App downloads continue to rise year over year: mobile app downloads totaled 230 billion in 2021, up 5% from 2020. More apps means more frequent attacks, fraud, and malware infections.
Mobile app security testing (MAST) is vital for preventing mobile security issues, and thanks to all those new downloads there is a large number of security testing tools to choose from. After sifting through dozens of MAST tools, we have outlined the features to consider and highlighted five tools that are worth a look. Each one includes unique features or functionality to help you build more secure apps with less manual testing.
What to look for in a mobile app security testing tool
If you want the most value out of your security testing as the mobile industry continues to grow, focus on three factors: deployment options, automation, and add-ons. These are the factors we recommend you weigh when reviewing potential mobile security testing solutions.
The right deployment option
Tools are deployed in one of two ways: in the cloud or on-premises. Vendors are often quick to say which form they offer, but sometimes that information is hard to find. Since organizations generally aren't flexible on this, spend time only on tools that can actually be deployed where you need them.
Automation with support
Most MAST tools offer some degree of continuous monitoring and notification, as well as automated testing; all the tools listed below include automation, for instance.
Similarly, many tools provide instructions for fixing the vulnerabilities they find, but not all of them offer the same level of support. Some tools create checklists for you and walk you through each fix. Others merely notify you of an issue and leave it to you to figure out what to do next. If your team has varying levels of testing experience, you will likely find the extra support paid tools offer worth the cost. But if you're an experienced developer who doesn't want to be told how to proceed, those extra hand-holding features can be a nuisance, and a leaner tool may suit you better.
Paid features that offer added value
Some tools can perform on-demand security tests or penetration testing in addition to their automated scans.
Free, open-source tools can help small teams with limited resources stretch their budgets, but there are trade-offs. Free and open-source tools typically provide less documentation than paid products, so if you're looking for a free tool, be prepared to lean on peers, mentors, and maybe a few forums when you're not sure what to do.
We’ve chosen five MAST tools, some free and some paid, with different strengths and features.
Free MAST tools for Android
AppSweep is built on ProGuard, the open-source Java optimizer from AppSweep's own developer, Guardsquare. It provides continuous monitoring and automated testing, plus a summary of any issues it finds and suggestions for fixing them.
AppSweep is surprisingly full-featured for a free tool, with features to flag redundancy issues and to deobfuscate class and method names using the mapping files your obfuscator produces. The whole tool integrates into your DevOps toolchain, including Bitrise. It only tests Android, though, so you'll need another tool for any iOS apps.
Quick Android Review Kit (QARK) is an open-source tool developed by LinkedIn. Over the years it has become one of the better-known Android testing tools available. QARK performs static analysis of either APK files or source code, looking for common Android security issues, and generates reports. It can also build a proof-of-concept APK and the ADB commands needed to exercise its findings on a connected device or emulator, so you can test the way that works for you.
As the name suggests, though, this tool is also Android-only.
Paid app security testing tools that can do it all
App-Ray works on both iOS and Android. It scans data flow and network traffic for security issues, checking for 80+ types of vulnerabilities in only minutes. It also analyzes third-party apps and SDKs, and each scan comes with a list of recommendations for strengthening security.
The test automation comes with customization options, such as prioritizing your most critical security concerns. You can deploy App-Ray on-premises or in the cloud without giving the vendor access to your source code: instead, App-Ray reverse engineers your compiled application using decompilation and disassembly.
App-Ray also integrates with Bitrise, helping you check and fix app security before release.
Mobile Secure by Data Theorem
Available for both iOS and Android, Mobile Secure is a well-rounded continuous monitoring tool for application security testing. Like many other paid solutions, Mobile Secure automates much of the work of security testing and includes continuous monitoring. Its "Analyzer Engine" runs static and dynamic scans, including back-end API security analysis, and auto-triages issues. The tool performs a runtime analysis of each binary build and scans third-party apps and SDKs.
Mobile Secure sends notifications for issues that need immediate attention, and it compiles reports that are accessed and stored in a web portal. Reports include suggestions for remediation.
The tool works without access to your source code. Customers can create three kinds of user profiles with different levels of access: manager, security, and developer. It's worth trying the free trial, and Mobile Secure integrates with Bitrise, too.
The NowSecure Platform can automate up to 80% of mobile security testing as you build your iOS or Android apps. The tool performs continuous static, dynamic, and interactive tests, and it also does API security analysis.
The software can be installed on-premises or in the cloud, and it can be used via a web app or an API, or integrated right into your pipeline. The user interface includes a portal with detailed reports and checklists with recommendations for fixing vulnerabilities. The tool prides itself on being easy to use and simple to learn, which makes it a good fit for teams with varying levels of testing experience.
NowSecure has another mobile application testing tool called NowSecure Workstation. Like Platform, Workstation includes automated testing, but it’s geared toward pen testers, with features focused primarily on reducing the time it takes to complete pen testing.
And, like many of the tools we’ve highlighted above, NowSecure integrates with your Bitrise workflow.
Simplify your security testing workflow with Bitrise
Most of the tools we mentioned above integrate with Bitrise. That's no accident. Bitrise has over 300 pre-made steps for building app development workflows for your team. If you're not already using a workflow tool that automates and maintains your pipeline, it's time for that to change.
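As an added example (not a workflow from this page or from any of the vendors above), here is a minimal bitrise.yml that builds an Android release APK and runs the free QARK scanner against it before the artifact is deployed. The step versions, the use of pip to install QARK, and the QARK CLI flags (--apk, --report-type, --report-path in qark 4.x) are assumptions; check them against the current step library and QARK docs before relying on them.

```yaml
# Added example: build an Android APK, scan it with QARK, then deploy the
# artifacts (including the scan report). Step versions and CLI flags are
# assumptions; verify them against the Bitrise step library and QARK docs.
format_version: "11"
default_step_lib_source: https://github.com/bitrise-io/bitrise-steplib.git

workflows:
  build-and-scan:
    steps:
    - git-clone@8: {}
    - android-build@1:
        inputs:
        - project_location: $BITRISE_SOURCE_DIR
        - module: app
        - variant: release
    - script@1:
        title: Static scan with QARK
        inputs:
        - content: |
            #!/usr/bin/env bash
            set -euo pipefail
            # android-build exports the APK path; refuse to continue without it
            [ -f "$BITRISE_APK_PATH" ] || { echo "No APK at $BITRISE_APK_PATH"; exit 1; }
            pip3 install --quiet qark
            # Write the JSON report into the deploy dir so it is kept as a build artifact
            qark --apk "$BITRISE_APK_PATH" \
                 --report-type json \
                 --report-path "$BITRISE_DEPLOY_DIR"
    - deploy-to-bitrise-io@2: {}
```

This step only produces the report. If you want the workflow to fail when QARK reports a finding above some severity, add a small script after the scan that parses the JSON report and exits non-zero; a scanner in the pipeline that nobody reads is not a security control.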
Learn more about how Bitrise Steps can save your organization time and money setting up and maintaining workflows.