Run an Android Mobile Scan

Upload the APK file. It must be signed.

About this task

Support:
  • Android versions up to 10 are supported.
  • Both Standard Java apps and Kotlin apps are supported.
Limitations:
  • If the APK file requires a specific mobile device (vendor), scanning might not be possible.
  • Apps with a root check are not supported.
  • Apps that require MDM (mobile device management) software to be installed on the mobile device are not supported.
  • Xamarin apps are not supported.
  • Widgets are not supported.
Tip: Before you upload your APK file, make sure it can be installed on a mobile device.
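A pre-upload check that the APK actually carries a signature, added here as an example that is not part of the AppScan documentation: it reads the ZIP structure for v1 (JAR) signature entries and for the APK Signing Block trailer used by v2/v3 signatures. The sample APKs are constructed inside the script and are not real apps.

```python
import io
import struct
import zipfile
SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # 16-byte trailer of the APK Signing Block (v2/v3)
V2_BLOCK_ID = 0x7109871A                # pair ID used by APK Signature Scheme v2

def _eocd_and_cd_offset(data: bytes):
    """Locate the End of Central Directory record and the central directory offset."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK file: EOCD record missing")
    return eocd, struct.unpack("<I", data[eocd + 16:eocd + 20])[0]

def apk_signature_schemes(data: bytes) -> set:
    """Return the signature scheme evidence present: a subset of {'v1', 'v2/v3'}."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # v1 (JAR signing): a META-INF/*.SF file plus a *.RSA / *.DSA / *.EC signature entry
    meta = [n for n in names if n.startswith("META-INF/")]
    if any(n.endswith(".SF") for n in meta) and \
       any(n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC") for n in meta):
        found.add("v1")
    # v2/v3: the signing block ends (8-byte size + 16-byte magic) right before the central directory
    _, cd = _eocd_and_cd_offset(data)
    if cd >= 24 and data[cd - 16:cd] == SIG_BLOCK_MAGIC:
        found.add("v2/v3")
    return found

def build_sample_apk(v1: bool, v2: bool) -> bytes:
    """Constructed sample (not a real app): minimal entries plus optional signature structures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        if v1:  # placeholder JAR-signing files; contents are not real digests or certificates
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82placeholder")
    data = buf.getvalue()
    if not v2:
        return data
    eocd, cd = _eocd_and_cd_offset(data)
    pair = struct.pack("<QI", 4 + 8, V2_BLOCK_ID) + b"\0" * 8     # length covers ID + dummy value
    size = len(pair) + 8 + 16                                    # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    out = data[:cd] + block + data[cd:]                          # insert block before the CD
    eocd += len(block)                                           # EOCD moved by the same amount
    return out[:eocd + 16] + struct.pack("<I", cd + len(block)) + out[eocd + 20:]
```

This only detects that signature structures are present; for an authoritative check of the signature itself, run `apksigner verify --print-certs <file>.apk` from the Android SDK build tools, then install the APK on a test device as the tip above recommends.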

Procedure

  1. If your app connects to a back-end server that is not available on the Internet ("private app") and an AppScan Presence does not yet exist on that server: Create an AppScan Presence.
  2. If you have not yet done so: Create an application for your scans.
  3. In the Application, click Create Scan to open the wizard, then click Mobile Analysis to start configuring your scan.
  4. Upload File tab: Drag-and-drop your APK file into the gray area (or Click to select the file), then click Next.
  5. Login tab: If your app requires users to log in, select Yes and enter a valid user name and password, so that ASoC is able to log in to the app to test it.
    You can also optionally enter a third credential, if needed, for example: PIN# = 1234
    Tip: Use test credentials rather than the credentials of an actual user.
  6. Advanced Mode (Optional): To configure a scan for a private network, or if you want the scan to run as a Personal scan, turn on Advanced Mode at the bottom of the dialog.
    1. Private Network tab: Click the Private Network radio button and then select your presence from the list of connected presences.
      Note: If an AppScan Presence has not yet been created, you can create it now by clicking the AppScan Presences page link, and referring to Creating the AppScan Presence.
    2. Preferences tab: You can opt to run your scan as a Personal Scan whose security issues will not be added to the issues for the application as a whole. You can also deselect the default option that sends you an email when the scan completes.
  7. Click Review and Scan to proceed to the summary dialog.
  8. You can optionally edit the default name that was given to the scan (the APK file name with a date and time stamp).
  9. Click Scan Now.

Results

The new scan is added to the Scans view with its starting time, and a progress bar indicates that the scan is running. When the scan is complete the progress bar closes, the results are summarized in a graph, and (if selected) you receive an email notification. See Working with Scan Results.
Note: Free plan scans are limited to four hours in length, so large or complex apps may not be completely covered by such scans.