• Group Reference Identifiers - For organizations with more than one group, Group IDs are now visible on App History page by hovering over group name #611


  • Fix deployed to ensure applications belonging to deactivated groups do not appear within Dashboard, App Index & Findings Pages

  • Fix deployed which corrects logic around handling of deleted apps and correct app expiration behavior




  • Custom RBAC Roles - A GraphQL API is available which enables creation of a custom role within Role Based Access Control, which will populate under the ‘Accounts & Management > Permissions’ tab

    • Admin can create custom role and delete it
    • Admin can rename existing role to custom role name (but cannot delete the existing default roles)
  • GPS Coordinates - Custom GPS coordinates for Android supported

  • HTTP Requests - HTTP requests surfaced for Android, independent of credentials or search terms




  • New NowSecure AUTO Services Portal - The Services Portal adds a convenient option for customers to securely send binaries and manage projects directly with the NowSecure Services and Support team within NowSecure AUTO. The Services Portal is located on the left navigation bar, under the Services icon.

    For more details regarding the NowSecure AUTO Services Portal, visit the NowSecure Customer Portal for a detailed overview.




  • Login Screen - Updated branding on login screen

  • Notifications - Updated look for notifications.

  • In-Product Alerts - Streamlined mobile-responsive experience with in-product alerts




  • Avatar Mappings - Updated the avatar color mappings to display user initials or a profile picture

  • Jenkins Plugin - Group ID is now a mandatory field for the Jenkins plugin




  • Service Portal - Minio object storage instance added to manage uploads in prep for release of the Services Portal

  • Mobile Responsive - Tables were refactored to be more responsive in mobile contexts

  • Configuration Credentials - Text updated on Configuration page to exclude “not stored securely” verbiage




  • Distribution of Vulnerability Risk - Enhanced the Distribution of Vulnerability Risk widget to display both Android and Apple icons instead of displaying only the word “BOTH” on the Dashboard View


  • Fixed a bug so that the Request More option under Limits opens a ZenDesk ticket




  • Application header, with application title, displays correctly during assessment processing

  • Fix deployed to ensure app assessment re-runs execute without issue for apps added via the “Download from Store” option

  • Form layout issues fixed for Safari users




  • In-Product Chat Support - Enhanced in-product chat and issue submission via interactive Help located on the bottom right of user interface

  • Applications Page - Infinite scroll added to App Index homepage


  • Results for binaries uploaded with the same bundle ID, but different secure hash algorithm, will pull through most recent for assessment

  • Updates deployed to improve interface view for Safari browser users

  • App name displaying correctly in top header of individual app dashboard




  • Enterprise SSO - Enterprise SSO (i.e. SAML2) support is now available, enabling NowSecure AUTO admins to automatically enable user access leveraging existing corporate credentials

  • Integrations

    • Configuration is available to support dynamic JIRA fields, allowing users to set conditions which populate a customized JIRA field with a value.

    • Finding edits made within NowSecure AUTO will pull through to JIRA and Github issues


  • Refresh no longer required for Admins submitting multiple New User invitations one after the other

  • Findings marked passed are no longer re-sorted

  • Re-Run Assessment button functioning as expected.

  • Users on IE11 or below will see an Unsupported Browsers screen display if they attempt to log into NowSecure AUTO

  • Formatting issues in Jira have now been corrected.

  • Partial binary upload issues have been fixed for Jenkins users accessing NowSecure via API




  • Email Notifications - New sensitive data setting notifies group members a new alert is available, but requires users to sign into NowSecure AUTO to view alert details.

  • Unique vulnerability ID - Unique vulnerability ID available for JIRA which enables detection if a vuln reappears in later releases (API).

  • Preflight Checks - New app upload messages will provide context if an app fails to upload for the following reasons:

    • Android
      • If an app contains an SDK version higher than currently available for processing
      • If an app is found to be a System Application
    • iOS
      • If an app contains encrypted executables


  • SSO users land on the correct login screen when attempting to sign out and sign back in under a different account.
  • If the same application is added to multiple groups, NowSecure AUTO will adjust configuration page according to the respective group.
  • Intermittent display issue resolved ensuring all application names appear as intended.




  • App Operating System Version Compatibility Update - During the app upload process, NowSecure AUTO will provide an alert if an app is not compatible with the iOS or Android operating systems available within the product.

  • Alert Email Digest Option - A new group policy setting is available which will provide email summaries of all alerts triggered within a chosen period of time.

  • App Changes Audit Log (API) - Organization, Group, User, Permission and Membership attributes are now available via API audit log.


  • Assessments attempted after limit is reached will fail.




  • Alert Notification Inbox - An Alert menu has been added to the left sidebar which displays individual alert notifications with the time stamps received. Alerts are customized at group level and individual or all alerts may be turned off at any time. End users may mark alerts as read to remove them from the Alerts inbox within AUTO.

  • App Configuration Alert - Setting now available to choose to receive an alert notification if an app configuration change occurs. Admins may choose for a group to receive the Alert via email, via Alert inbox within NowSecure AUTO, or both.

  • Configuration Audit Logs - API users can pull a log of app configuration changes.

    • Type of Event
    • Created at Date
    • Read at Date


  • Static analysis updated to fix indeterminate Obfuscation Check and Certificate Validity Check tests.




  • New vuln email alerts - Adjust alert frequency and choose to receive a weekly summarization of alerts.

  • Date range for dashboard widgets - Drop down menu available to provide view of scoring or vulnerability trends within a selected date range.

  • App Upload Enhancements - Updated messaging, more detailed reasons provided when app upload fails.

  • Unique Vulnerability ID Enhancements (API User) - A new API endpoint is accessible that provides additional details regarding vulnerability history.


  • Email alert update to include more identifying information about the app and vulnerability score

  • Issue suppression ability restored for roles with appropriate permissions




  • Email Alerts - Configurable email alert notifications are available within the Account & Management section, under Groups tab. Alerts may be turned on or off as needed and group recipients and thresholds are editable allowing customization based on organizational requirements. Alert categories are as follows:

    • Notification after assessment attempt
    • Security score is ≤ (current default is ≤ 25)
    • If specified vulnerabilities are found
    • If an app is connecting to a specified country
    • If an assessment is incomplete or fails


  • Jira Integrations pipeline fix deployed




  • App Store Support - NowSecure AUTO now supports the ability to search and test apps published to Apple App Store and Google Play, enabling end users the flexibility to test apps during pre-production, after release, or during both times. The enhancement extends NowSecure AUTO features and functionality to app store apps, including:

    • Summary, Findings and App-Level dashboards
    • The ability to hide and edit assessments
    • Developer remediation instructions for findings
  • Error Codes - Additional update provides more descriptive error codes should dynamic analysis fail to complete


  • XCTest fix deployed to improve initial upload process




  • XCTest Support - A new Xcode test framework field is available for iOS scripting on the application configuration page. The field accepts a runner IPA with the script. For additional details, see this article: XCTest Automation


  • All completed assessments now show an associated score in the application history view.
  • Scoring calculation correction deployed to ensure assessments that don’t complete either static or dynamic analysis are provided a score prematurely.
  • Permissions fix enables consistent assessment runs on newly uploaded applications.
  • Analysis run status updates appropriately, no longer showing status “Unknown” on rare occasions.




  • Screenshots and status messages would occasionally be unable to render in real-time.

  • Github and Jira integrations were unable to be initialized.

  • Embedded URLs within Github and Jira issues now redirect to the proper report.

  • Reports are now updated as either static or dynamic testing completes.

  • UI enhancements have been added to the application configuration step.




  • Individual App-Level Overview - Individual app assessment summary including current status, history and trends over time to help better understand current app-level security posture and trends.

  • Individual App-Level History - Timeline view including high level details of each assessment is now available from the App-Level Overview page

  • Compliance Summary - Report summary now shows compliance summary of all findings within every assessment report, enabling users to locate compliance gaps before they snowball into regulatory issues.

  • New Jailbreak Detection Finding - Methods of jailbreak detection (if any) are now shown in a context table attached to this finding.


  • UI enhancements addressed a few issues in the overall dashboard and app listing pages.

  • Issue fixed which was causing screenshots not to load within some assessments.




  • CVSS Vector Strings - Within the AUTO report view, CVSS vector strings have now been made available. A tooltip over the CVSS value will show the vector string associated with each value, and each CVSS score is now linked to a calculator on, which illustrates the exact criteria NowSecure used to arrive at a given CVSS value.


  • Invites sent to users would result in a screen that displays “Loading…” indefinitely. Invites now properly assign the correct permissions and grant the newly invited user the proper access.

  • When changing an application’s group, a “TypeError” was thrown. Although this had no effect on the actual group change, it was misleading to users, and has since been corrected.




  • New App Listing View - The Application Card view has been updated to show a linear listing of applications, allowing more information and functionality to be performed from this view. Applications can be re-run and re-configured directly, without having to first click into the app. Additional information is also now available such as latest App Score and score trend over time.

  • Archive App Enhancements - Archived applications are no longer counted in dashboard and finding level stats, and are separated out of the standard group sorting. To see an archived application, first ensure you have the proper RBAC permission and check the “Show Archived” box on the App Listing page.

  • App Portfolio Dashboard Enhancements - Sparklines have been added to the totals widget to show the trend over time.


  • Screenshots from the assessment were not showing up in the PDF reports, despite being included in the report configuration options.

  • The “Distribution of Application Risk” widget on the App Portfolio Dashboard wouldn’t respond correctly when being resized.




  • New App Portfolio Dashboard View - The new App Portfolio Dashboard provides an aggregate of mobile app assessment statistics, vulnerability risks, and scoring trends over time via table and graph views (a.k.a. widgets). Dashboard layout may be reorganized and additional customization options are available for applicable widgets, including the ability to sort by operating system or risk severity and to select only relevant compliance regimes. The new dashboard view is now the default home page for NowSecure AUTO using the left dashboard navigation icon. Additional details regarding the widgets included in this iteration are:

    • Totals: current status of all testing activity and trends over time
    • App Risk Score Trends: average risk score for all apps over time
    • Most Vulnerable Apps: most vulnerable apps ranked by findings or risk score
    • Distribution of Vulnerability Risk: all vulnerabilities ranked by CVSS-scored findings, highest rank, largest boxes and color identify highest risk
    • Findings by Impact Summary: all findings grouped by CVSS-scored risk
    • Compliance Summary: compliance posture across all apps, lowest percentage identifies highest risk
    • Top Compliance Issues: compliance posture ranked by finding, lowest percentage identifies highest risk
  • Archive App - Apps can now be removed from the app listing view and archived into a separate group.

  • CVSS Score Update - Routine review and maintenance of CVSS Vector calculations to ensure most accurate results. Methodology viewable for API customers. The ability to view CVSS Vector Score methodology within NowSecure AUTO interface is coming soon.




  • New Findings Dashboard - The new Findings Dashboard is accessible via the Findings icon located on the left navigation toolbar, directly under Home. The dashboard provides an aggregate view of findings across app versions by vulnerability type over time. For example, you can now view all of your apps affected by a Man-in-the-Middle vulnerability and sort the view according to preference:

  • Select timeframes 1 week to 6 months of application history

  • Sortable columns such as:

    • CVSS finding score
    • Impact - the criticality of the finding
    • Title - CVSS well known name
    • Platform - iOS vs Android
    • Analysis - whether the finding was determined by Static or Dynamic analysis
    • Category - the rollup type of vulnerability e.g, Networking, Code, Permissions
  • In page filtering by vulnerability title e.g., “Man-in-the-Middle Attack”

  • RBAC update - Apps and their history can now be moved between groups.




  • Role Based Access Control (RBAC) - This major enhancement extends NowSecure AUTO’s capabilities to include administration of new users, role-based access assignments, group creation, and customized configuration of end user permissions from over 30 attributes.
    • Administration - Organization Admins can provide access, deactivate users, edit roles and create groups of users in the system with only a few clicks.
    • Enhanced Profiles & Invites - Users, if permitted, may access tokens, update personal information, view groups and roles, and invite other users via their profiles.
    • Permissions Configuration - Admins can set permissions for each user or leverage pre-configured role defaults within the product: Admin, Analyst, Customer, Developer, Q&A, Exec and Customer. Admins may edit pre-configured roles as well, for complete control.
    • Groups - Groups functionality allows administrators to assign users to teams, controlling access to applications and each app’s discrete test data.


  • The guided welcome tour would have a step that would appear off-screen, preventing the user from continuing.

  • Occasionally, after upload, the “Run” text would not be clickable, causing the user to click on the application card, and re-run the assessment from there.




  • iOS Zip Files in Transit - For added protection of iOS, in light of the ZipperDown vulnerability, a check for zip files sent in transit has been added. A check for zip files in transit already existed for Android.
  • Writable Executable Findings Details - Specifies if writable executable findings are found in private or shared storage, and allows risk assignment based on storage location.
  • Networking Issue Title Name Changes - A number of network issue titles were updated to help more easily identify the underlying vulnerability. These changes are as follows:
    • Broken SSL => Certificate Validation / Hostname Verification
    • Sensitive Data in Transit (with encryption) => Man-in-the-Middle Attack
    • TLS traffic with sensitive data => Certificate Pinning Bypass
  • Sensitive Data in the iOS Keychain - Checks have been added for configured search terms within the iOS keychain including username, password, and any other remaining terms such as Device ID, GPS coordinates, etc.
  • Google’s Core App Quality Regulatory Guidance - A new compliance body has been added to the Regulatory section that reflects Google’s Core App Quality guidelines.
  • Remote Code Execution (Probable) - A new check looks for the combination of an Android application sending zip files in transit with writable executable files.


  • Numerous CWE mappings were updated to reflect proper listings and NIAP is updated to the latest published version of the Protection Profile for Application Software.




  • New Findings Toolbar - Customers can now customize finding information in assessments to meet their organizational needs including Edit CVSS Score, Add Finding Note, Hide Finding in Report, and Pass Finding in Report.
  • Editable CVSS Scores - Customers now have the ability to Edit CVSS scores to best reflect the importance of a finding relative to their specific organizational preferences and security policies. CVSS Score adjustments can be made for each individual finding.
  • Add Notes to Findings - There is now a Notes option available per individual scored finding so that team members can add crucial context in line to share across security, development, QA or other key stakeholders. Notes can be made for each individual finding.
  • Ability to Hide Findings - With just one click, customers now have the ability to hide individual scored findings after a vulnerability has been reviewed. This will ensure the vuln does not alert with future scans of the same app and will not create new redundant issue tickets within trackers like JIRA or GitHub. “Hidden” findings are customizable for every app, apply to all assessments for that app over time, can be turned off at any time, and the raw results are still referenceable at the bottom of reports.
  • Pass Findings - Within an assessment, customers can now adjust a CVSS Scored finding to “Pass” which will remove the individual finding and CVSS score from the total risk score and remove it from the FINDINGS SUMMARY list.
  • Assessment Reversion Back to Original - At any time after editing, customers can with one click return to the clean default assessment which will remove all changes including custom CVSS scores, notes and hidden findings.


  • Enhanced AFNetworking Check - Enhancements now surface additional fields, showing if the vulnerable instance of AFNetworking is used during runtime, and the module in which the insecure implementation was found.




  • Better detailed reporting - Our new AUTO reports include more granular and detailed vulnerability findings, comprehensive test listings, a completely new user interface, and new navigation.
  • More flexible report-export options - AUTO users can now customize and export PDF reports whether they want a one-to-two page overview or a detailed 300-page document with deep technical information.
  • Security Score - Tested apps will now be measured with the NowSecure Security Score. Based upon CVSS, this score ranges from 0 - 100, rating the overall security of each app build.
  • Detailed information panel - Customers now have access to detailed job data in one convenient collapsible panel. Data like job messages, status, job information and easy access to raw data can be toggled with a single click of the “Info” on any in-progress or completed assessment.
  • View search-term-specific findings - Reports now break-out findings individually for search-terms. For example, if an app transmits sensitive data without encryption, a finding is created for each identified piece of data (e.g., username, password, e-mail, device ID, etc.).
  • New Regulatory Mappings - NowSecure AUTO now includes findings for GDPR, FFIEC, FISMA, HIPAA and PCI regulation violations.
  • New Tests and Findings - New checks add 10 new findings to the report. These checks include, but aren’t limited to: iOS Frameworks, HTTP Requests, SQL Injection, and SMS Communications.
  • Critical Severity - CVSS Scores of 9-10 and App Security Scores of 0-30 are now marked as critical severity. This matches the CVSS scoring system.


  • Canceling Tasks - Customers can now cancel tasks in progress if they wish to.




  • Javascript Automation Scripts - We are proud to announce that our system now accepts .js automation scripts! Our system now allows users to upload and run assessments using javascript automation scripts.

  • Font Size - We increased the font size from 12 to 13 for your viewing pleasure! :)

  • Screenshot Message Title - Our screenshot messages now have titles.


  • JIRA Undefined - Now we only show config sections after users fully authorize integrations.

  • Realtime Event Messages - Some users experienced an issue where realtime event messages were not showing in the correct order. We fixed this issue. Now as soon as we know about them, you will see them in the user interface.




  • Messages Reporting Feature - Users can now see realtime event messages, interaction logs, and screenshots that displayed during analysis. This information is shown in the Messages tab under the Report Summary.

  • Online and Offline Detection - Our system can now better notify users of their connection status and remind users to intermittently refresh or reload their browser when using the cloud dashboard.


  • Duplicate Findings - Duplicate findings will no longer be shown for Sensitive Data in Transit.

  • JIRA update - Some users experienced an issue when JIRA was improperly configured. Now, JIRA initialization without an Input URL will not cause a “bad state issue.”

  • Blank Contact Fields - Allowing Blank Contact Field(s) causes immediate dynamic test failure is functioning properly.


  • Improve Screenshot Timestamps - Our UI automator, named Zed, got a new stopwatch, so he can now record screenshots during live analysis down to the second. Screenshots will now be recorded with more precision.

  • Screenshot Reporting Improvements - Our team fixed a few minor bugs to improve screenshots recorded during live analysis. Previously, a small number of screenshots would not be recorded accurately or failed to record an image. We’ve fixed this flaw! Screenshots should now be in perfect order.

  • Fixed Heartbleed Check False Positive (iOS) - Previously, the Heartbleed Check for iOS would intermittently surface a false positive. This issue is now fixed.

  • Logout Improvements - Logging out of the application will also log you out of our Single Sign On (SSO) portal. Previously, logging out required multiple windows.

  • Improved UI - The cloud dashboard UI should be smoother than ever before!


  • Live Automation Improvements - Our UI automator, named Zed, likes to give updates on activity while he’s performing a security assessment. He went to grammar school and now offers better live details and insights while he’s completing analysis for you!

  • Live Screenshots Now Available for iOS - Zed got a new camera that allows him to share live screenshots while he’s completing iOS analysis. Previously, he could only show you screenshots after analysis was complete.

  • Screenshot Improvements - We’ve improved the precision of the screenshot timeline view stored during security analysis.

  • Added Profile Screen with Account Details - The Account window now includes a Profile screen with all of the details about each user’s account and their testing limits.

  • Improved App Sorting - In previous versions of NowSecure Auto, the dashboard view would reset upon every login. We’ve changed the system settings that allow you to create a new view and keep that view every time you log in.

  • Bug fixes to improve performance.


  • Custom Automation Action Strings - Now it’s easier than ever to customize automation scripts to ensure more complete testing coverage of your app. There are times when our default script needs modification to navigate common mobile app screens. You can access custom automation strings in the Configure window to easily build a more complete UI script and enhance code coverage.

  • Vulnerability Summary Enhancements - To more quickly measure the security of your app, we’ve improved the vulnerability summary for each assessment. Now, vulnerabilities are sorted by High, Medium, and Low risk.

  • View App Certificate Information - Easily inspect certificates used by your app to make sure they’re up-to-date and valid. Any certificates in use by the app are displayed and include the type of key, number of bits, serial number, URL, and common name associated with each certificate.

  • Custom Field Support Now Included for JIRA Integration - Lab Automation allows users to integrate their results with common bug trackers like JIRA and GitHub. Now, users that integrate with JIRA can add custom fields before and after their assessment. These fields will then appear within every JIRA ticket.

  • Bug fixes to improve performance.


  • Bug fix related to Path Traversal not passing correctly

  • Fixed an issue where network connections were not displaying findings correctly


  • Bug fixes related to the UI

  • Updated findings for Path Traversal (ipc_issues)


  • Updated Report Layout - The Analysis Summary for each assessment can now be sorted by specific Sections for Issues: Artifact, Code, Network, etc. as well as the ability to show the full report via Show All.


  • Bug Fixes


  • Welcome Tour and Instant Trial - All users will now be invited to view a walkthrough of the user interface that explains key features and capabilities about NowSecure Auto. Users also have the ability to see pre-configured demo apps for iOS and Android as well as have the ability to upload their own apps.

  • Preflight Checks - After an app is uploaded, Preflight Check will test every application before installation on the device for proper file configuration, encryption, and file integrity.


  • File Validity and Encryption - Both of these conditions would previously cause an application to fail our security analysis.

  • Application Network Connections - Users can now view where their application data is being sent. This section includes IP, Domain, Organization and Location.

  • Automation and Testing Environment Improvements - Bugs have been fixed that previously caused UI automation assessments to fail. Testing environments for both iOS and Android have received stability improvements.


  • Sanitizing configuration input to notify the user when they’re entering configuration terms that would cause jobs to fail

  • Added a changelog to the UI under the pop-out menu. Any time an update is pushed to production all users will be notified in the bottom left corner of the application to check out the changelog

  • All pdf reports are now being generated using the browser print function. This will give users more reliability when trying to print or save pdf versions of our report.

  • We broke the /results endpoint :( it’s fixed now !!!


  • Four new security tests have been added to NowSecure Auto

  • AFNetworking Implementation (iOS) - This test checks the implementation setting of the AFNetworking library, which allows developers to add networking functionality into their applications. This vulnerability was patched as of version 2.5.2; however, if an older version is used, all SSL traffic can be intercepted and decrypted in a standard man-in-the-middle attack.

  • System Log Messages (iOS) - NowSecure Auto has executed the system logs artifact test on Android apps for a while and now the same test can be performed on iOS apps. Debug logs are designed to detect and correct flaws in an application. These logs can also leak sensitive information that may help an attacker create a more powerful attack. The system log messages detected in an app are also now displayed in the UI.

  • Increased search coverage (Android) - NowSecure Auto allows users to configure their tests to surface important search terms such as personal information, login credentials, GPS coordinates, payment information and more. Now, NowSecure Auto can surface search terms found within Local Application (/data/data/) files and on the SD Card.

  • Files Stored on SD Card (Android) - This check determines if files are stored at an external location. External storage, such as an SD card, lacks fine-tuned permissions, which allows any app to access and read files in external storage by default.

  • App Dashboard Updates - To help users quickly sort and filter a large volume of apps and assessments in the NowSecure Auto dashboard, we’ve added the ability to sort apps by upload date, app name, and package name.

  • Fixed an issue with JIRA integration where an informational finding would try to be posted to the JIRA project and NowSecure Auto would crash because of it


  • JIRA and Github Integration - Users can now configure their JIRA Projects and Github Repositories to be used with NowSecure Auto by specifying a specific JIRA Project or Github Repo inside of a specific application. Every time an analysis is run on that application, Issues will be created for every vulnerability that is found.

  • In-App Messaging - Every action a user takes is now confirmed with a toast message across the top of the application. These actions include (but are not limited to) application uploading, configuration saving, integration configuration, application and assessment limits, and clicking the run button incessantly.

  • App Dashboard Updates - Say goodbye to the bars and hello to the cards. We chose to update the App Dashboard to new and improved application cards. These allow more applications to be displayed on the dashboard and will eventually give us the ability to provide the user with much more “at a glance” application information.

  • Sidebar - The new and improved NowSecure Auto sidebar will now be the anchor for all navigation. Currently quite spartan, this will be where all navigation from within Lab will take place.

  • Search Updates - The app dashboard search actually works now. Seriously, give it a try.

  • 2 Minute Upload Timeout - We fixed a bug that was limiting all uploads to exactly 2 minutes. Users should no longer have issues uploading their favorite 200mb mobile app at the hipster coffee shop on the corner.

  • Content API Updates - Data is now encrypted at rest and requires authentication for downloads.


  • Added tests on iOS to check for when cookies are set as ‘secure’ or ‘httponly’

  • Stability updates to both iOS and Android Dynamic testing

  • Updates to the way that we sign applications on the iOS dynamic test devices

  • Fixed a bug that caused reports not to render correctly when data came back for the SQLite test that we perform


  • Fixed a bug that wouldn’t display reports from older apps when either static or dynamic results were missing.

  • Updated descriptions and regulatory mappings for some of the results


  • Users now have the ability to add any number of named search terms (CCN: 4147-2022-1237-8481) in the configuration section of an app. These search terms are treated and searched in the artifacts just like login credentials. If they are found, they will be shown in the Sensitive Data in transit results tables.

  • A fix for the XML issue with Android dynamic analysis that would keep the assessment from fully completing. This would cause some of the network issues to not be reported.


  • Multipass for iOS - This allows users to run each app multiple times to check for different levels of encryption over the network. The addition of multipass to iOS brings feature parity between iOS and Android rigs in regards to network testing.

  • Sensitive Data in Transit results have been split into four different results for both iOS and Android. These include Sensitive Data in transit (no encryption), Sensitive Data in transit (with encryption), Invalid TLS/SSL and TLS Traffic with sensitive data.


  • iOS Descriptions and Recommendations updated for the following sections: Application Metadata, Dynamic Log, Keychain SQLite

  • Regulatory Mappings: Each result in the report shows the relevant CWE, OWASP and NIAP (when applicable) regulations with links.

  • Persistent API Tokens: Users will no longer have to refresh their API token every 24 hours. They can now set it and forget it! Users also have the ability to revoke token access.

  • iOS Screenshots: When users upload iOS applications, they will now see screenshots of the analysis like the ones currently shown for Android.

  • Increased screen real estate for tables. Data is easier to view. Users can now select a cell in one of the tables and view the entire output.

  • Various stability fixes


  • Set the config upon upload. Now when you upload a binary you can set login credentials and a DSL script before uploading the application binary.

  • DSL script uploads. These allow the user to write a simple interaction script to navigate through the UI.

  • Screenshots are now present when the app is being run on the rig. This will allow you to see how far the UI Automator or DSL script got within the app.


  • Improved Login, Logout, and Begin Trial experience

  • New tables within the reports to improve how data is shown. You can now zoom in on larger portions of data and sort by column.

  • PDF Downloads are now being tracked in Intercom


  • Improved error handling

  • Bug Fixes

  • Ongoing Reporting Updates


  • iOS Dynamic analysis added to the production environment

  • Began improving reporting for iOS Dynamic analysis

  • Android Dynamic bug fixes and improvements

  • Multiple account support

  • Allowing the user to add login credentials/search terms via the API

  • New iOS Static tests with more accurate results

  • App icons and other relevant metadata for application uploads

  • App summary at the top of the report. This is the start to restructuring the report to provide the user with the best and most relevant information for their app assessments.

  • Single Sign On (SSO) allowing users to authenticate their accounts with Google Authenticator or Github

  • Completely restructured RESTful API with full documentation

  • New front end built in React

  • Status messages which provide updates to the web UI as tests are being run