7 services for finding mobile application vulnerabilities

Check if there are any weak points in the security system of your mobile application and fix them before they damage your reputation.

According to the latest research from NowSecure in more than 25% of mobile applications there is at least one critically dangerous vulnerability.
')
In 59% of financial apps for Android, there are three vulnerabilities in the OWASP Top 10 list.

The more mobile phones are used, the more mobile applications appear. More than 2 million applications are available in the Apple App Store, and more than 2.2 million in the Google Play Store.

There are many types of vulnerabilities, the most critical of which include:

• leak of personal or confidential information of users in the network (email, credentials, IMEI, GPS, MAC-address);
• information exchange on the network without encryption or with insufficient encryption;
• the file is readable or writable by any person;
• arbitrary code execution;
• malware.

If you are the owner or developer of the application, you must do everything to ensure the security of your mobile application. There are many tools for searching for site vulnerabilities , and the information below will help you find the security weaknesses of a mobile application.

The article uses the following abbreviations:

• APK - archive file format for Android applications (Android Package Kit);
• IPA - the format of archive file applications for the iPhone (English iPhone application archive);
• IMEI - international mobile equipment identifier (eng. International mobile equipment identity);
• GPS - global positioning system (Global positioning system);
• MAC - Media Access Control;
• API - application programming interface (eng. Application Programming Interface);
• OWASP is an open web application security project.

Tools for finding Android or iOS application vulnerabilities:

1. Ostorlab
2. Appvigil
3. Quixxi
4. AndroTotal
5. Akana
6. Nviso
7. Sanddroid

1. Ostorlab

Ostorlab will allow you to check the application on Android or iOS and get a detailed report on the results of the check. Download your application file in the APK or IPA format and after a few minutes the security report will be ready.



Maximum file size for upload to check 60 Mb. However, if the size of your application exceeds 60Mb, you can contact Ostorlab experts to place the file via an API request.

It is based on open source software such as Androguard and Radare2. I advise you to check your mobile application for free with Ostorlab.

2. Appvigil

Find all the security gaps in your mobile app using Appvigil and get a detailed vulnerability report in minutes.

With Appvigil, you will receive not only a description of possible threats, but also recommendations on how to fix a vulnerability for a quick fix. No programs need to be installed, since everything is processed in the Appvigil cloud.



After you upload the APK or IPA files, a static and dynamic analysis of the application (Android / iOS) is performed, including for the presence of a vulnerability from the OWASP Top-10 list.

3. Quixxi

Quixxi is designed to get mobile analytics, protect mobile applications and restore potential revenue. If you just need to check the application for vulnerabilities, then download the Android or iOS application file here .



To check it takes a few minutes. After completing the check, you will have a brief vulnerability report. If you need a full report, you need to register on the site. It's free.

4. AndroTotal

As the name suggests, AndroTotal is only suitable for working with Android applications. AndroTotal checks the APK file for viruses and malicious code, comparing the results of the following antivirus programs:

• McAfee ;
• TrustGo;
• ESET;
• Comodo;
• AVG;
• Avira;
• Bitdefender;
• Qihoo.

If you need to quickly check the APK files for viruses, then AndroTotal is a good solution.

5. Akana

Akana is an interactive tool for analyzing Android applications. Akana checks the application for malicious code and displays information about the results.



The check is free, so try and see if there is any malicious code in your Android application.

6. NVISO

Nviso APKSCAN is another handy web-based tool for checking your application for malicious code. Results may not be ready immediately, it depends on your place in the queue. You can leave your email and get notified when the report is ready.

I checked the layout of my application using Nviso and saw that the following was checked:

• disk activity;
• virus scan;
• network traffic;
• the possibility of making a phone call, sending SMS;
• cryptographic activity;
• data leakage.

7. SandDroid

SandDroid conducts static and dynamic analysis and generates a full report. You can download an APK file or a zip file of no more than 50 Mb.



SandDroid is developed by the Botnet Research Group and Sian Transport University. The following is checked:

• file size / hash, SDK version;
• network data, components, coded properties, vulnerable API, IP analysis;
• data leaks, SMS, phone call tracking;
• threat behavior and probability of threat.

Request a report and evaluate the security of your application.

I hope the tools for checking the vulnerability will help you check the security of the mobile application and fix the problems found.

If you have your own site, then you may be interested in the possibility of automatically checking the site for vulnerabilities.

I hope that you will also be interested in the ability to search for virtual servers and virtual hosting at the Hosting Cafe .