ImmuniWeb Community Edition - Mobile App Security Test
The ImmuniWeb® Community Edition is a collection of free online tools provided by ImmuniWeb SA pursuant to these Terms of Service for small and medium businesses, municipal and local governments, colleges and universities, students and individual software engineers, as well as other entities, to help them make their applications more secure, reduce their cyber risks and improve their cybersecurity posture, data protection and privacy practices.
Free Use Daily Limits
ImmuniWeb Community Edition provides free use of the Mobile App Security Test with the following daily limits:
Account type | Tests per day | Monthly subscription |
No Account | 2 | Free |
Free Account | 4 | Free |
For an increased number of daily tests, you can purchase an API key; its increased limits apply to the web interface as well.
Mobile App Security Test Scope and Coverage
The Mobile App Security Test is a free online tool to perform security and privacy tests of Android and iOS mobile apps.
The service can test mobile applications for the following platforms:
Android
- Native Applications
- Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
iOS
- Native Applications
- Hybrid Applications (Cordova, PhoneGap, React, Xamarin)
It promptly detects a wide spectrum of the most common weaknesses and vulnerabilities, including the OWASP Mobile Top 10, and provides a user-friendly report of the discovered issues.
We provide the following automated tests of the mobile application:
- Mobile Security Scan
- Behavior Testing for malicious functionality and privacy
- Software Composition Analysis
- Mobile Application Outgoing Traffic
Please note that the most dangerous vulnerabilities usually reside in the mobile backend (i.e. Web Services and APIs) and not in the application. Therefore, to complement your mobile security testing, we strongly encourage you to thoroughly test the backend via ImmuniWeb® MobileSuite.
How-To Test
Below are simple instructions on how to use the Mobile App Security Test for your Android and iOS applications.
All you need is a valid APK, AAB or IPA archive for the application.
Please follow the steps below:
- Click the "Choose file" button and select the APK, AAB or IPA; the file upload will start immediately.
- Once uploaded, the test will take approximately ten minutes, depending on application size and complexity, as well as our current system load.
- Once the test is finished, you will be provided with a detailed report. You can delete the report yourself just after the test.
Vulnerability Coverage for OWASP Mobile Top 10
During the scan, your mobile application will be tested for the following weaknesses and vulnerabilities:
OWASP Mobile Top 10
- M1: Improper Credential Usage
- M2: Inadequate Supply Chain Security
- M3: Insecure Authentication/Authorization
- M4: Insufficient Input/Output Validation
- M5: Insecure Communication
- M6: Inadequate Privacy Controls
- M7: Insufficient Binary Protections
- M8: Security Misconfiguration
- M9: Insecure Data Storage
- M10: Insufficient Cryptography
Behavioral
The Mobile App Security Test performs behavioral testing to detect when the mobile application tries to access some mobile application permissions.
Software Composition Analysis
The mobile application uses third-party libraries that may represent a security and privacy risk if they come from an untrusted source or are outdated. Trusted and commonly accepted libraries (e.g. Google SDK, Facebook SDK, Signal SDK) are not displayed.
External Communications and Outgoing Traffic
A specific test reveals all remote hosts present in the source code of the mobile application to which the application may connect to send or receive data when a specific event occurs (e.g. a user action).