ℹ️ This AppSweep feature is only available for Android applications
You've uploaded your Android app, either manually or automatically via the AppSweep CI/CD integration, and you are now reviewing the reported vulnerabilities when you notice a new feature: Interactive Application Security Testing.
What is the feature? What can it do for me/my team? How do I use it?
What is Interactive Application Security Testing (IAST)?
Interactive Application Security Testing is a technique to analyze application behavior while it's being executed at runtime. It is a form of dynamic testing that relies on instrumentation to observe the application while it is being run.
This new analysis technique is now available in AppSweep for your Android apps, on top of the existing static analysis and the advanced data-flow analysis.
What do I gain by performing Interactive Application Security Testing?
First of all, this new technique allows AppSweep to uncover findings that static analysis alone cannot produce: it detects vulnerabilities in Android apps that are only observable at runtime.
One specific example of a new finding is uncovering vulnerabilities in token-based authentication (JWT).
Other interesting findings you might identify during testing are the reuse of random number generator (RNG) seeds, or secrets appearing in your app's web traffic.
Another insight Interactive Analysis gives you is visibility into the network communications your app makes; we represent these communications as a visual map. While you may know which communications to expect from your own code, you may be surprised to learn what communications the third-party libraries you rely upon are making. This is valuable when you need to comply with specific regulations or standards for your app.
Interactive Analysis also enhances the static analysis findings of AppSweep. More specifically, AppSweep can now verify the following vulnerabilities at application runtime with more precision:
Debuggable web views
Cleartext communications
Insecure ciphers and randomness
Outdated TLS versions
How Interactive Application Security Testing Works
To get started, you need a testing device or an emulator at hand.
First, you need to complete a static scan of your Android app by uploading it. Remember that interactive analysis is a new feature and only appears for newly created builds (not builds you uploaded before the feature became available).
During the static scan, AppSweep automatically instruments the Android app and gives you a way to download the instrumented version of your app (via a QR code or a download link).
Once you scan the QR code for the instrumented app, you will be prompted to download the app onto your testing device or emulator.
Important: delete any existing version of the app from your testing device before installing the instrumented version, or you may receive an error during installation.
Once the app is installed, use it as you normally would. The more you explore and exercise the application on the device or emulator, the more functions are covered by the analysis. You can test as extensively as you wish: the more coverage you provide, the more complete the analysis will be. Testing can be done manually or through automation if you already have a test automation infrastructure for your app.
Once you have tested your app sufficiently, press the "Start Analysis" button to start the analysis and retrieve the updated results.
Interactive results are displayed on the build page, and you can use the filters to check whether new dynamic findings were introduced.
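The device-side steps above (remove the existing install, install the instrumented build, exercise as much of the app as possible) lend themselves to a small script. The following is an added example written for this guide, not AppSweep's own tooling: it uses adb to check whether the package is already installed, uninstalls it if so, installs the instrumented APK, and then drives coverage with the Android monkey tool. The package name com.example.app, the APK path ./app-instrumented.apk and the RUN_ON_DEVICE variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not AppSweep's own code): prepare a test device or emulator
# for an AppSweep-instrumented build and drive automated coverage.
# Assumed values: package com.example.app, APK ./app-instrumented.apk, adb on PATH.
set -eu

ADB="${ADB:-adb}"

# Read `pm list packages` output on stdin and succeed only if the exact
# package id is present. `pm list packages <name>` matches substrings, so an
# exact line match avoids mistaking com.example.appx for com.example.app.
package_listed() {
    pkg="$1"
    grep -qxF "package:$pkg"
}

# Remove any existing copy of the app first (the guide notes that installing
# the instrumented build over an existing install can fail), then install.
prepare_device() {
    pkg="$1"
    apk="$2"
    if "$ADB" shell pm list packages "$pkg" | package_listed "$pkg"; then
        "$ADB" uninstall "$pkg"
    fi
    "$ADB" install "$apk"
}

# Exercise the app automatically so more code paths are covered before
# pressing "Start Analysis". Manual exploration can follow or replace this.
exercise_app() {
    pkg="$1"
    events="${2:-2000}"
    "$ADB" shell monkey -p "$pkg" --throttle 100 -v "$events"
}

# Only touch a device when explicitly requested, so the functions above can be
# sourced and tested without adb present.
if [ "${RUN_ON_DEVICE:-0}" = "1" ]; then
    prepare_device com.example.app ./app-instrumented.apk
    exercise_app com.example.app 2000
fi
```

Run it with RUN_ON_DEVICE=1 against a connected device or emulator; adjust the package name, APK path and event count to your app. The monkey run only gives breadth, so screens behind logins or specific flows still need your own instrumented UI tests or manual testing.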
If you still have questions or feedback, feel free to ping us in the chatbot 💬