Test whether your mobile app has any security flaws and fix them before they damage your business reputation.
The latest research by NowSecure shows that 25% of mobile apps contain at least one high-risk security vulnerability.
59% of finance apps on Android had three OWASP Mobile Top 10 risks.
Mobile usage is growing, and so are mobile apps. There are more than 2 billion apps in the Apple App Store & 2.2 million in the Google Play Store.
There are multiple types of vulnerabilities, and some of the dangers are:
- Leaking sensitive personal user data (email, credentials, IMEI, GPS, MAC address) over the network
- Communicating over the network with little or no encryption
- Having world-readable/writable files
- Arbitrary code execution
If you are the owner or the developer, then you should do all it takes to secure your mobile app.
There are plenty of security vulnerability scanners for websites, and the following should help you find the security flaws in mobile apps.
Some of the abbreviations used in this post:
- APK – Android Package Kit
- IPA – iPhone application archive
- IMEI – International mobile equipment identity
- GPS – Global positioning system
- MAC – Media access control
- API – Application Programming Interface
- OWASP – Open Web Application Security Project
Android/iOS App Vulnerability Scanner
Ostorlab lets you scan your Android or iOS app and gives you detailed information on the findings.
You can upload the APK or IPA application file, and within a few minutes you will have the security scan report.
The maximum size of an app file you can upload to be scanned is 60 MB. However, if your app is larger than 60 MB, then you may contact them to upload it through an API call.
It is based on open-source tools like Androguard and Radare2. It would be good to scan your mobile application for FREE with Ostorlab.
Find the security loopholes in your mobile app with Appvigil and get an in-depth vulnerability report in minutes.
With Appvigil, you get not just the details of a safety hazard but also a patch recommendation, so you can fix it immediately.
You don’t need to install any software, as everything is done in the Appvigil cloud.
Once you upload the APK or IPA file, it performs static and dynamic analysis on your app (Android/iOS), including checks for the OWASP Mobile Top 10 vulnerabilities.
Quixxi is focused on providing mobile analytics, mobile app protection & recovery of lost revenue. If you are just looking to do a vulnerability test, then you can upload your Android or iOS application file there.
The scan may take a few minutes, and once it is done you will get a vulnerability report overview.
However, if you are looking for the comprehensive report, then you have to do a FREE registration on their website.
As the name indicates, this one is applicable only to Android apps. AndroTotal scans APK files for viruses & malware. It checks against the following anti-virus engines.
If you are looking for a quick checkup of your APK files for viruses, then an AndroTotal scan would be the quick win.
Akana is an interactive analysis tool for Android apps. Akana checks your app for malicious code and gives you a nice summary of your app.
It’s free, so go ahead and give it a try to see if your Android app has any malicious code.
Nviso APKSCAN is another handy online tool to scan your app for malware. Getting scan results may take time depending on the queue, so you can enter your email address to get a notification once the scan report is available.
I checked my dummy application with Nviso and could see it tested the following.
- Disk activity
- Virus lookup
- Network activity
- Can place a phone call, send SMS or not
- Cryptographic activity
- Information leakage
SandDroid performs static and dynamic analysis and gives you a comprehensive report. You can upload an APK or zip file of up to 50 MB.
SandDroid is developed by the Botnet Research Team at Xi’an Jiaotong University. It currently performs checks on the following.
- File size/hash, SDK version
- Network data, component, code feature, sensitive API, IP distribution analysis
- Data leakage, SMS, phone call monitor
- Risk behavior and score
Take a look at a sample scan report to get an idea.
QARK (Quick Android Review Kit) by LinkedIn helps you find several Android vulnerabilities in source code and packaged files.
QARK is free to use; installing it requires Python 2.7+ and JRE 1.6/1.7+, and it has been tested on OSX/RHEL 6.6.
Some of the vulnerabilities detectable by QARK:
- Improper X.509 certificate validation
- The private key in the source code
- Exploitable WebView configurations
- Outdated API versions
- Potential data leakage
- and much more…
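To make the QARK finding categories above concrete, here is an added example (written for this post, not QARK's own code) of the kind of static check such a tool runs: a small Python scanner that walks Java source and the Android manifest line by line and flags a private key embedded in the source, an X509TrustManager whose checkServerTrusted body is empty, a WebView that allows file:// URL access, and an addJavascriptInterface call in an app whose minSdkVersion predates API 17 (where the @JavascriptInterface annotation is not yet enforced). The regexes, rule names, the NetClient.java sample and the manifest sample are all constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    rule: str      # short rule name
    file: str      # which scanned file the hit is in
    line: int      # 1-based line number within that file
    snippet: str   # offending line, stripped


# Line-level patterns, one per finding category QARK lists. These regexes are
# assumptions written for this example; QARK's own rules are far more thorough.
LINE_RULES = [
    ("private_key_in_source",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----")),
    ("x509_validation_disabled",          # checkServerTrusted with an empty body
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    ("hostname_verification_disabled",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("webview_file_url_access",
     re.compile(r"setAllow(?:Universal|File)AccessFromFileURLs\s*\(\s*true\s*\)")),
    ("webview_js_interface",              # only a finding on old minSdkVersion
     re.compile(r"\baddJavascriptInterface\s*\(")),
]

MIN_SDK_RE = re.compile(r'android:minSdkVersion\s*=\s*"(\d+)"')
JS_INTERFACE_SAFE_API = 17  # @JavascriptInterface is enforced from API 17 on


def scan_java(source: str, name: str = "NetClient.java") -> List[Finding]:
    """Apply every line rule to every line of one Java source file."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(rule, name, no, line.strip()))
    return findings


def min_sdk(manifest: str) -> Optional[int]:
    """Return the declared minSdkVersion, or None if the manifest has none."""
    m = MIN_SDK_RE.search(manifest)
    return int(m.group(1)) if m else None


def scan_app(source: str, manifest: str) -> List[Finding]:
    """Combine source and manifest checks. The JavaScript-interface hit is
    reported only when minSdkVersion is below 17; an old minSdkVersion is
    itself reported as an outdated API version."""
    findings = scan_java(source)
    sdk = min_sdk(manifest)
    if sdk is None or sdk >= JS_INTERFACE_SAFE_API:
        findings = [f for f in findings if f.rule != "webview_js_interface"]
    else:
        for no, line in enumerate(manifest.splitlines(), start=1):
            if MIN_SDK_RE.search(line):
                findings.append(Finding("outdated_min_sdk", "AndroidManifest.xml",
                                        no, line.strip()))
    return findings


# Constructed sample input: a deliberately weak network/WebView helper class.
SAMPLE_JAVA = """\
package com.example.app;

public class NetClient {
    private static final String KEY =
        "-----BEGIN RSA PRIVATE KEY-----\\nMIIBOgIBAAJBAK...\\n-----END RSA PRIVATE KEY-----";

    static TrustManager[] TRUST_ALL = new TrustManager[]{ new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String auth) { }
        public void checkClientTrusted(X509Certificate[] chain, String auth) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }};

    void configure(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccessFromFileURLs(true);
        wv.addJavascriptInterface(new Bridge(), "android");
    }
}
"""

# Constructed sample manifest declaring a minSdkVersion below 17.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19" />
</manifest>
"""

if __name__ == "__main__":
    for f in scan_app(SAMPLE_JAVA, SAMPLE_MANIFEST):
        print(f"{f.file}:{f.line}: {f.rule}: {f.snippet}")
```

Running the block prints five findings for the sample: the embedded key, the empty checkServerTrusted body, the file-URL WebView setting, the JavaScript interface, and the minSdkVersion of 14. Raising minSdkVersion to 17 or higher drops the last two, which is exactly the "outdated API versions" dependency QARK's WebView checks have: the same addJavascriptInterface call is a defect or not depending on the platform floor the manifest declares.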
Mobile App Scanner
An online Android and iOS app scanner by High-Tech Bridge tests applications against the OWASP Mobile Top 10 vulnerabilities.
It performs static and dynamic security tests and provides an actionable report.
You can download the report in PDF format, which contains the detailed analysis results.
I hope the above vulnerability scanners help you check your mobile application's security and fix any findings.
You may also be interested in learning Mobile penetration testing.