Overview
AppSweep’s interactive analysis (IAST) enables further security testing of application functionality.
This guide explains how it can be integrated with existing UI tests with minimal effort to streamline testing.
Prerequisites
- You should already have an existing Android UI test suite, using a testing framework such as Appium. This article uses a simple Python test for the PIVAA app: pivaa_test.py (see code below).
- Install the Guardsquare CLI.
- Install the jq utility (this article was tested with version 1.7).
pivaa_test.py
import unittest
from appium import webdriver
from appium.webdriver.common.appiumby import AppiumBy
from appium.options.android import UiAutomator2Options
from time import sleep


class PivaaTest(unittest.TestCase):
    @classmethod
    def setUpClass(cls):
        """Set up the Appium driver and desired capabilities."""
        desired_caps = {
            'platformName': 'Android',
            'platformVersion': '13',  # Adjust to your Android version
            'deviceName': 'emulator-5554',  # Name of the emulator/device
            'app': '/path/to/pivaa-instrumented.apk',  # Path to your APK file
            'automationName': 'uiautomator2',
            'appActivity': 'com.htbridge.pivaa.MainActivity',
            'fullReset': True
        }
        options = UiAutomator2Options().load_capabilities(desired_caps)
        # Set up the Appium driver
        cls.driver = webdriver.Remote('http://127.0.0.1:4723', options=options)

    def test_click_button(self):
        """Test to click a button in the app."""
        # Wait for the app to load
        sleep(10)
        username = self.driver.find_element(by=AppiumBy.ID, value="username")
        password = self.driver.find_element(by=AppiumBy.ID, value="password")
        username.clear()
        password.clear()
        username.send_keys("admin")
        password.send_keys("hunter2")
        # Update to your actual element's accessibility ID
        button = self.driver.find_element(by=AppiumBy.ID, value="sign_in_button")
        button.click()
        # Wait for the activities to transition
        sleep(5)
        xss_button = self.driver.find_element(by=AppiumBy.ID, value="button_xss")
        self.assertTrue(xss_button.is_displayed(), "XSS Button is not visible - did the login fail?")

    @classmethod
    def tearDownClass(cls):
        """Close the Appium driver."""
        cls.driver.quit()


if __name__ == '__main__':
    unittest.main()
Integrating IAST with existing tests
Running your existing Appium tests together with interactive analysis is easy to automate. For example, the following shell script will:
1. instrument an app,
2. run the Appium tests,
3. run interactive analysis, and
4. return an exit code based on the number of findings.
#!/bin/bash
# Abort on any failed command or unset variable, including failures inside pipelines
set -euo pipefail

# Retrieve the build ID from the scan
build_id=$(guardsquare scan pivaa-release-unshrunk.apk --format json | jq -r ".id")

# Initiate instrumentation
guardsquare scan instrumented-app "$build_id" --wait --output "pivaa-instrumented.apk"

# Execute the UI tests. These would be your Appium tests.
python3 pivaa_test.py

# Initiate and query the results of the scan
guardsquare scan start-interactive-analysis "$build_id"
scan_result=$(guardsquare scan summary --format json --wait-for interactive "$build_id")

# Check if the count of high issues exceeds a given threshold
high_issues=$(echo "$scan_result" | jq -r ".high")

# Fail closed if the count is missing or not a number (e.g. jq printed "null"):
# otherwise the numeric comparison below errors out and the script would exit 0
if ! [[ "$high_issues" =~ ^[0-9]+$ ]]; then
    echo "Could not read the high issue count from the scan summary."
    exit 2
fi

if [ "$high_issues" -gt 5 ]; then
    echo "AppSweep found $high_issues high issues, which is above the threshold."
    exit 1
else
    exit 0
fi
Processing the results
The integrated testing procedure above will output high-level AppSweep issue counts:

Severity   Count
High       6
Medium     5
Low        0
The script above uses the JSON output format, based on which a script can adjust its exit code to pass or fail a CI pipeline:

scan_result=$(guardsquare scan summary --format json --wait-for interactive <build_id>)
high_issues=$(echo "$scan_result" | jq -r ".high")

# Fail closed if the count is missing or not a number (e.g. jq printed "null")
if ! [[ "$high_issues" =~ ^[0-9]+$ ]]; then
    echo "Could not read the high issue count from the scan summary."
    exit 2
fi

if [ "$high_issues" -gt 5 ]; then
    echo "AppSweep found $high_issues high issues, which is above the threshold."
    exit 1
else
    exit 0
fi
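The same gate written in Python, as an added example that is not part of Guardsquare's CLI or this article's original scripts: it applies a threshold per severity and returns a distinct exit code when the summary cannot be parsed or a count is missing, so a malformed summary fails closed instead of passing the pipeline. The `.high` key comes from the jq filter above; that `medium` and `low` appear as sibling keys is an assumption based on the summary table.

```python
import json
import sys

# Maximum number of issues tolerated per severity before the pipeline fails.
# "high" matches the page's jq filter; "medium" is an assumed sibling key.
DEFAULT_THRESHOLDS = {"high": 5, "medium": 20}

# Constructed sample in the shape the jq filter (.high) implies, using the
# counts from the summary table above (assumed key names for medium/low).
SAMPLE_SUMMARY = '{"high": 6, "medium": 5, "low": 0}'


def evaluate_summary(summary_json, thresholds=None):
    """Return (exit_code, messages) for a `guardsquare scan summary --format json` result.

    Exit codes: 0 = within thresholds, 1 = a threshold was exceeded,
    2 = summary unusable (unparseable, not an object, or a count missing
    or non-numeric). Code 2 keeps the gate fail-closed.
    """
    thresholds = DEFAULT_THRESHOLDS if thresholds is None else thresholds
    try:
        summary = json.loads(summary_json)
    except (TypeError, ValueError) as exc:
        return 2, [f"could not parse scan summary: {exc}"]
    if not isinstance(summary, dict):
        return 2, ["scan summary is not a JSON object"]

    exit_code, messages = 0, []
    for severity, limit in thresholds.items():
        count = summary.get(severity)
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(count, int) or isinstance(count, bool):
            return 2, [f"no numeric '{severity}' count in scan summary"]
        if count > limit:
            exit_code = 1
            messages.append(
                f"AppSweep found {count} {severity} issues, "
                f"which is above the threshold of {limit}."
            )
    return exit_code, messages


if __name__ == "__main__":
    # Pipe the CLI output in, e.g.:
    #   guardsquare scan summary --format json --wait-for interactive "$build_id" | python3 gate.py
    # Without piped input, the constructed sample is evaluated instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY
    code, msgs = evaluate_summary(data)
    for msg in msgs:
        print(msg)
    sys.exit(code)
```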
For more sophisticated integration use cases, like retrieving individual issue details, locations, and other metadata, consider upgrading to AppSweep enterprise.