New Findings Dashboard - The new Findings Dashboard is accessible via the Findings icon located on the left navigation toolbar, directly under Home. The dashboard provides an aggregate view of findings across app versions by vulnerability type over time. For example, you can now view all of your apps affected by a Man-in-the-Middle vulnerability and sort the view according to preference:
Select timeframes 1 week to 6 months of application history
Sortable columns such as:
In page filtering by vulnerability title e.g., “Man-in-the-Middle Attack”
RBAC update - Apps and their history can now be moved between groups.
The guided welcome tour would have a step that would appear off-screen, preventing the user from continuing.
Occasionally, after upload, the “Run” text would not be clickable, causing the user to click on the application card, and re-run the assessment from there.
Font Size We increased the font size from 12 to 13 for your viewing pleasure! :)
Screenshot Message Title Our screenshot messages now have titles.
JIRA Undefined Now we only show config sections after users fully authorize integrations.
Realtime Event Messages Some users experienced an issue where realtime event messages were not showing in correct order. We fixed this issue. Now as soon as we know about them, you will see them in the user interface
Messages Reporting FeatureUsers can now see realtime event messages, interaction logs, and screenshots that displayed during analysis. This information is shown in the Messages tab under the Report Summary.
Online and Offline Detection Our system can now better notify users of their connection status and remind users to intermittently refresh or reload their browser when using the cloud dashboard.
Duplicate Findings Duplicate findings will no longer be shown for Sensitive Data in Transit.
JIRA update Some users experienced an issue when JIRA was improperly configured. Now, JIRA initialization without an Input URL will not cause a “bad state issue.”
Blank Contact Fields Allowing Blank Contact Field(s) causes immediate dynamic test failure is functioning properly.
Improve Screenshot Timestamps Our UI automator, named Zed, got a new stopwatch, so he can now record screenshots during live analysis down to the second. Screenshots will now be recorded with more precision.
Screenshot Reporting Improvements Our team fixed a few minor bugs to improve screenshots recorded during live analysis. Previously, a small number of screenshots would not be recorded accurately or failed to record an image. We’ve fixed this flaw! Screenshots should now be in perfect order.
Fixed Heartbleed Check False Positive (iOS) Previously, the Heartbleed Check for iOS would intermittently surface a false positive. This issue is now fixed.
Logout Improvements Logging out of the application will also log you out of our Single Sign On (SSO) portal. Previously, logging out required multiple windows.
Improved UI The cloud dashboard UI should be smoother than ever before!
Live Automation Improvements Our UI automator, named Zed, likes to give updates on activity while he’s performing a security assessment. He went to grammar school and now offers better live details and insights while he’s completing analysis for you!
Live Screenshots Now Available for iOS Zed got a new camera that allows him to share live screenshots while he’s completing iOS analysis. Previously, he could only show you screenshots after analysis was complete.
Screenshot Improvements We’ve improved the precision of the screenshot timeline view stored during security analysis.
Added Profile Screen with Account Details The Account window now includes a Profile screen with all of the details about each user’s account and their testing limits.
Improved App Sorting In previous versions of NowSecure Auto, the dashboard view would reset upon every login. We’ve changed the system settings that allow you to create a new view and keep that view every time you log in.
Bug fixes to improve performance.
Custom Automation Action Strings Now it’s easier than ever to customize automation scripts to ensure more complete testing coverage of your app. There are times when our default script needs modification to navigate common mobile app screens. You can access custom automation strings in the Configure window to easily build a more complete UI script and enhance code coverage.
Vulnerability Summary Enhancements To more quickly measure the security of your app, we’ve improved the vulnerability summary for each assessment. Now, vulnerabilities are sorted by High, Medium, and Low risk.
View App Certificate Information Easily inspect certificates used by your app to make sure they’re up-to-date and valid. Any certificates in use by the app are displayed and include the type of key, number of bits, serial number, URL, and common name associated with each certificate.
Custom Field Support Now Included for JIRA Integration Lab Automation allows users to integrate their results with common bug trackers like JIRA and GitHub. Now, users that integrate with JIRA can add custom fields before and after their assessment. These fields will then appear within every JIRA ticket.
Bug fixes to improve performance.
Bug fix related to Path Traversal not passing correctly
Fixed an issue where network connections were not displaying findings correctly
Bug fixes related to the UI
Updated findings for Path Traversal (ipc_issues)
Welcome Tour and Instant Trial All users will now be invited to view a walkthrough of the user interface that explains key features and capabilities about NowSecure Auto. Users also have the ability to see pre-configured demo apps for iOS and Android as well as have the ability to upload their own apps.
Preflight Checks After an app is uploaded, Preflight Check will test every application before installation on the device for proper file configuration, encryption, and file integrity.
File Validity and Encryption Both of these conditions would previously cause an application to fail our security analysis.
Application Network Connections Users can now view where their application data is being sent. This section includes IP, Domain, Organization and Location.
Automation and Testing Environment Improvements Bugs have been fixed that previously caused UI automation assessments to fail. Testing environments for both iOS and Android have received stability improvements.
Sanitizing configuration input to notify the user when they’re entering configuration terms that would cause jobs to fail
Added a changelog to the UI under the pop-out menu. Any time an update is pushed to production all users will be notified in the bottom left corner of the application to check out the changelog
All pdf reports are now being generated using the browser print function. This will give users more reliability when trying to print or save pdf versions of our report.
We broke the /results endpoint :( it’s fixed now !!!
Four new security tests have been added to NowSecure Auto
AFNetworking Implementation (iOS) This test checks the implementation setting of the AFNetworking library, which allows developers to add networking functionality into their applications. This vulnerability was patched as of version 2.5.2, however, if an older version is used, all SSL traffic can be intercepted and decrypted in a standard man in the middle attack
System Log Messages (iOS) NowSecure Auto has executed the system logs artifact test on Android apps for a while and now the same test can be performed on iOS apps. Debug logs are designed to detect and correct flaws in an application. These logs can also leak sensitive information that may help an attacker create a more powerful attack. The system log messages detected in an app are also now displayed in the UI.
Increased search coverage (Android) NowSecure Auto allows users configure their tests to surface important search terms such as personal information, login credentials, GPS coordinates, payment information and more. Now, NowSecure Auto can surface search terms found within Local Application (/data/data/) files and on the SD Card.
Files Stored on SD Card (Android) This check determines if files are stored at an external location. External storage, such as an SD card, lacks fine tuned permissions, which allows any app to access and read files in external storage by default.
App Dashboard Updates To help users quickly sort and filter a large volume of apps and assessments in the NowSecure Auto dashboard, we’ve added the ability to sort apps by upload date, app name, and package name.
Fixed an issue with JIRA integration where an informational finding would try to be posted to the JIRA project and NowSecure Auto would crash because of it
JIRA and Github Integration Users can now configure their JIRA Projects and Github Repositories to be used with NowSecure Auto by specifying a specific JIRA Project or Github Repo inside of a specific application. Every time an analysis is run on that application, Issues will be created for every vulnerability that is found.
In-App Messaging Every action a user takes is now confirmed with a toast message across the top of the application. These actions include (but are not limited to) application uploading, configuration saving, integration configuration, application and assessment limits, and clicking the run button incessantly.
App Dashboard Updates Say goodbye to the bars and hello to the cards. We chose to update the App Dashboard to new and improved application cards. These allow more applications to be displayed on the dashboard and will eventually give us the ability to provide the user with much more “at a glance” application information.
Sidebar The new and improved NowSecure Auto sidebar will now be the anchor for all navigation. Currently quite spartan, this will be where all navigation from within Lab will take place.
Search Updates The app dashboard search actually works now. Seriously, give it a try.
2 Minute Upload Timeout We fixed a bug that was limiting all uploads to exactly 2 minutes. Users should no longer have issues uploading their favorite 200mb mobile app at the hipster coffee shop on the corner.
Content API Updates Data is now encrypted at rest and requires authentication for downloads.
Added tests on iOS to check for when cookies are set as ‘secure’ or ‘httponly’
Stability updates to both iOS and Android Dynamic testing
Updates to the way that we sign applications on the iOS dynamic test devices
Fixed a bug that caused reports not to render correctly when data came back for the SQLite test that we perform
Fixed a bug that wouldn’t display reports from older apps when either static or dynamic results were missing.
Updated descriptions and regulatory mappings for some of the results
Users now have the ability to add any number of named search terms (CCN: 4147-2022-1237-8481) in the configuration section of an app. These search terms are treated and searched in the artifacts just like login credentials. If they are found, they will be shown in the Sensitive Data in transit results tables.
A fix for the XML issue with Android dynamic analysis that would keep the assessment from fully completing. This would cause some of the network issues to not be reported.
Multipass for iOS This allows users to run each app multiple times to check for different levels of encryption over the network. The addition of multipass to iOS brings feature parity between iOS and Android rigs in regards to network testing.
Sensitive Data in Transit results have been split into four different results for both iOS and Android. These include Sensitive Data in transit (no encryption), Sensitive Data in transit (with encryption), Invalid TLS/SSL and TLS Traffic with sensitive data.
iOS Descriptions and Recommendations updated for the following sections: Application Metadata, Dynamic Log, Keychain SQlite
Regulatory Mappings: Each result in the report shows the relevant CWE, OWASP and NIAP (when applicable) regulations with links.
Persistent API Tokens: Users will no longer have to refresh their API token every 24 hours. They can now set it and forget it! Users also have the ability to revoke token access.
iOS Screenshots: When users upload iOS applications, they will now see screenshots of the analysis like the ones currently shown for Android.
Increased screen real estate for tables. Data is easier to view. Users can now select a cell in one of the tables and view the entire output.
Various stability fixes
Set the config upon upload. Now when you upload a binary you can set login credentials and a DSL script before uploading the application binary.
DSL script uploads. These allow the user to write a simple interaction script to navigate through the UI.
Screenshots are now present when the app is being run on the rig. This will allow you to see how far the UI Automator or DSL script got within the app.
Improved Login, Logout, and Begin Trial experience
New tables within the reports to improve how data is shown. You can now zoom in on larger portions of data and sort by column.
PDF Downloads are now being tracked in Intercom
Improved error handling
Ongoing Reporting Updates
iOS Dynamic analysis added to the production environment
Began improving reporting for iOS Dynamic analysis
Android Dynamic bug fixes and improvements
Multiple account support
Allowing the user to add login credentials/search terms via the API
New iOS Static tests with more accurate results
App icons and other relevant metadata for application uploads
App summary at the top of the report. This is the start to restructuring the report to provide the user with the best and most relevant information for their app assessments.
Single Sign On (SSO) allowing users to authenticate their accounts with Google Authenticator or Github
Completely restructured RESTful API with full documentation
New front end built in React
Status messages which provide updates to the web UI as tests are being ran