Streamline your organization's mobile application security testing program with IBM Security AppScan Source 9.0

Identify and correct vulnerabilities

Many applications today are written for mobile devices. These applications are developed and released at a rapid speed. Yet the security of many of these applications remains a major concern. AppScan Source 9.0 streamlines your organization’s mobile application security testing with the introduction of local mode, integration with IBM Worklight, and by expanding its support of the Mac platform.


Leyla Aravopoulos (, AppScan Software Development Manager, IBM

Photo of Leyla AravopoulosLeyla Aravopoulos is a Software Development Manager for the IBM Security AppScan Source product. In her current role, Leyla works with a team of software developers to deliver new features in IBM's Static Application Security Testing (SAST) space. In the past, Leyla also held software development, test, and project management roles at IBM. Leyla has a master's degree in computer science from York University, Toronto, Canada.

17 June 2014

Also available in Russian

Mobile applications have quickly become a part of daily life. People now use apps in ways not imagined possible before. I pay for my coffee with a mobile app on the way to work. If we go out for a family dinner during the week, my husband and I let our kids play their favorite games on our mobile phones while we wait for food to be served. This activity gives us a few minutes of quiet and an opportunity to catch up. A friend even tracks the whereabouts of her teenage daughter by using a mobile app!

AppScan Standard Trial

AppScan Standard Trial

IBM® Security AppScan® is a leading application security testing suite that is designed to help manage vulnerability testing throughout the software development lifecycle. IBM Security AppScan automates vulnerability assessments and scans and tests for all common web application vulnerabilities that include SQL injection, cross-site scripting, buffer overflow, and new flash/flex application and Web 2.0 exposure scans.

Appscan provides full coverage of the OWASP Top 10 for 2013. Our solution also includes support for industry-standard Transport Layer Security (TLS) protocol 1.2, and is compliant with Federal Information Publication Standard (FIPS) 140-2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-131a.

Download a trial version of AppScan Standard.

Mobile apps are developed and delivered at a fast pace. The website (see Resources) reports that over a million active apps were added to the iTunes App Store since 2008. As shown in Figure 1, nearly 7,000 game apps were submitted in March 2014 alone, along with more than 15,000 non-game apps.

Figure 1. iTunes App store submission numbers for March 2014
Image of pie chart showing iTunes store submission numbers

While these apps bring convenience and enjoyment to users, are they secure and protected from hackers?

The research of IBM Business Partner Arxan determined that among the top 100 paid applications:

  • 100% of apps on the Google Android platform were hacked.
  • 56% of apps on Apple iOS were hacked.

Among the popular free applications:

  • 73% on Android were hacked.
  • 53% on Apple iOS were hacked.

See Resources for a link to Arxan’s reports.

Clearly companies need to seek tools and techniques to secure their applications and need to do it quickly to meet the rapid demands of today’s market. An ideal place to start application security testing is early in the development phase. This article provides an overview of IBM's static analysis security testing solution and focuses on new features in version 9.0 that further assist with rapid scanning of mobile applications.

Addressing vulnerabilities with IBM's Static Analysis security testing solution

IBM Security AppScan Source identifies static or source code vulnerabilities early in the software development lifecycle, so those vulnerabilities can be fixed before application deployment. In addition to traditional programming languages, AppScan Source supports scanning of JavaScript, HTML5, Java™, and Objective-C mobile applications. In version 9.0, support was added to integrate with IBM Worklight® and to scan Worklight hybrid and Worklight native iOS or Android applications. AppScan Source provides support for integration with Eclipse/Visual Studio plug-ins, build automation, and an analysis and remediation user interface.

All editions of AppScan Source before version 9.0 required a connection to AppScan Enterprise Server, which resulted in time that is spent for installation and setup of the product. With the introduction of local mode in version 9.0, this requirement was lifted in AppScan Source for Development plug-ins for Eclipse and Visual Studio. In local mode, plug-ins operate without connecting to AppScan Enterprise Server, facilitating rapid security scanning of mobile applications. The user benefits by the reduction of the time that is required to conduct the first mobile application scans by using AppScan Source. It is worth noting that Worklight applications are developed in the same Eclipse instance that AppScan Source plugs into. The result is a close integration between mobile application development using Worklight and application scanning that uses AppScan Source. The remainder of this article details local versus server mode in AppScan Source and the capabilities available in each mode.

Comparing local and server mode

Local mode in AppScan Source for Development plug-ins facilitates rapid security scanning of mobile applications. In the local mode, users can conduct security analysis with a default set of scan configurations. They can view findings, apply pre-defined filters, create their own filters, view traces, and remediate vulnerabilities. AppScan Enterprise Server is required for the use of custom rules, shared scan configurations, and share filters. AppScan Source for Analysis provides the following additional functions over development plug-ins: reporting, the ability to publish to Enterprise Server, user management, custom rules creation, scan configuration creation, triage, and integration with defect tracking systems. Furthermore, to integrate source code security scanning with build environments during the software development lifecycle (SDLC), users can use AppScan Source for Automation. AppScan Source for Analysis and Automation requires a connection to AppScan Enterprise Server. See Figure 2 for an illustration of local versus server mode.

Figure 2. Local mode versus server mode
Diagram that compares local mode and server mode

AppScan Source for Development plug-ins have an option of switching between server and local modes. However, users are likely to use local mode at the outset of their application security testing programs. As security processes mature within their organizations, users are likely to use AppScan Source for Analysis or Automation, along with a shared AppScan Enterprise Server to obtain the additional functionality referred to above.

Regarding licensing, AppScan Source for Development plug-in products provide the option to use authorized users or floating licenses. This requirement still holds, regardless of whether you employ local or server mode. All floating licenses require a connection to a license server; this connection is required for both local and server operational modes. A license server is not a requirement when you use authorized user licenses that are tied to a host ID and which function as nodelocked licenses.

Local and server modes in action

Steps in this section outline how users select local mode and what’s involved in switching to server mode. I outline some of the differences in each mode and touch upon licensing considerations.

Upon starting the product, you are presented with the dialog shown in Figure 3. In the Use AppScan Enterprise Server dialog, you choose up front between local and server modes. Assume that you choose Do Not Use Server to stay in local mode.

Figure 3. Local versus server mode selection dialog
Screen capture of the Local versus server mode selection dialog

In local mode, the Security Analysis menu looks like what you see in Figure 4.

Figure 4. Security Analysis menu in local mode
Screen capture of the Security Analysis menu in local mode

In local mode, the user still needs to have a valid license to use the product. If you are using a floating license, connection to a license server is required. The action in the dialog in Figure 4, Release Scanning License, allows you to release the floating scan license when it is no longer needed.

Figure 5 is an example of what you might see in terms of local filters available for filtering in local mode. This combination is ready-to-use filters and ones that you create locally.

Figure 5. Filters in local mode
Screen capture that lists filters in local mode

Figure 6 shows an example of scan configurations available for scanning in local mode.

Figure 6. Scan configurations in local mode
Screen capture that lsits scan configurations in local mode

If you select to start a scan, you are not prompted to log in to AppScan Enterprise Server. Now, using the preference page as shown in Figure 7, switch to server mode. After you click OK, you are prompted to restart your integrated development environment (IDE). After the IDE restarts, you will be prompted to log in to the server.

Figure 7. Preference dialog for Security Analysis
Figure showing Preference dialog for Security Analysis

In server mode, the Security Analysis menu is similar to the one shown in Figure 8. Note the Change Password and Log Out from Server options that are now present in server mode. In server mode, a floating scan license is released implicitly when the user logs out of the server.

Figure 8. Security Analysis menu in server mode
Screen capture of Security Analysis menu in server mode

In server mode, users see that the filters and scan configurations that are listed in Figure 9 and Figure 10 are available to filter their findings and to scan. Note the highlighted shared ones that are now available in server mode to all AppScan Source clients that connect to the shared Enterprise Server. Shared filters and scan configurations are not available in local mode.

Figure 9. Filters in server mode
Screen capture of filters in server mode
Figure 10. Scan configuration in server mode
Screen capture of scan configuration in server mode

As mentioned earlier, scans done in server mode use the custom rules that are shared in AppScan Enterprise Server. Custom rules are not available in local mode.

A quick mobile scan using AppScan Source for development

In this example, the user installed the AppScan Source for Development plug-in in her Eclipse environment where the Worklight plug-in is installed. Installation of the AppScan Source plug-in into Eclipse is quick and completes in a few minutes.

I will briefly show you the results of scanning a mobile application that is created as a Worklight Eclipse project in local mode and the tools available to locate and remediate the findings.

After you create a project and it is ready to scan, you can select a scan configuration by selecting Security Analysis > Configure Scan > Security Scan Configuration. In this case, I selected Quick Scan as shown in the dialog in Figure 10. Since you are in local mode, you have access only to ready-to-use filters and any custom filter that was created.

Next, start a scan of the entire Worklight project by right-clicking on the project and selecting Run Scan. Once the scan completes, a Security Analysis perspective similar to the one in Figure 11 is displayed. With various tools in this perspective, you can zero in on findings in your source code and remediate.

Note:This article contains code samples that are for demonstration use only. The code samples contain known application security vulnerabilities that were created expressly for demonstrating the functionality of the application security testing tools. IBM disclaims all liability of any kind resulting from your use of the application. It is your responsibility to determine if the program is appropriate or safe for your technical environment. Never install the application in a production environment. You acknowledge and accept all risks associated with the use of the application.
Figure 11. AppScan Source Eclipse views
Screen capture of AppScan Source Eclipse views

In the example in Figure 11, I double-clicked a Data Leakage vulnerability in the Findings view. In the Trace view, the root note indicates that this vulnerability originated from line 18 in the source code, which is also opened in the editor at that line. The Remediation Assistant view provides you with information about a vulnerability and about why it is insecure; it also suggests ways to eliminate the vulnerability.

Figure 12 shows how to filter the vulnerabilities found by using, for example, the OWASP Mobile Top 10 Vulnerabilities filter. After you apply the filter, the number of findings is reduced to 29.

Figure 12. Filtering of findings with OWASP Mobile Top 10 Vulnerabilities
Screen capture of filtering of findings with OWASP Mobile Top 10 Vulnerabilities


The solution that is described is flexible in that a user can use AppScan Source for Development in local mode for rapid security testing. To obtain this additional functionality, the user can choose AppScan Source for Development that is connected to Enterprise Server for shared filters, scan configurations, and custom rules. Optionally, you can use Source for Analysis along with a shared AppScan Enterprise Server to do reports, publish to Enterprise Server, manage users, create custom rules, create scan configurations, do triage, and integrate with Defect Tracking Systems. It is also worth noting that AppScan Source for Development 9.0 in local mode doesn't use a database such as IBM solidDB®. In addition to local mode, AppScan Source 9.0 strengthens its mobile story by introducing Eclipse plug-in support on Mac and integrates with IBM Worklight in the same Eclipse instance.



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into Security on developerWorks

Zone=Security, Mobile development
ArticleTitle=Streamline your organization's mobile application security testing program with IBM Security AppScan Source 9.0