Changelog

3.1.0

06.21.2018

Updates:

  • New Findings Dashboard - The new Findings Dashboard is accessible via the Findings icon located on the left navigation toolbar, directly under Home. The dashboard provides an aggregate view of findings across app versions by vulnerability type over time. For example, you can now view all of your apps affected by a Man-in-the-Middle vulnerability and sort the view according to preference:

  • Select timeframes from 1 week to 6 months of application history

  • Sortable columns such as:

    • CVSS finding score
    • Impact - the criticality of the finding
    • Title - the finding's well-known name
    • Platform - iOS vs Android
    • Analysis - whether the finding was determined by Static or Dynamic analysis
    • Category - the rollup type of vulnerability, e.g., Networking, Code, Permissions
  • In-page filtering by vulnerability title, e.g., “Man-in-the-Middle Attack”

  • RBAC Update - Apps and their history can now be moved between groups.

3.0.0

06.05.2018

Updates:

  • Role Based Access Control (RBAC) - This major enhancement extends NowSecure AUTO's capabilities to include administration of new users, role-based access assignments, group creation, and configuration of end-user permissions from over 30 attributes.
    • Administration - Organization Admins can provide access, deactivate users, edit roles, and create groups of users in the system with only a few clicks.
    • Enhanced Profiles & Invites - Users, if permitted, may access tokens, update personal information, view groups and roles, and invite other users via their profiles.
    • Permissions Configuration - Admins can set permissions for each user or use the pre-configured role defaults shipped with the product: Admin, Analyst, Customer, Developer, Q&A, and Exec. Admins may edit the pre-configured roles as well, for complete control.
    • Groups - Groups functionality allows administrators to assign users to teams, controlling access to applications and each app's discrete test data.

Fixes

  • The guided welcome tour had a step that appeared off-screen, preventing the user from continuing.

  • Occasionally, after upload, the “Run” text was not clickable, forcing the user to click the application card and re-run the assessment from there.

2.5.1

05.24.2018

Updates:

  • iOS Zip Files in Transit - In light of the ZipperDown vulnerability (a path-traversal flaw in zip extraction that lets an attacker who can tamper with a downloaded archive write files outside the intended directory inside the app sandbox), a check for zip files sent in transit has been added for iOS. The equivalent check already existed for Android.
  • Writable Executable Findings Details - Specifies whether writable executable files were found in private or shared storage, and allows risk assignment based on storage location.
  • Networking Issue Title Name Changes - A number of network issue titles were updated to make the underlying vulnerability easier to identify. The changes are as follows:
    • Broken SSL => Certificate Validation / Hostname Verification
    • Sensitive Data in Transit (with encryption) => Man-in-the-Middle Attack
    • TLS traffic with sensitive data => Certificate Pinning Bypass
  • Sensitive Data in the iOS Keychain - Checks have been added for configured search terms within the iOS keychain, including username, password, and any other configured terms such as device ID or GPS coordinates.
  • Google’s Core App Quality Regulatory Guidance - A new compliance body has been added to the Regulatory section reflecting Google’s Core App Quality guidelines.
  • Remote Code Execution (Probable) - A new check looks for the combination of an Android application receiving zip files in transit and having writable executable files on disk.
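
The following is an added example, not NowSecure's code, of how the three 2.5.1 checks above fit together: sniffing zip archives in captured traffic by their magic bytes rather than by Content-Type, classifying writable executables by private versus shared storage, and combining the two into the Android "Remote Code Execution (Probable)" finding. The `Transaction` and `FileEntry` shapes, the sandbox-path convention, the severity labels, and all sample data are assumptions constructed for the example.

```python
"""Added example (not NowSecure's code): zip-in-transit, writable-executable
and combined probable-RCE checks. Data shapes and storage conventions are
assumptions made for illustration."""
from dataclasses import dataclass
import stat

# Local-file-header signature of a zip entry; an empty archive starts with the
# end-of-central-directory record instead, so check both.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")


@dataclass
class Transaction:          # one captured HTTP response (assumed shape)
    host: str
    content_type: str
    body: bytes


@dataclass
class FileEntry:            # one file from the device file listing (assumed shape)
    path: str
    mode: int               # st_mode bits, as returned by os.stat()


def is_zip_payload(body: bytes) -> bool:
    # Sniff the magic rather than trusting Content-Type: servers often label
    # archives as application/octet-stream or even text/plain.
    return body[:4] in ZIP_MAGICS


def zips_in_transit(transactions):
    return [t for t in transactions if is_zip_payload(t.body)]


def storage_class(path: str, package: str) -> str:
    """Assumed convention: the app's private sandbox is /data/data/<pkg>/ or
    /data/user/0/<pkg>/; anything else (e.g. /sdcard, /storage/emulated) is
    shared storage that other apps may be able to write to."""
    private_prefixes = (f"/data/data/{package}/", f"/data/user/0/{package}/")
    return "private" if path.startswith(private_prefixes) else "shared"


def writable_executables(files, package):
    """Files that are both executable and writable, tagged with where they live."""
    found = []
    for f in files:
        executable = f.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        writable = f.mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
        if executable and writable:
            found.append((f.path, storage_class(f.path, package)))
    return found


def probable_rce(platform, transactions, files, package):
    """Combination check: an Android app that receives zip archives over the
    network and has writable executables on disk. A writable executable in
    shared storage is rated higher than one inside the private sandbox
    (rating scheme assumed for the example)."""
    if platform != "android":
        return None
    zips = zips_in_transit(transactions)
    execs = writable_executables(files, package)
    if not zips or not execs:
        return None
    worst = "shared" if any(c == "shared" for _, c in execs) else "private"
    return {
        "title": "Remote Code Execution (Probable)",
        "zip_hosts": sorted({t.host for t in zips}),
        "writable_executables": execs,
        "severity": "high" if worst == "shared" else "medium",
    }


# Constructed sample data so the example runs stand-alone.
SAMPLE_TX = [
    Transaction("cdn.example.test", "application/octet-stream",
                b"PK\x03\x04" + b"\x14\x00" * 13 + b"payload"),
    Transaction("api.example.test", "application/json", b'{"ok":true}'),
]
SAMPLE_FILES = [
    FileEntry("/data/data/com.example.app/files/helper.so", 0o100755),      # exec, owner-writable
    FileEntry("/sdcard/Android/data/com.example.app/plugin.bin", 0o100777),  # exec, world-writable
    FileEntry("/data/data/com.example.app/files/config.json", 0o100644),     # not executable
]

if __name__ == "__main__":
    print(probable_rce("android", SAMPLE_TX, SAMPLE_FILES, "com.example.app"))
```

The owner-writable case is kept on purpose: an executable the app itself can overwrite is exactly what a zip path-traversal during extraction would target, so it counts even when no other app can reach it.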

Fixes

  • Numerous CWE mappings were updated to reflect the proper listings, and the NIAP mapping was updated to the latest published version of the Protection Profile for Application Software.

2.5.0

03.28.2018

Updates:

  • New Findings Toolbar - Customers can now customize finding information in assessments to meet their organizational needs, including Edit CVSS Score, Add Finding Note, Hide Finding in Report, and Pass Finding in Report.
  • Editable CVSS Scores - Customers now have the ability to Edit CVSS scores to best reflect the importance of a finding relative to their specific organizational preferences and security policies. CVSS Score adjustments can be made for each individual finding.
  • Add Notes to Findings - There is now a Notes option available per individual scored finding so that team members can add crucial context in line to share across security, development, QA or other key stakeholders. Notes can be made for each individual finding.
  • Ability to Hide Findings - With just one click, customers can now hide individual scored findings after a vulnerability has been reviewed. This ensures the finding does not alert on future scans of the same app and does not create redundant issue tickets in trackers like JIRA or GitHub. “Hidden” findings are customizable per app, apply to all assessments for that app over time, can be turned off at any time, and the raw results remain referenceable at the bottom of reports.
  • Pass Findings - Within an assessment, customers can now adjust a CVSS Scored finding to “Pass” which will remove the individual finding and CVSS score from the total risk score and remove from FINDINGS SUMMARY list.
  • Assessment Reversion Back to Original - At any time after editing, customers can, with one click, return to the clean default assessment, which removes all changes including custom CVSS scores, notes, and hidden findings.

Fixes

  • Enhanced AFNetworking Check - Enhancements now surface additional fields, showing if the vulnerable instance of AFNetworking is used during runtime, and the module in which the insecure implementation was found.

2.4.0

02.27.2018

Updates:

  • Better detailed reporting - Our new AUTO reports include more granular and detailed vulnerability findings, comprehensive test listings, a completely new user interface, and new navigation.
  • More flexible report-export options - AUTO users can now customize and export PDF reports, whether they want a one-to-two page overview or a detailed 300-page document with deep technical information.
  • Security Score - Tested apps will now be measured with the NowSecure Security Score. Based upon CVSS, this score ranges from 0 - 100, rating the overall security of each app build.
  • Detailed information panel - Customers now have access to detailed job data in one convenient collapsible panel. Data like job messages, status, job information and easy access to raw data can be toggled with a single click of the “Info” on any in-progress or completed assessment.
  • View search-term-specific findings - Reports now break-out findings individually for search-terms. For example, if an app transmits sensitive data without encryption, a finding is created for each identified piece of data (e.g., username, password, e-mail, device ID, etc.).
  • New Regulatory Mappings - NowSecure AUTO now includes findings for GDPR, FFIEC, FISMA, HIPAA and PCI regulation violations.
  • New Tests and Findings - New checks add 10 new findings to the report. These checks include, but aren’t limited to: iOS Frameworks, HTTP Requests, SQL Injection, and SMS Communications.
  • Critical Severity - CVSS Scores of 9-10 and App Security Scores of 0-30 are now marked as critical severity. This matches the CVSS scoring system.

Fixes

  • Canceling Tasks - Customers can now cancel tasks in progress if they wish to.

2.3.0

06.09.2017

Updates:

  • JavaScript Automation Scripts - We are proud to announce that our system now accepts .js automation scripts! Users can upload them and run assessments driven by JavaScript automation.

  • Font Size - We increased the font size from 12 to 13 for your viewing pleasure! :)

  • Screenshot Message Titles - Our screenshot messages now have titles.

Fixes:

  • JIRA Undefined - Config sections are now shown only after users fully authorize integrations.

  • Realtime Event Messages - Some users experienced an issue where realtime event messages were not shown in the correct order. This is fixed; messages now appear in the user interface as soon as we know about them.

2.2.2

04.27.2017

Updates:

  • Messages Reporting Feature - Users can now see the realtime event messages, interaction logs, and screenshots displayed during analysis. This information is shown in the Messages tab under the Report Summary.

  • Online and Offline Detection - Our system now better notifies users of their connection status and reminds them to refresh or reload the browser periodically when using the cloud dashboard.

Fixes:

  • Duplicate Findings - Duplicate findings are no longer shown for Sensitive Data in Transit.

  • JIRA Update - Some users experienced an issue when JIRA was improperly configured. JIRA initialization without an Input URL no longer causes a “bad state” error.

  • Blank Contact Fields - Allowing blank contact field(s) now functions properly; previously this caused an immediate dynamic test failure.

2.2.1

04.05.2017
  • Improved Screenshot Timestamps - Our UI automator, named Zed, got a new stopwatch, so he can now record screenshots during live analysis down to the second. Screenshots are now recorded with more precision.

  • Screenshot Reporting Improvements - Our team fixed a few minor bugs in the screenshots recorded during live analysis. Previously, a small number of screenshots were not recorded accurately or failed to record an image. We’ve fixed this flaw! Screenshots should now be in the correct order.

  • Fixed Heartbleed Check False Positive (iOS) - Previously, the Heartbleed check for iOS would intermittently report a false positive. This issue is now fixed.

  • Logout Improvements - Logging out of the application now also logs you out of our Single Sign On (SSO) portal. Previously, logging out required multiple windows.

  • Improved UI - The cloud dashboard UI should be smoother than ever before!

2.2

03.23.2017
  • Live Automation Improvements - Our UI automator, named Zed, likes to give updates on activity while he’s performing a security assessment. He went to grammar school and now offers better live details and insights while he’s completing analysis for you!

  • Live Screenshots Now Available for iOS - Zed got a new camera that allows him to share live screenshots while he’s completing iOS analysis. Previously, he could only show you screenshots after analysis was complete.

  • Screenshot Improvements - We’ve improved the precision of the screenshot timeline view stored during security analysis.

  • Added Profile Screen with Account Details - The Account window now includes a Profile screen with all of the details about each user’s account and their testing limits.

  • Improved App Sorting - In previous versions of NowSecure Auto, the dashboard view would reset on every login. You can now create a view and keep it every time you log in.

  • Bug fixes to improve performance.

2.1.0

02.02.2017
  • Custom Automation Action Strings - Now it’s easier than ever to customize automation scripts to ensure more complete testing coverage of your app. There are times when our default script needs modification to navigate common mobile app screens. You can access custom automation strings in the Configure window to build a more complete UI script and increase code coverage.

  • Vulnerability Summary Enhancements - To let you measure the security of your app more quickly, we’ve improved the vulnerability summary for each assessment. Vulnerabilities are now sorted by High, Medium, and Low risk.

  • View App Certificate Information - Easily inspect the certificates used by your app to make sure they’re up-to-date and valid. Any certificates in use by the app are displayed, including the key type, key size in bits, serial number, URL, and common name of each certificate.

  • Custom Field Support Now Included for JIRA Integration - Lab Automation allows users to integrate their results with common bug trackers like JIRA and GitHub. Users who integrate with JIRA can now add custom fields before and after their assessment; these fields then appear in every JIRA ticket.

  • Bug fixes to improve performance.

2.0.0

01.17.2017
  • Bug fix related to Path Traversal not passing correctly

  • Fixed an issue where network connections were not displaying findings correctly

1.10.0

01.04.2017
  • Bug fixes related to the UI

  • Updated findings for Path Traversal (ipc_issues)

1.9.0

12.15.2016
  • Updated Report Layout - The Analysis Summary for each assessment can now be filtered by issue section (Artifact, Code, Network, etc.), with a Show All option to display the full report.

1.8.2

12.05.2016
  • Bug Fixes

1.8.1

11.23.2016
  • Welcome Tour and Instant Trial - All users are now invited to view a walkthrough of the user interface that explains the key features and capabilities of NowSecure Auto. Users can also try pre-configured demo apps for iOS and Android, as well as upload their own apps.

  • Preflight Checks - After an app is uploaded, a Preflight Check tests it, before installation on the device, for proper file configuration, encryption, and file integrity.

1.8.0

11.22.2016
  • File Validity and Encryption - Problems with either previously caused an application to fail our security analysis outright.

  • Application Network Connections - Users can now view where their application’s data is sent. This section includes IP, domain, organization, and location.

  • Automation and Testing Environment Improvements - Bugs that previously caused UI automation assessments to fail have been fixed. The testing environments for both iOS and Android have received stability improvements.

1.6.1

10.18.2016
  • Sanitizing configuration input to notify the user when they’re entering configuration terms that would cause jobs to fail

  • Added a changelog to the UI under the pop-out menu. Any time an update is pushed to production all users will be notified in the bottom left corner of the application to check out the changelog

  • All PDF reports are now generated using the browser print function. This gives users more reliability when printing or saving PDF versions of our report.

  • We broke the /results endpoint :( it’s fixed now !!!

1.5.0

10.11.2016
  • Four new security tests have been added to NowSecure Auto

  • AFNetworking Implementation (iOS) - This test checks the implementation settings of the AFNetworking library, which developers use to add networking functionality to their applications. The vulnerability was patched as of version 2.5.2; if an older version is used, all SSL traffic can be intercepted and decrypted in a standard man-in-the-middle attack.

  • System Log Messages (iOS) - NowSecure Auto has run the system logs artifact test on Android apps for a while, and the same test can now be performed on iOS apps. Debug logs are meant to help detect and correct flaws in an application, but they can also leak sensitive information that helps an attacker build a more powerful attack. The system log messages detected in an app are now also displayed in the UI.

  • Increased Search Coverage (Android) - NowSecure Auto lets users configure their tests to surface important search terms such as personal information, login credentials, GPS coordinates, payment information, and more. NowSecure Auto can now surface search terms found within local application files (/data/data/) and on the SD card.

  • Files Stored on SD Card (Android) - This check determines whether files are stored in an external location. External storage, such as an SD card, lacks fine-grained permissions: by default, any other app holding the external storage permission can read files stored there.

  • App Dashboard Updates - To help users quickly sort and filter a large volume of apps and assessments in the NowSecure Auto dashboard, we’ve added the ability to sort apps by upload date, app name, and package name.

  • Fixed an issue with the JIRA integration where attempting to post an informational finding to the JIRA project would crash NowSecure Auto.

1.4.0

09.27.2016
  • JIRA and GitHub Integration - Users can now configure a JIRA project or GitHub repository for a specific application. Every time an analysis is run on that application, issues are created for every vulnerability found.

  • In-App Messaging - Every action a user takes is now confirmed with a toast message across the top of the application. These actions include (but are not limited to) application uploading, configuration saving, integration configuration, application and assessment limits, and clicking the run button incessantly.

  • App Dashboard Updates - Say goodbye to the bars and hello to the cards. We updated the App Dashboard to new and improved application cards. These allow more applications to be displayed on the dashboard and will eventually let us give the user much more “at a glance” application information.

  • Sidebar - The new and improved NowSecure Auto sidebar is now the anchor for all navigation. Currently quite spartan, this is where all navigation within Lab will take place.

  • Search Updates - The app dashboard search actually works now. Seriously, give it a try.

  • 2 Minute Upload Timeout - We fixed a bug that limited all uploads to exactly 2 minutes. Users should no longer have issues uploading their favorite 200 MB mobile app at the hipster coffee shop on the corner.

  • Content API Updates - Data is now encrypted at rest, and downloads require authentication.

1.3.5

08.19.2016
  • Added tests on iOS to check whether cookies are set with the ‘Secure’ and ‘HttpOnly’ attributes

  • Stability updates to both iOS and Android Dynamic testing

  • Updates to the way that we sign applications on the iOS dynamic test devices

  • Fixed a bug that caused reports not to render correctly when data came back from the SQLite test that we perform
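
As an added example of the kind of logic behind the 1.3.5 cookie test above (this is not NowSecure's code), the block below takes captured HTTP responses, parses every Set-Cookie header, and reports cookies that lack the Secure or HttpOnly attribute, plus the case of a Secure cookie that was nonetheless issued over plaintext HTTP. The `CapturedResponse` shape, the finding format, and the sample responses are assumptions constructed for the example.

```python
"""Added example (not NowSecure's code): Secure/HttpOnly cookie attribute check
over captured responses. Data shapes and sample input are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CapturedResponse:             # assumed shape of one captured response
    url: str
    headers: List[Tuple[str, str]]  # repeated (name, value) pairs; Set-Cookie may occur many times


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split 'name=value; Attr; Attr=val' into the cookie name, its value and a
    lower-cased attribute map. Only the first '=' of the name=value part is a
    separator, because cookie values may legally contain '='. Flag attributes
    without a value (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return {"name": name.strip(), "value": val, "attrs": attrs}


def cookie_findings(responses):
    """One finding per cookie missing Secure and/or HttpOnly; a second kind of
    finding when a Secure cookie was delivered over plaintext HTTP, since the
    value was already exposed on the wire regardless of the attribute."""
    findings = []
    for r in responses:
        over_tls = r.url.lower().startswith("https://")
        for hname, hval in r.headers:
            if hname.lower() != "set-cookie":      # header names are case-insensitive
                continue
            c = parse_set_cookie(hval)
            missing = [a for a in ("secure", "httponly") if a not in c["attrs"]]
            if missing:
                findings.append({"url": r.url, "cookie": c["name"], "missing": missing})
            if "secure" in c["attrs"] and not over_tls:
                findings.append({"url": r.url, "cookie": c["name"],
                                 "missing": ["set over plaintext http"]})
    return findings


# Constructed sample responses so the example runs stand-alone.
SAMPLE_RESPONSES = [
    CapturedResponse("https://api.example.test/login", [
        ("Content-Type", "application/json"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),   # correctly flagged
        ("Set-Cookie", "prefs=a=b=c; Path=/"),                        # '=' in value, no flags
    ]),
    CapturedResponse("http://legacy.example.test/", [
        ("set-cookie", "token=xyz; HTTPONLY"),                        # mixed case, no Secure
    ]),
]

if __name__ == "__main__":
    for f in cookie_findings(SAMPLE_RESPONSES):
        print(f)
```

Attribute names are compared case-insensitively on purpose: `HTTPONLY`, `HttpOnly` and `httponly` are all accepted by clients, and a checker that only matches one spelling produces false positives.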

1.3.4

07.22.2016
  • Fixed a bug that wouldn’t display reports from older apps when either static or dynamic results were missing.

  • Updated descriptions and regulatory mappings for some of the results

1.3.3

07.21.2016
  • Users can now add any number of named search terms (e.g., CCN: 4147-2022-1237-8481) in the configuration section of an app. These terms are searched for in the artifacts just like login credentials; if found, they are shown in the Sensitive Data in Transit results tables.

  • A fix for the XML issue in Android dynamic analysis that kept assessments from completing fully, which caused some network issues not to be reported.

1.3.2

07.19.2016
  • Multipass for iOS - This allows each app to be run multiple times to check for different levels of encryption over the network. The addition of multipass to iOS brings feature parity between the iOS and Android rigs for network testing.

  • Sensitive Data in Transit results have been split into four separate results for both iOS and Android: Sensitive Data in Transit (no encryption), Sensitive Data in Transit (with encryption), Invalid TLS/SSL, and TLS Traffic with Sensitive Data.
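
The block below is an added example, not NowSecure's code, showing one way the four Sensitive Data in Transit results above can be derived from a multipass run combined with the configured search terms described under 1.3.3. The pass model is an assumption made for the example: a "passthrough" pass records traffic without interception, an "untrusted_mitm" pass intercepts TLS with a certificate the device does not trust, and a "trusted_mitm" pass intercepts with a proxy CA installed on the device. The `Observation` shape, `SEARCH_TERMS`, the deduplication rule and all sample data are likewise constructed.

```python
"""Added example (not NowSecure's code): classifying sensitive-term sightings
from a multipass capture into the four network results. The pass model,
data shapes and sample input are assumptions for illustration."""
from dataclasses import dataclass

# Configured search terms (constructed); values are what we look for in bodies.
SEARCH_TERMS = {"username": "alice@example.test", "password": "hunter2"}

NO_ENC = "Sensitive Data in transit (no encryption)"
WITH_ENC = "Sensitive Data in transit (with encryption)"
INVALID_TLS = "Invalid TLS/SSL"
TLS_SENSITIVE = "TLS Traffic with sensitive data"


@dataclass
class Observation:          # one captured request in one pass (assumed shape)
    pass_name: str          # passthrough | untrusted_mitm | trusted_mitm
    host: str
    scheme: str             # http | https
    handshake_ok: bool      # for https: did the app complete the TLS handshake?
    body: str               # decrypted body when available, else ""


def terms_in(body: str):
    return sorted(k for k, v in SEARCH_TERMS.items() if v in body)


def classify(observations):
    results = {NO_ENC: set(), WITH_ENC: set(), INVALID_TLS: set(), TLS_SENSITIVE: set()}
    for o in observations:
        found = terms_in(o.body)
        if o.scheme == "http":
            # Plaintext: readable by anyone on the path, whatever the pass.
            for t in found:
                results[NO_ENC].add((o.host, t))
        elif o.pass_name == "untrusted_mitm" and o.handshake_ok:
            # The app accepted a certificate it should have rejected. That is
            # broken validation even with nothing sensitive in the body; with a
            # term present, a network attacker reads the data despite TLS.
            results[INVALID_TLS].add(o.host)
            for t in found:
                results[WITH_ENC].add((o.host, t))
        elif o.pass_name == "trusted_mitm" and o.handshake_ok:
            # Decrypted only because the rig's CA is trusted: protected on the
            # wire, listed so reviewers see what an unpinned trust store exposes.
            for t in found:
                results[TLS_SENSITIVE].add((o.host, t))
    # Dedup rule (assumed): a sighting already reported as readable through a
    # forged certificate is not repeated under the less severe TLS result.
    results[TLS_SENSITIVE] -= results[WITH_ENC]
    return {k: sorted(v) for k, v in results.items()}


# Constructed multipass capture so the example runs stand-alone.
SAMPLE = [
    Observation("passthrough", "legacy.example.test", "http", True,
                "user=alice@example.test&pw=hunter2"),
    Observation("untrusted_mitm", "api.example.test", "https", True,
                '{"user":"alice@example.test"}'),          # accepted the forged cert
    Observation("untrusted_mitm", "auth.example.test", "https", False, ""),  # rejected it: good
    Observation("trusted_mitm", "api.example.test", "https", True,
                '{"user":"alice@example.test","password":"hunter2"}'),
    Observation("trusted_mitm", "auth.example.test", "https", True,
                '{"password":"hunter2"}'),
]

if __name__ == "__main__":
    for title, hits in classify(SAMPLE).items():
        print(title, hits)
```

A host that rejects the rig's certificate in every pass, including the trusted one, would surface nowhere here, which is the pinning case the later 2.5.1 rename ("Certificate Pinning Bypass") makes explicit.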

1.2.0

06.30.2016
  • iOS Descriptions and Recommendations updated for the following sections: Application Metadata, Dynamic Log, Keychain, SQLite

  • Regulatory Mappings: Each result in the report shows the relevant CWE, OWASP, and NIAP (when applicable) references with links.

  • Persistent API Tokens: Users will no longer have to refresh their API token every 24 hours. They can now set it and forget it! Users also have the ability to revoke token access.

  • iOS Screenshots: When users upload iOS applications, they will now see screenshots of the analysis like the ones currently shown for Android.

  • Increased screen real estate for tables. Data is easier to view. Users can now select a cell in one of the tables and view the entire output.

  • Various stability fixes

1.1.2

05.20.2016
  • Set the config upon upload. You can now set login credentials and a DSL script before uploading the application binary.

  • DSL script uploads. These allow the user to write a simple interaction script to navigate through the UI.

  • Screenshots are now present when the app is being run on the rig. This will allow you to see how far the UI Automator or DSL script got within the app.

1.1.1

05.19.2016
  • Improved Login, Logout, and Begin Trial experience

  • New tables within the reports to improve how data is shown. You can now zoom in on larger portions of data and sort by column.

  • PDF downloads are now tracked in Intercom

1.0.1

05.02.2016
  • Improved error handling

  • Bug Fixes

  • Ongoing Reporting Updates

1.0.0

04.05.2016
  • iOS Dynamic analysis added to the production environment

  • Began improving reporting for iOS Dynamic analysis

  • Android Dynamic bug fixes and improvements

  • Multiple account support

  • Allowing the user to add login credentials/search terms via the API

  • New iOS Static tests with more accurate results

  • App icons and other relevant metadata for application uploads

  • App summary at the top of the report. This is the start to restructuring the report to provide the user with the best and most relevant information for their app assessments.

  • Single Sign On (SSO) allowing users to authenticate their accounts with Google Authenticator or GitHub

  • Completely restructured RESTful API with full documentation

  • New front end built in React

  • Status messages which provide updates to the web UI as tests are run