Overview
AppSweep’s interactive analysis (IAST) feature offers deep security testing, but typically requires manual effort to fully explore the app’s functionality. However, IAST can easily be integrated with existing UI tests, with very little effort.
This article describes the necessary prerequisites, how to run IAST scans using the Guardsquare CLI, and how to obtain and process results.
Prerequisites
This article assumes that you already have an existing Android UI test suite, using a testing framework such as Appium. This article uses a simple test for the PIVAA app written in Python as an example, named pivaa_test.py, and its source code can be found in the collapsed section below.
import unittest
from appium import webdriver
from appium.webdriver.common.appiumby import AppiumBy
from appium.options.android import UiAutomator2Options
from time import sleep
class PivaaTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
"""Set up the Appium driver and desired capabilities."""
desired_caps = {
'platformName':
'Android',
'platformVersion':'13', # Adjust to your Android version
'deviceName': 'emulator-5554', # Name of the emulator/device
'app': '/path/to/pivaa-instrumented.apk', # Path to your APK file
'automationName': 'uiautomator2',
'appActivity': 'com.htbridge.pivaa.MainActivity',
"fullReset": True
}
options = UiAutomator2Options().load_capabilities(desired_caps)
#Set up Appium driver
cls.driver = webdriver.Remote('http://127.0.0.1:4723', options=options)
def test_click_button(self):
"""Test to click a button in the app."""
# Wait for the app to load
sleep(10)
username = self.driver.find_element(by=AppiumBy.ID, value="username")
password = self.driver.find_element(by=AppiumBy.ID, value="password")
username.clear()
password.clear()
username.send_keys("admin")
password.send_keys("hunter2")
button = self.driver.find_element(by=AppiumBy.ID, value="sign_in_button") #
Update to your actual element's accessibility ID
button.click()
# Wait for the activities to transition
sleep(5)
xss_button = self.driver.find_element(by=AppiumBy.ID, value="button_xss")
self.assertTrue(xss_button.is_displayed(), "XSS Button is not visible - did the login fail?")
@classmethod
def tearDownClass(cls):
"""Close the Appium driver."""
cls.driver.quit()
if __name__ == '__main__':
unittest.main()
In addition, make sure to have the Guardsquare CLI installed, as described in this article, as well as the jq utility (this article was tested with version 1.7), which comes pre-installed on most Linux systems.
Integrating IAST with existing tests
Automatically running your existing Appium tests with additional interactive analysis can be easily automated.
For example, the following shell script will
instrument an app,
run Appium tests,
run interactive analysis, and then
return an exit code depending on the finding numbers
#!/bin/bash
build_id=$(guardsquare scan pivaa-release-unshrunk.apk --format json | jq -r ".id")
guardsquare scan instrumented-app "$build_id" --wait --output "pivaa-instrumented.apk"
python3 pivaa_test.py # execute our existing UI tests. These would be your Appium tests.
guardsquare scan start-interactive-analysis "$build_id"
scan_result=$(guardsquare scan summary --format json --wait-for interactive "$build_id")
# Check if the count of high issues exceeds a given threshold
high_issues=$(echo "$scan_result" | jq -r ".high")
if [ "$high_issues" -gt 5 ]; then
echo "AppSweep found $high_issues high issues, which is above the threshold."
exit 1
else
exit 0
fi
In the following, this article will explain each step of the script individually:
guardsquare scan pivaa.apk
Using the build ID returned by this command, initiate instrumentation by running the following command:
guardsquare scan instrumented-app <build_id> --wait --output "pivaa-instrumented.apk"
This will deposit the instrumented APK at the given filename. If necessary, adjust your test code to account for the modified APK name, and run the Appium test just as normal:
python3 pivaa_test.py
Your existing UI test suite will now run normally, after which you can initiate and query the results of the scan with the following CLI commands:
guardsquare scan start-interactive-analysis <build_id>
guardsquare scan summary --wait-for interactive <build_id>
Processing the results
The integrated testing procedure above will output high-level AppSweep issue counts, such as the following for the PIVAA example:
Severity Count
High 6
Medium 5
Low 0
Several output formats are available.
For example, the script above uses the JSON output format, based on which a script can adjust its exit code to pass or fail a CI pipeline:
scan_result=$(guardsquare scan summary --format json --wait-for interactive <build_id>)
high_issues=$(echo "$scan_result" | jq -r ".high")
if [ "$high_issues" -gt 5 ]; then
echo "AppSweep found $high_issues high issues, which is above the threshold."
exit 1
else
exit 0
fi
For more sophisticated integration use cases, like retrieving individual issue details, locations, and other metadata, consider upgrading to AppSweep enterprise.