At Guardsquare, we’ve created an open-source Gradle plugin, published in the Gradle plugin repository, that simplifies integrating our developer-focused mobile application security testing (MAST) tool, AppSweep, into your Android project. The result? Automated security scans that shift security left and catch vulnerabilities earlier. Let’s take a deeper look at AppSweep, our AppSweep Gradle plugin, and how using the plugin can improve your mobile application’s security posture.
Shifting mobile app security testing (MAST) earlier in an app's development timeline helps developers find security issues in their app's code and dependencies while they are still cheap to fix. Using their MAST results, developers can resolve security vulnerabilities during development instead of facing schedule delays or publishing an app with known weaknesses.
While the benefits of MAST are clear, there’s considerable pressure for developers to meet deadlines and bring their app to market quickly. This pressure often leads developers to either push security to the end of the development lifecycle or completely neglect security considerations.
In addition to the pressure of deadlines, there’s also the question of how best to integrate MAST. Mobile app security testing can be done manually, but this often places a larger burden on the developer’s shoulders, especially if they lack the skills to comprehensively test the app on their own.
Automating the process with a MAST solution eliminates the pressure of manual security scans and helps fill in developer skill gaps. Developers using automated MAST solutions are able to scan their apps earlier and identify security issues before they become pervasive concerns later in the development process.
At Guardsquare, we considered how best to help developers introduce and automate MAST. This led us to develop AppSweep and a plugin for Gradle.
We developed AppSweep as a free mobile application security testing tool. AppSweep helps developers find security issues in their mobile app quickly and offers actionable recommendations to fix the concerns based on internationally recognized security standards like OWASP. AppSweep automates the testing process, which allows developers to test early during development, effectively shifting security left.
Here are some other key AppSweep benefits:
While AppSweep offers a free way for developers to access comprehensive scans for their mobile app projects, we wanted to make the integration process even easier for Android developers. The AppSweep plugin allows developers to easily integrate the rigorous security testing of AppSweep in their Android application or library projects. Once added, the plugin automates security testing and flags issues for developers to fix early on in the development process, which creates a more secure app.
As a non-disruptive addition to a developer's existing processes, the plugin adds security scanning to the build itself, which helps ensure that apps reach the finish line secured and on time, with minimal to zero additional load on developers.
Once you've created an API key in your AppSweep project settings, you can apply the AppSweep Gradle plugin with a few lines in the module's build.gradle:

    plugins {
        // Keep your other plugins here (e.g. the Android application or library plugin)
        id "com.guardsquare.appsweep" version "latest.release"
    }
You'll then need to put your API key in the APPSWEEP_API_KEY environment variable or in the `appsweep` block. The environment variable is the better fit for CI and keeps the key out of version control; the block form looks like this:

    appsweep {
        // Replace the placeholder with the key from your AppSweep project settings
        apiKey "gs_appsweep_SOME_API_KEY"
    }
You can then initiate a scan by executing a Gradle task, where `<Variant>` is the capitalized name of the build variant you want to scan (e.g. `Release`):

    ./gradlew uploadToAppSweep<Variant>
For more information, refer to the README on the project’s GitHub page.
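The three steps above fit together in one module-level build.gradle. The following is an added example, not a snippet from the plugin's README or Guardsquare's own code: it keeps the key out of the repository by reading APPSWEEP_API_KEY (which the plugin already honours) or, as an assumed fallback for this example, an `appsweepApiKey` entry in the developer's own ~/.gradle/gradle.properties, and fails the upload task with a clear message when neither is present. Only `id "com.guardsquare.appsweep"` and `apiKey` come from the page; the property name and the task-name prefix check are assumptions.

```groovy
// build.gradle (module level) -- added example, not the plugin's documented configuration.
plugins {
    id "com.android.application"                            // assumed: an Android app module
    id "com.guardsquare.appsweep" version "latest.release"  // from the page
}

// Resolve the key from outside version control:
//  1. the APPSWEEP_API_KEY environment variable (what a CI runner would set), or
//  2. an `appsweepApiKey` entry in ~/.gradle/gradle.properties (name chosen for this
//     example; that file stays on the developer's machine and is never committed).
def resolvedAppSweepKey = System.getenv("APPSWEEP_API_KEY") ?: project.findProperty("appsweepApiKey")

appsweep {
    // Weak form: apiKey "gs_appsweep_SOME_API_KEY" -- a literal here lands in git history.
    // Preferred form: pass the resolved value only when one was found. The plugin reads the
    // environment variable on its own, so this branch mainly serves the properties-file path.
    if (resolvedAppSweepKey) {
        apiKey resolvedAppSweepKey
    }
}

// Fail fast with a readable message instead of a failed upload when no key is available.
// The task-name prefix matches the `uploadToAppSweep<Variant>` tasks shown on the page.
tasks.matching { it.name.startsWith("uploadToAppSweep") }.configureEach {
    doFirst {
        if (!resolvedAppSweepKey) {
            throw new GradleException(
                "No AppSweep API key found: set APPSWEEP_API_KEY or add appsweepApiKey to ~/.gradle/gradle.properties")
        }
    }
}
```

With this in place, `./gradlew uploadToAppSweepRelease` behaves exactly as described above on a machine or CI runner that has the key, and stops with the message above everywhere else, which is usually what you want before a scan of a release build is attempted.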
When developers neglect mobile app security testing (MAST), they risk sending their apps to market with unresolved security vulnerabilities. Threat actors can exploit these vulnerabilities to elevate privileges, steal intellectual property, and pilfer user data. Implementing MAST can flag these issues before the app goes to market, giving developers an opportunity to resolve them and strengthen the security posture of their mobile app. MAST, however, works best when integrated early: shifting left reduces the frustration of finding security issues late, when they are more likely to be pervasive and to require significant work to correct.
Without the right tools, MAST integration can feel clunky and slow. The AppSweep plugin for Gradle quickly and easily integrates with the build automation tool to automate application code security scans.
Executive Summary (TL;DR)