12 Mobile App Scanner to Find Security Vulnerabilities

Test if your Mobile App has any security flaws and fixes them before it damages your business reputation.

Mobile usage is growing, and so are Mobile Apps. There are around 2 million apps on Apple App Store and 2.5 on Google Play. The latest research shows that 38% of iOS and 43% of Android apps had high-risk vulnerabilities.

There are multiple types of vulnerabilities, and some of the dangers are:

• Leaking personal user-sensitive data (email, credential, IMEI, GPS, MAC address) over the network
• Communication over the network with little or no encryption
• Having a world-readable/writable file
• Arbitrary code execution
• Malware

If you are the owner, the developer, then you should do all it takes to secure your mobile app.

There is plenty of security vulnerability scanner for the website, and the following should help you to find the security flaws in Mobile apps.

Some of the abbreviations used in this post.

• APK – Android Package Kit
• IPA – iPhone application archive
• IMEI – International mobile equipment identity
• GPS – Global positioning system
• MAC – Media access control
• API – Application Programming Interface
• OWASP – Open web application security project

App-Ray

Keep vulnerabilities at bay by using the security scanner by App-Ray. It can check your mobile applications from unknown sources and provides a reputation by integration with EMM-MDM/MAM. The scanner can detect threats before they harm your data and prevents you from installing malicious apps.

Integrate your applications with vulnerability analysis while building them. Their REST API lets you perform analysis automatically and elegantly. You can also trigger actions in case you detect any issue to prevent possible risks.

It leverages advanced and military-grade technologies to map data and analyze network traffic which includes encrypted communication as well.

App-Ray employs multiple analysis techniques – static as well as dynamic and behavior-based analysis. Static code analysis is employed for coding problems, encryption-related issues, data leaks, and anti-debugging techniques.

Similarly, dynamic and behavior-based analysis is done for instrumental and unmodified testing, accessing communication files, etc.

App-Ray supports iOS and Android platforms. Once the scan is done, you can see all the technical details and let you download the necessary files, including the PCAP file.

Astra Pentest

Scan and fix security weaknesses in your Android and iOS applications with Astra Pentest and secure them against any kind of vulnerability exploit, hacking attempt, or data breach.

Astra’s comprehensive hacker-style vulnerability scanner, automated and manual pentesting solution, while performing tests, consider every aspect of mobile application parameters, including its:

• Architecture and design
• Network communication and data processing
• Data storage and privacy
• Authentication and session management
• Misconfiguration errors in code or build settings

Astra’s constantly evolving vulnerability Penetration platform performs over 8000+ test cases to aid in the detection of vulnerabilities. The constantly evolving dashboard uses new intel about hacks and CVEs to scan the critical components of your mobile application, like APIs, business logic, and payment gateways.

Codified Security

Detect and quickly fix security issues using Codified. Just upload your app code and use the scanner to test it. It gives a detailed report highlighting security risks.

Codified is a self-serve security scanner. It means you are required to upload your app files into its platform. It is capable of integrating with delivery cycles seamlessly. You can create your rules for static analysis engines and set compliance levels as well.

Their security reports are professional and highlight clear details on all the risks associated with your mobile apps. It also shows a list of applicable actions that you can execute to prevent security breaches.

Codified supports IPA and APK uploads. It facilitates static, dynamic, and 3rd-party library tests.

Additionally, Codified integrates with Phonegap, Xamarin, and Hockey app and also supports Java, Swift, and Objective-C applications.

Mobile Security Framework

The automated and all-in-one mobile app – Mobile Security Framework (MobSF) can be used on Windows, iOS, and Android devices.

You can use the app for malware analysis, pen testing, security assessment, etc. It can perform both types of analysis – static and dynamic.

MobSF provides REST APIs so you can integrate your DevSecOps pipeline or CI/CD seamlessly. It supports mobile application binaries such as IPA, APK, and APPX in addition to zipped source codes. Using its dynamic analyzer, you can execute assessments for runtime security as well as instrumented testing.

Dexcalibur

Dexcalibur is a reverse engineering Android scanner that focuses on instrumentation automation.

The aim of Dexcalibur is to automate all those boring tasks associated with dynamic instrumentation including:

• Searching for some interesting things or patterns to hook
• Process the data a hook gathers such as a dex file, class loader, invoked method, etc.
• Decompile intercepted bytecodes
• Write hook codes
• Manage hook messages

Dexcalibur’s static analysis engine is capable of executing partial small pieces as well. Its purpose is to render the executed function. It can also render what function can be executed based on call stack depth or configuration value. It helps you to read cleaner bytecode versions by removing opaque and goto predicates that are useless.

StaCoAn

StaCoAn is a great tool that helps developers, ethical hackers, and bug-bounty hunters to perform static code analysis for mobile applications. This cross-platform tool analyzes lines written on a code containing API keys, API URLs, hardcoded credentials, decryption keys, coding errors, and so on.

The aim behind the creation of this tool was to provide better graphical guidance and usability in the user interface. At present, StaCoAn supports APK files only, and IPA files would be available soon.

As you can guess, it is open-source.

StaCoAn includes a drag-and-drop feature for your mobile app file so you can generate a portable and visual report. You can even customize wordlists and settings for a better experience. These reports are easy to browse through a decompiled application.

Using the “loot function”, you can bookmark valuable findings. You can also view all your findings on the provided page.

StaCoAn supports different file types such as Java, js, XML, and HTML files. Its database comes with a table viewer where you can search the database files for keywords.

Runtime Mobile Security

The powerful interface of Runtime Mobile Security (RMS) helps you in manipulating iOS and Android applications at runtime. Here, you can hook everything in no time, dump loaded classes, trace method arguments, and return a value, including custom scripts, etc.

At the moment RMS, they have tested it on macOS, and it supports devices including iPhone 7, web interface Chrome, Amazon Fire Stick 4K, and AVD emulator. It might support Linux and Windows with minor adjustments.

Using its API monitor, you can monitor multiple Android APIs that are categorized into 20 types. You can extend the support by adding extra methods or classes to the JSON file and even check native functions like open, close, write, read, remove, unlink, and so on.

A file manager is included so you can explore the private files of the application, and if needed, you can download them.

Ostorlab

Ostorlab lets you scan your Android or iOS app and give you detailed information on the finding.

You can upload the APK or IPA application file, and within a few minutes, you will have the security scan report.

Quixxi

Quixxi is focused on providing mobile analytics, mobile app protection & recovery of revenue loss. If you are just looking to do a vulnerability test, then you can upload your Android or iOS application file here.

The scan may take a few minutes, and once done, you will get a vulnerability report overview.

However, if you are looking for a comprehensive report, then you got to do a FREE registration on their website.

SandDroid

SandDroid performs static and dynamic analysis and gives you a comprehensive report. You can upload APK or zip files with a maximum of 50 MB.

SandDroid is developed by the Botnet research team & Xi’an Jiaotong University. It currently performs checks on the following.

• File size/hash, SDK version
• Network data, component, code feature, sensitive API, IP distribution analysis
• Data leakage, SMS, phone call monitor
• Risk behavior and score

QARK

QARK (Quick Android Review Kit) by LinkedIn helps you to find several Android vulnerabilities in source code and packaged files.

QARK is free to use and to install it requires Python 2.7+, JRE 1.6/1.7+ and tested on OSX/RHEL 6.6

Some of the following vulnerabilities are detectable by QARK.

• Tapjacking
• Improper x.509 certificate validation
• Eavesdropping
• The private key in the source code
• Exploitable WebView configurations
• Outdated API versions
• Potential data leakage
• and much more…

ImmuniWeb

An online Android and iOS app scanner by ImmuniWeb test application against OWASP mobile top 10 vulnerabilities.

It performs static and dynamic security tests and provides an actionable report.

You can download the report in PDF format, which contains the detailed analysis results.

Conclusion

I hope the above vulnerability scanners help you to check your mobile application security so you can fix any findings. If you are a security professional, you may be interested in learning Mobile penetration testing. Here are 8 tips for better mobile security.