Solar appScreener is a static app code analyzer capable of identifying vulnerabilities and undocumented features. Its distinctive feature is the ability to analyze not only source code, but also executables (i.e. binaries) and to return much better results than when using DAST. The analyzer can test apps written in 29 programming languages (and more on the way) or that have been compiled into an executable file with one of seven extensions, including those for Google Android, Apple iOS, and Apple macOS.
- Supported executable file formats: JAR/WAR (Java/Scala), DLL/EXE (C/C++), APK (Google Android), IPA (Apple iOS) and APP (Apple macOS).
The mobile app code can be tested simply by pasting the app link in Google Play or App Store to the analyzer, which may be considered as full mAST.
To detect vulnerabilities and undocumented features, Solar appScreener leverages 10+ analysis methods, including lexical, syntax, semantic, taint, constant propagation, type propagation, synonym and control flow graph analysis. Users can configure analysis settings, exclude some vulnerabilities, or start incremental analysis when only changed code segments are checked.
Software Composition Analysis (SCA) technology employed in Solar appScreener reveals the use of third-party components in codes written in some languages (freeware, ready-to-use codes from the Internet, modules, and libraries), while also identifying their names, versions, known vulnerabilities, and licenses.
Detected vulnerabilities and undocumented features are highlighted directly in the analyzed app code, even if found in executables (debug_info file not needed here). It is possible to compare test results of a project while taking account of any changes, which are usually made when writing code, with the relevant notification being emailed.
Solar appScreener employs Fuzzy Logic Engine, which is based on technological know-how and uses fuzzy set and fuzzy logic mathematical tools in order to minimize the number of both false positives and false negatives (vulnerabilities or undocumented features).
Eliminating vulnerabilities and undocumented features requires not only detection, but also the correct description of rules to exploit or fix them. Solar appScreener provides detailed advice on eliminating detected vulnerabilities and undocumented features, describes the ways they can be exploited, and recommends how to configure WAF. The Solar appScreener’s database of vulnerability and undocumented feature search rules is continuously updated by analyzer developers after R&D activities.
To enable Secure SDLC especially in the context of DevSecOps, Solar appScreener can be easily integrated with the Git repository and CI/CD servers, such as Jenkins and TeamCity, offering quick analysis for both source and binary codes. The solution can also be integrated with the Atlassian Jira issue tracking system, which monitors the process of eliminating vulnerabilities and undocumented features. Support for Microsoft Active Directory streamlines control over access to Solar appScreener in cases where multiple developers are present.
For interoperability with other systems and services, the analyzer offers an open API.
Please [email protected] for more information. Thank you.