you can also delete the report yourself right after the test.

Mobile Security Scan

Mobile App Security Test performs Application Security Testing to detect the following weaknesses and vulnerabilities:

  • Base64 Encoding

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses Base64 encoding. Make sure that no confidential or sensitive data uses Base64 instead of proper encryption, as it can be trivially decoded to plaintext by a non-skilled attacker.
  • Creation of world readable or writable files

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Description: The mobile application creates files with world readable or writable permissions. Such files can be accessed and modified by other applications, including malicious ones, thus jeopardizing the application's data integrity.
  • DOM Storage enabled in WebView

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application’s WebView can store data locally via the DOM Storage component.
  • Disabled App Transport Security (ATS)

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-319
    CVSSv3 Base Score: N/A
    Description: ATS should be configured according to Apple's best practices and only be deactivated under specific circumstances. Disabling ATS restrictions can expose the application's users to Man-in-the-Middle (MITM) attacks.
  • Dynamic load of code

    OWASP Mobile Top Ten: M7
    CWE-ID: CWE-94
    CVSSv3 Base Score: N/A
    Description: The mobile application loads executable code dynamically. Under certain circumstances, dynamic code loading can be dangerous. For example, if the code is located on external storage (e.g. an SD card) that is world readable and/or writable and an attacker can access it, this can lead to a code injection vulnerability.
  • Enabled Application Backup

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application uses the Android backup functionality that may store sensitive data from the application. In certain conditions, this may lead to information disclosure (for example when a backup server or Gmail account is compromised).
  • Enabled Debug Mode

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
    Description: An application that allows debugging makes it easier for an attacker to reverse-engineer it, and can also allow an attacker with physical access to a victim’s device to compromise sensitive information stored in the application’s sandbox.
  • Exported Activities

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-926
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains exported activities that can be invoked by other applications residing on the mobile device, including malicious ones, to trigger a legitimate application activity in order to perform potentially sensitive actions.
  • Exported Broadcast Receivers

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-925
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains an exported receiver that enables other applications, including malicious ones, to send it intents without restrictions. By default, a Broadcast Receiver with an intent filter is exported in Android, so any application is able to send an intent to the application's Broadcast Receiver. To define which applications can send intents to the mobile application’s Broadcast Receiver, set the relevant permissions in the Android Manifest file.
  • Exported Content Providers with insufficient protection

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-926
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains unprotected exported content providers that may disclose sensitive application data under certain conditions. Content providers are normally used to share data between different applications. If exported without due protection, any application installed on the device, including malicious ones, will be able to read the vulnerable application’s data, including any confidential information contained therein. To securely export your content provider, restrict access to it by setting the 'android:protectionLevel' or 'android:grantUriPermissions' attributes in the Android Manifest file.
  • Exported Services

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-926
    CVSSv3 Base Score: 3.6 (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application contains an exported service. By default, Android services are not exported and cannot be invoked by other applications. However, if an intent filter is defined for the service in the Android Manifest file, it is exported by default. Particular attention should be given to exported services, as without specific permissions they can be used by any other application, including malicious ones.
  • External data in SQL queries

    OWASP Mobile Top Ten: M7
    CWE-ID: CWE-89
    CVSSv3 Base Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
    Description: Inclusion of input into raw SQL queries can potentially lead to a local SQL injection vulnerability in the mobile application, resulting in the compromise of any sensitive information stored within database files. The correct approach is to use prepared SQL statements whose structure is beyond the user's control.
  • External data storage

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-921
    CVSSv3 Base Score: 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
    Description: The mobile application can access external storage (e.g. an SD card) in read or write mode. Application data stored on external storage may be accessed by other applications (including malicious ones) under certain conditions, bringing risks of data theft, corruption or tampering.
  • Hardcoded Sensitive Data

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-200
    CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application contains potentially sensitive hardcoded data. An attacker with access to the mobile application can easily extract this data from the application and use it in further attacks.
  • Hardcoded data

    OWASP Mobile Top Ten: M2
    CWE-ID: CWE-200
    CVSSv3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Description: The mobile application contains debugging or potentially sensitive hardcoded data. An attacker with access to the mobile application can easily extract this data from the application and use it in further attacks.
  • Hardcoded encryption keys

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-798
    CVSSv3 Base Score: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
    Description: Hardcoded encryption keys can jeopardize secure data storage and transmission within the mobile application by allowing an attacker to decrypt any potentially sensitive information.
  • Information Exposure

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-200
    CVSSv3 Base Score: 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    Description: The application contains potential information exposure of URIs that should not be present inside the application, such as a development endpoint. Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. An example is a password as a comment in a hybrid app or a code segment that disables 2-factor authentication during testing. The defining characteristic of this risk is leaving functionality enabled in the app that was not intended to be released.
  • JS CORS enabled in WebView

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-749
    CVSSv3 Base Score: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: Cross-Origin Resource Sharing (CORS) is enabled in WebView. JavaScript used in the mobile application can send data to and receive data from arbitrary remote hosts. This can be a risk if the remote host is impersonated or compromised.
  • JS enabled in a WebView

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-749
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application has enabled JavaScript in WebView. By default, JavaScript is disabled in WebView; enabling it can bring various JS-related security issues, such as Cross-Site Scripting (XSS) attacks.
  • List of Android Permissions

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: Android permissions grant a mobile application different rights and access to different components of the Android system. The user can see and define the requested permissions during the installation of the application. Permissions are declared in the Manifest file, but since Android 6.0 they can also be requested dynamically at application run-time.
  • List of Application Components

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all Activities, Providers, Receivers and Services present in the mobile application.
  • List of Method and Functions to access local filesystem

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of all methods and functions used to access the local filesystem, such as Keychain, kSecAttrAccessibleWhenUnlocked, kSecAttrAccessibleAfterFirstUnlock, SecItemAdd, SecItemUpdate and NSDataWritingFileProtectionComplete.
  • List of cipher suites

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of cipher suites used in the mobile application.
  • List of libraries

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of libraries used by the mobile application. Pay special attention to third-party libraries, especially connectivity libraries, and make sure they are up to date.
  • List of potentially sensitive files

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: List of potentially interesting files that may endanger privacy or security of the application if accessed by an attacker.
  • Low protection level

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses a low level of protection for its components. Protection levels are used with the permission element in Android Manifest. It allows developers to set custom permissions for Android components, such as activities and content providers. If the protection level is too low, it can allow other applications to access components of the application.
  • Missing anti-emulation

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application does not use any anti-emulation or anti-debugger techniques (e.g. detecting rooted devices or checking if contacts are authentic). This can significantly facilitate application debugging and reverse-engineering processes.
  • Missing tapjacking protection

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-451
    CVSSv3 Base Score: 3.3 (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
    Description: By default on Android 6.0 and lower, Android allows applications to draw overlays over portions of the phone screen and permits touch events to be passed to the underlying activities. This can be used by an attacker to trick application users into performing sensitive actions in a legitimate application (e.g. sending a payment) that they do not intend to perform.
  • Network Security Configuration is not present

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application does not use Network Security Configuration to define which certificates and Certificate Authorities (CAs) can be used for different environments (e.g. Development, Test and Production). Android's Network Security Configuration feature lets application developers customize their network security settings in a safe, declarative configuration file without modifying the application code.
  • Object deserialization found

    OWASP Mobile Top Ten: M7
    CWE-ID: CWE-502
    CVSSv3 Base Score: N/A
    Description: Object deserialization performed on an untrusted resource (e.g. user-supplied input or external storage), can be dangerous if the data for deserialization is tampered with by an attacker.
  • Possible Man-In-The-Middle Attack

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-297
    CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
    Description: Improper or disabled hostname verification of backend SSL/TLS certificates can expose mobile application users to MITM attacks under certain conditions.
  • Predictable Random Number Generator

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-338
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: The mobile application uses a predictable Random Number Generator (RNG). Under certain conditions this weakness may jeopardize mobile application data encryption or other protection based on randomization. For example, if security tokens are generated inside the application, an attacker may be able to supply a predictable token that the application accepts as valid, and then execute a sensitive activity within the application or its backend.
  • Remote URL load in WebView

    OWASP Mobile Top Ten: M10
    CWE-ID: CWE-749
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: Loading a remote URL can be a dangerous practice in WebView, and can lead to Cross-Site Scripting attacks (XSS). Verify the interactions made with WebView and ensure the trustworthiness, integrity and reliability of third-party URLs used in the mobile application.
  • Self-signed CA enabled in WebView

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-297
    CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
    Description: The mobile application’s WebView accepts self-signed and otherwise untrusted certificates. This may create a risk of Man-in-the-Middle (MITM) attacks under many circumstances.
  • Temporary file creation

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application creates temporary files. Although cache files are usually private by default, it is recommended to make sure that temporary files are securely deleted once the application no longer requires them.
  • URI filesystem access enabled in WebView

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application’s WebView uses URI "file://" access that allows accessing files in internal and external storage. If the victim user is tricked into visiting a maliciously crafted webpage in the WebView, files containing sensitive information that are stored in private storage may be exfiltrated.
  • Usage of Android's TrustManager

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application may allow some untrusted Certificate Authorities (CAs) to be used. A custom TrustManager allows developers to accept certificates not trusted by Android. This feature can tremendously facilitate MITM attacks: if a TrustManager that accepts untrusted certificates is installed, an attacker would be able to intercept and manipulate the HTTPS traffic.
  • Usage of KeyStore

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses the Android KeyStore system component to store public and private key pairs in the system.
  • Usage of SQL

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application interacts with local SQLite databases.
  • Usage of Sockets

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses network sockets.
  • Usage of WebView

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses WebView to display web pages.
  • Usage of implicit intent

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-927
    CVSSv3 Base Score: N/A
    Description: The mobile application uses an implicit intent that may be insecure under certain conditions. Intents enable mobile applications to communicate with each other by requesting that actions be performed by the application best suited for them. An implicit intent, however, does not specify which particular application should receive the request. If a malicious application is installed on the victim’s device, it may also receive the implicit intent, respond to it and perform some action instead of, or in addition to, the legitimate application.
  • Usage of intent filter

    OWASP Mobile Top Ten: M1
    CWE-ID: CWE-927
    CVSSv3 Base Score: N/A
    Description: The mobile application uses an intent filter. Intent filters are defined in the Android Manifest file and let developers choose which types of intents their application components are supposed to receive and handle. Intent filters should not be relied on for security purposes, because they place no restrictions on explicit intents sent to the component, and so other applications on the same device can still interact with it directly.
  • Usage of logging

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses logging. Android uses a logging system with the possibility to choose the verbosity level (verbose, info, debug, warning and error). These logs may contain sensitive data and endanger the application if they are accessed by a malicious application on the same device on Android versions earlier than 4.3.1, or on devices whose manufacturers expose the logs.
  • Usage of system command

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application uses system commands. Under certain conditions this can lead to arbitrary command execution.
  • Usage of unencrypted HTTP protocol

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-319
    CVSSv3 Base Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
    Description: The mobile application uses the HTTP protocol to send or receive data. The HTTP protocol does not provide any encryption of the transmitted data, which can be easily intercepted by an attacker located on the same network or with access to the victim's data channel.
  • Usage of weak Initialization Vector

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-329
    CVSSv3 Base Score: 4.4 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
    Description: When Cipher Block Chaining (CBC) or Cipher Feedback (CFB) modes are used in encryption, the Initialization Vector must be unpredictable and random.
  • Use of unencrypted HTTP protocol

    OWASP Mobile Top Ten: M3
    CWE-ID: CWE-319
    CVSSv3 Base Score: 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
    Description: The mobile application uses the HTTP network protocol, which is prone to data interception if an attacker is located on the same network as the application’s user or has access to the victim's data channel.
  • Weak encryption

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-327
    CVSSv3 Base Score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Description: Weak or badly implemented encryption algorithms can endanger data storage and transmission used by the mobile application.
  • Weak hashing algorithms

    OWASP Mobile Top Ten: M5
    CWE-ID: CWE-916
    CVSSv3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    Description: The mobile application uses weak hashing algorithms. Weak hashing algorithms (e.g. MD2, MD4, MD5 or SHA-1) can be vulnerable to collisions and other security weaknesses, and should not be used when reliable hashing of data is required.
  • WebView can access Content Providers

    OWASP Mobile Top Ten: N/A
    CWE-ID: N/A
    CVSSv3 Base Score: N/A
    Description: The mobile application allows WebView to access Content Providers. If WebView can access Content Providers, malicious applications on the same device can access content URIs such as 'content://' to communicate with a Content Provider in order to access stored information or perform actions. If this feature is enabled, ensure that no sensitive information is provided by the content provider, or that no potentially harmful actions are carried out by it.
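Several of the findings above (Enabled Debug Mode, Enabled Application Backup, the four exported-component checks, and the Network Security Configuration checks) are decided purely from the app's AndroidManifest.xml and res/xml/network_security_config.xml. The script below is an added example, written for this page and not ImmuniWeb's own scanner, that reproduces those manifest-level checks with the Python standard library. It applies Android's export defaults (an explicit android:exported wins; otherwise an activity, service or receiver with an intent-filter is exported, while a provider is not, which assumes targetSdkVersion 17 or later), excludes the MAIN/LAUNCHER activity that has to be exported, and treats a component as protected when android:permission (or, for providers, readPermission/writePermission) is set. Both XML documents and the finding names for the network configuration checks are constructed for this example.

```python
"""Manifest-level checks in the spirit of the list above (added example, not ImmuniWeb code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a launcher activity (legitimately exported), an exported
# payment activity, a receiver exported implicitly by its intent-filter, a
# permission-protected service, and one exported and one private content provider.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PaymentActivity" android:exported="true"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.demo.permission.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="true"/>
    <provider android:name=".PrivateProvider" android:authorities="com.example.demo.private" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample network security config: permits cleartext traffic and trusts user-installed CAs.
SAMPLE_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors>
  </base-config>
</network-security-config>"""

LABELS = {  # finding names follow the page's list
    "activity": "Exported Activities",
    "service": "Exported Services",
    "receiver": "Exported Broadcast Receivers",
    "provider": "Exported Content Providers with insufficient protection",
}


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_launcher(component):
    """The MAIN/LAUNCHER activity must be exported, so it is not reported."""
    for flt in component.findall("intent-filter"):
        actions = {attr(a, "name") for a in flt.findall("action")}
        categories = {attr(c, "name") for c in flt.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def is_exported(component):
    """Android's defaults: explicit android:exported wins; otherwise an activity, service or
    receiver with an intent-filter is exported, and a provider is not (targetSdk >= 17 assumed)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def check_manifest(xml_text):
    """Return (finding, detail) pairs for risky application flags and unprotected exports."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("Enabled Debug Mode", 'android:debuggable="true"'))
    if attr(app, "allowBackup", "true") == "true":  # the attribute defaults to true
        findings.append(("Enabled Application Backup", "android:allowBackup is not false"))
    for tag, label in LABELS.items():
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            protected = attr(comp, "permission") is not None
            if tag == "provider":  # providers may instead be guarded per direction
                protected = protected or attr(comp, "readPermission") is not None \
                    or attr(comp, "writePermission") is not None
            if not protected:
                findings.append((label, attr(comp, "name")))
    return findings


def check_network_config(xml_text):
    """xml_text is None when the app ships no res/xml/network_security_config.xml."""
    if xml_text is None:
        return [("Network Security Configuration is not present", "no config file referenced")]
    root = ET.fromstring(xml_text)
    findings = []
    for cfg in root.iter():
        if cfg.tag in ("base-config", "domain-config") and cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(("Cleartext traffic permitted", f'<{cfg.tag} cleartextTrafficPermitted="true">'))
    if any(c.get("src") == "user" for c in root.iter("certificates")):
        findings.append(("User-installed CAs trusted", '<certificates src="user"/>'))
    return findings


if __name__ == "__main__":
    for name, detail in check_manifest(SAMPLE_MANIFEST) + check_network_config(SAMPLE_NSC):
        print(f"{name}: {detail}")
```

On a real APK the manifest is stored in binary XML; decode it first (for example with apktool or aapt2) and feed the resulting text to check_manifest. The "Network Security Configuration is not present" branch corresponds to an application element with no android:networkSecurityConfig attribute; how that absence is detected is left to the caller here.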

Behavioral

Mobile App Security Test performs behavioral testing to detect when the mobile application tries to use the following permissions:

Android

  • Calendar

    Description: The mobile application can read or write phone's calendar and its data.
  • Camera

    Description: The mobile application can use the camera for taking pictures or videos.
  • Contacts

    Description: The mobile application can read or write the phone's contacts.
  • Location

    Description: The mobile application has access to the geographical location of the mobile phone.
  • Microphone

    Description: The mobile application can record audio using phone’s microphone.
  • NFC

    Description: The mobile application can perform I/O operations over Near-Field Communications (NFC).
  • Phone

    Description: The mobile application can answer and place calls, or access/modify phone state.
  • SMS

    Description: The mobile application can read, write, receive or broadcast SMS and SMS receipt notifications.
  • Sensors

    Description: The mobile application can access data from phone’s body sensors (e.g. heart rate sensor).
  • Storage

    Description: The mobile application can access external storage (e.g. SD card) in a write or read mode.

iOS

  • Accelerometer

    Description: The mobile application can use device’s accelerometers.
  • Bluetooth

    Description: The mobile application can access phone’s Bluetooth interface.
  • Calendar

    Description: The mobile application can read or write to user's calendar and its data.
  • Camera

    Description: The mobile application can use phone’s camera for taking pictures or videos.
  • Contacts

    Description: The mobile application can read or write to user's contacts.
  • Face ID

    Description: The mobile application can use Apple’s Face ID.
  • Health

    Description: The mobile application can access or modify the user’s health data stored on the phone.
  • HomeKit

    Description: The mobile application can use HomeKit’s configuration data.
  • Location

    Description: The mobile application has access to the user's geographical location.
  • Media

    Description: The mobile application has access to the mobile phone’s media (e.g. music or photos) in read and/or write mode.
  • Microphone

    Description: The mobile application can record audio using phone’s microphone.
  • NFC

    Description: The mobile application can use Near-Field Communications (NFC) reader.
  • Reminders

    Description: The mobile application has access to Calendar and Reminder data.
  • TV provider accounts

    Description: The mobile application has access to TV provider accounts.

Software Composition Analysis

The mobile application uses third-party libraries that may represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.

External Communications and Outgoing Traffic

A dedicated test reveals all remote hosts present in the source code of the mobile application, to which the application may connect to send or receive data when a specific event occurs (e.g. a user action).
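The outgoing-traffic check above, together with the "Usage of unencrypted HTTP protocol" finding, amounts to harvesting URL literals from the decoded application and grouping them by host and scheme. The function below is an added example written for this page, not ImmuniWeb's implementation: it takes a list of string constants (the sample list is constructed here, standing in for strings pulled from classes.dex or the app's resources), returns each remote host with the schemes it is used with, and lists the hosts reached over cleartext HTTP, which is where a reviewer should look first.

```python
"""Remote host inventory from an app's string constants (added example, not ImmuniWeb code)."""
import re
from collections import defaultdict

# Constructed sample strings, as if extracted from a decoded APK; none of these hosts is real.
SAMPLE_STRINGS = [
    "https://api.example-bank.test/v1/login",
    "http://legacy.example-bank.test/update.php",
    "https://cdn.example-analytics.test/sdk.js",
    "http://10.0.2.2:8080/debug",          # emulator loopback left over from development
    "content://com.example.provider/items",  # not a remote host: ignored
    "Please enter your PIN",
]

# scheme, host, optional port, optional path
URL_RE = re.compile(r"\b(https?)://([A-Za-z0-9.-]+)(?::(\d+))?(/[^\s\"'<>]*)?")


def extract_endpoints(strings):
    """Map each remote host to the set of URL schemes it is referenced with."""
    hosts = defaultdict(set)
    for text in strings:
        for match in URL_RE.finditer(text):
            scheme, host = match.group(1).lower(), match.group(2).lower()
            hosts[host].add(scheme)
    return dict(hosts)


def cleartext_hosts(strings):
    """Hosts contacted over plain HTTP: candidates for the unencrypted-HTTP finding."""
    return sorted(host for host, schemes in extract_endpoints(strings).items() if "http" in schemes)


if __name__ == "__main__":
    for host, schemes in sorted(extract_endpoints(SAMPLE_STRINGS).items()):
        print(f"{host}: {', '.join(sorted(schemes))}")
    print("cleartext:", cleartext_hosts(SAMPLE_STRINGS))
```

A host that appears with both schemes is worth a second look as well: a mixed entry usually means one code path still falls back to HTTP.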