AppSweep is a mobile security testing tool that identifies vulnerabilities within Android and iOS apps by using static and dynamic analyses.
This page provides an overview of AppSweep's core components, features, and functionality, as well as the basics of navigation through the product.
Scan Result
After uploading an Android app (in .apk, .aab, or .aar format) or an iOS app (in .ipa, .xcarchive, or .xcarchive.zip format), you will be able to check the scan result with the vulnerabilities we have found in the application.
The different available reports provide different views on the findings; for example, you can see the findings classified by their OWASP MASVS category.
You can apply filters to select just the findings you are interested in. For example, you can filter the findings based on their severity, analysis type, or other parameters.
Findings detected by the scan
Sharing the scan result
The findings that AppSweep produces are displayed only to you and the colleagues who are part of your team. You can also obtain a link to your build results by using the sharing function:
By default, the link you receive only works if you are part of the team.
The build can also be shared using a public link based on a randomly generated UUID, which lets you share the build results with users who do not have an AppSweep account.
Findings in dependencies
In addition to scanning your code, AppSweep also analyzes third-party libraries and dependencies used by the app.
AppSweep’s UI provides options to visualize only the information you are interested in, including showing findings just for selected third-party code.
Report on dependencies with indications of the number of findings identified in each library
Package structure (Android only)
Filtering options for dependencies
This is how the report on dependencies looks in an iOS app:
Suppressing findings
You can suppress findings that you think are not relevant for your application; we will not show them in future scans.
Suppressions can be visualized and removed from the app settings:
Analysis techniques
In AppSweep we use two main analysis techniques. Here is a short summary of them; you can find further information in this document.
Static Analysis (SAST)
AppSweep’s static analysis evaluates the app’s compiled code without executing it. This allows us to detect a wide range of problems in the app, such as hardcoded secrets, misconfiguration of sensitive components, and dangerous dataflows.
SAST is available for both Android and iOS applications.
Interactive Analysis (IAST)
AppSweep’s interactive analysis evaluates data collected during the app execution. This allows us to detect vulnerabilities which are relevant in real runtime scenarios with higher reliability.
After the static analysis phase, AppSweep provides an instrumented version of your app, which you need to install on your device or emulator and interact with in order to collect the data needed for the analysis.
Currently, IAST is available only for Android applications.
Integrations
AppSweep seamlessly integrates into your development workflow through the Guardsquare Command Line Interface (CLI), enabling automation in your CI/CD pipeline.
Example CI/CD integrations:
You can also integrate IAST with existing UI tests.
AppSweep Enterprise
The AppSweep Enterprise tier includes several features tailored to the needs of larger teams and organizations. These include:
Enhanced CLI for integration
Single Sign-On (SSO)
Automated data retention policies
Web-based support
Support for larger apps (up to 1 GB)
Downloadable PDF report
Here you can find more information about AppSweep Enterprise features.