June 2017




  • Javascript Automation Scripts We are proud to announce that our system now accepts .js automation scripts! Our system now allows users to upload and run assessments using javascript automation scripts.

  • Font Size We increased the font size from 12 to 13 for your viewing pleasure! :)

  • Screenshot Message Title Our screenshot messages now have titles.


  • JIRA Undefined Now we only show config sections after users fully authorize integrations.

  • Realtime Event Messages Some users experienced an issue where realtime event messages were not showing in correct order. We fixed this issue. Now as soon as we know about them, you will see them in the user interface

April 2017




  • Messages Reporting FeatureUsers can now see realtime event messages, interaction logs, and screenshots that displayed during analysis. This information is shown in the Messages tab under the Report Summary.

  • Online and Offline Detection Our system can now better notify users of their connection status and remind users to intermittently refresh or reload their browser when using the cloud dashboard.


  • Duplicate Findings Duplicate findings will no longer be shown for Sensitive Data in Transit.

  • JIRA update Some users experienced an issue when JIRA was improperly configured. Now, JIRA initialization without an Input URL will not cause a “bad state issue.”

  • Blank Contact Fields Allowing Blank Contact Field(s) causes immediate dynamic test failure is functioning properly.


  • Improve Screenshot Timestamps Our UI automator, named Zed, got a new stopwatch, so he can now record screenshots during live analysis down to the second. Screenshots will now be recorded with more precision.

  • Screenshot Reporting Improvements Our team fixed a few minor bugs to improve screenshots recorded during live analysis. Previously, a small number of screenshots would not be recorded accurately or failed to record an image. We’ve fixed this flaw! Screenshots should now be in perfect order.

  • Fixed Heartbleed Check False Positive (iOS) Previously, the Heartbleed Check for iOS would intermittently surface a false positive. This issue is now fixed.

  • Logout Improvements Logging out of the application will also log you out of our Single Sign On (SSO) portal. Previously, logging out required multiple windows.

  • Improved UI The cloud dashboard UI should be smoother than ever before!

March 2017


  • Live Automation Improvements Our UI automator, named Zed, likes to give updates on activity while he’s performing a security assessment. He went to grammar school and now offers better live details and insights while he’s completing analysis for you!

  • Live Screenshots Now Available for iOS Zed got a new camera that allows him to share live screenshots while he’s completing iOS analysis. Previously, he could only show you screenshots after analysis was complete.

  • Screenshot Improvements We’ve improved the precision of the screenshot timeline view stored during security analysis.

  • Added Profile Screen with Account Details The Account window now includes a Profile screen with all of the details about each user’s account and their testing limits.

  • Improved App Sorting In previous versions of NowSecure Auto, the dashboard view would reset upon every login. We’ve changed the system settings that allow you to create a new view and keep that view every time you log in.

  • Bug fixes to improve performance.

February 2017


  • Custom Automation Action Strings Now it’s easier than ever to customize automation scripts to ensure more complete testing coverage of your app. There are times when our default script needs modification to navigate common mobile app screens. You can access custom automation strings in the Configure window to easily build a more complete UI script and enhance code coverage.

  • Vulernability Summary Enhancements To more quickly measure the security of your app, we’ve improved the vulnerability summary for each assessment. Now, vulnerabilities are sorted by High, Medium, and Low risk.

  • View App Certificate Information Easily inspect certificates used by your app to make sure they’re up-to-date and valid. Any certificates in use by the app are displayed and include the type of key, number of bits, serial number, URL, and common name associated with each certificate.

  • Custom Field Support Now Included for JIRA Integration Lab Automation allows users to integrate their results with common bug trackers like JIRA and GitHub. Now, users that integrate with JIRA can add custom fields before and after their assessment. These fields will then appear within every JIRA ticket.

  • Bug fixes to improve performance.

January 2017


v1.11.0 - v2.0.0
  • Bug fix related to Path Traversal not passing correctly.

  • Fixed an issue where network connections were not displaying findings correctly.


  • Bug fixes related to the UI.

  • Updated findings for Path Traversal (ipc_issues).

December 2016


  • Updated Report Layout The Analysis Summary for each assessment can now be sorted by specific Sections for Issues: Artifact, Code, Network, etc. as well as the ability to show the full report via Show All.


  • Bug Fixes

November 2016


  • Welcome Tour and Instant Trial All users will now be invited to view a walkthrough of the user interface that explains key features and capabilities about NowSecure Auto. Users also have the ability to see pre-configured demo apps for iOS and Android as well as have the ability to upload their own apps.

  • Preflight Checks After an app is uploaded, Preflight Check will test every application before installation on the device for proper file configuration, encryption, and file integrity.


  • File Validity and Encryption Both of these conditions would previously cause an application to fail our security analysis.

  • Application Network Connections Users can now view where their application data is being sent. This section includes IP, Domain, Organization and Location.

  • Automation and Testing Environment Improvements Bugs have been fixed that previously caused UI automation assessments to fail. Testing environments for both iOS and Android have received stability improvements.

October 2016


v1.6.0 - v1.6.1
  • Sanitizing configuration input to notify the user when they’re entering configuration terms that would cause jobs to fail

  • Added a changelog to the UI under the pop-out menu. Any time an update is pushed to production all users will be notified in the bottom left corner of the application to check out the changelog

  • All pdf reports are now being generated using the browser print function. This will give users more reliability when trying to print or save pdf versions of our report.

  • We broke the /results endpoint :( it’s fixed now !!!


  • Four new security tests have been added to NowSecure Auto

  • AFNetworking Implementation (iOS) This test checks the implementation setting of the AFNetworking library, which allows developers to add networking functionality into their applications. This vulnerability was patched as of version 2.5.2, however, if an older version is used, all SSL traffic can be intercepted and decrypted in a standard man in the middle attack

  • System Log Messages (iOS) NowSecure Auto has executed the system logs artifact test on Android apps for a while and now the same test can be performed on iOS apps. Debug logs are designed to detect and correct flaws in an application. These logs can also leak sensitive information that may help an attacker create a more powerful attack. The system log messages detected in an app are also now displayed in the UI.

  • Increased search coverage (Android) NowSecure Auto allows users configure their tests to surface important search terms such as personal information, login credentials, GPS coordinates, payment information and more. Now, NowSecure Auto can surface search terms found within Local Application (/data/data/) files and on the SD Card.

  • Files Stored on SD Card (Android) This check determines if files are stored at an external location. External storage, such as an SD card, lacks fine tuned permissions, which allows any app to access and read files in external storage by default.

  • App Dashboard Updates To help users quickly sort and filter a large volume of apps and assessments in the NowSecure Auto dashboard, we’ve added the ability to sort apps by upload date, app name, and package name.

  • Fixed an issue with JIRA integration where an informational finding would try to be posted to the JIRA project and NowSecure Auto would crash because of it

September 2016


  • JIRA and Github Integration Users can now configure their JIRA Projects and Github Repositories to be used with NowSecure Auto by specifying a specific JIRA Project or Github Repo inside of a specific application. Every time an analysis is run on that application, Issues will be created for every vulnerability that is found.

  • In-App Messaging Every action a user takes is now confirmed with a toast message across the top of the application. These actions include (but are not limited to) application uploading, configuration saving, integration configuration, application and assessment limits, and clicking the run button incessantly.

  • App Dashboard Updates Say goodbye to the bars and hello to the cards. We chose to update the App Dashboard to new and improved application cards. These allow more applications to be displayed on the dashboard and will eventually give us the ability to provide the user with much more “at a glance” application information.

  • Sidebar The new and improved NowSecure Auto sidebar will now be the anchor for all navigation. Currently quite spartan, this will be where all navigation from within Lab will take place.

  • Search Updates The app dashboard search actually works now. Seriously, give it a try.

  • 2 Minute Upload Timeout We fixed a bug that was limiting all uploads to exactly 2 minutes. Users should no longer have issues uploading their favorite 200mb mobile app at the hipster coffee shop on the corner.

  • Content API Updates Data is now encrypted at rest and requires authentication for downloads.

August 2016


  • Added tests on iOS to check for when cookies are set as ‘secure’ or ‘httponly’

  • Stability updates to both iOS and Android Dynamic testing

  • Updates to the way that we sign applications on the iOS dynamic test devices

  • Fixed a bug that caused reports not to render correctly when data came back for the SQLite test that we perform


July 2016


  • Fixed a bug that wouldn’t display reports from older apps when either static or dynamic results were missing.

  • Updated descriptions and regulatory mappings for some of the results


  • Users now have the ability to add any number of named search terms (CCN: 4147-2022-1237-8481) in the configuration section of an app. These search terms are treated and searched in the artifacts just like login credentials. If they are found, they will be shown in the Sensitive Data in transit results tables.

  • A fix for the XML issue with Android dynamic analysis that would keep the assessment from fully completing. This would cause some of the network issues to not be reported.


v1.3.0 - v1.3.1 - v1.3.2
  • Multipass for iOS This allows users to run each app multiple times to check for different levels of encryption over the network. The addition of multipass to iOS brings feature parity between iOS and Android rigs in regards to network testing.

  • Sensitive Data in Transit results have been split into four different results for both iOS and Android. These include Sensitive Data in transit (no encryption), Sensitive Data in transit (with encryption), Invalid TLS/SSL and TLS Traffic with sensitive data.

June 2016


  • iOS Descriptions and Recommendations updated for the following sections: Application Metadata, Dynamic Log, Keychain SQlite

  • Regulatory Mappings: Each result in the report shows the relevant CWE, OWASP and NIAP (when applicable) regulations with links.

  • Persistent API Tokens: Users will no longer have to refresh their API token every 24 hours. They can now set it and forget it! Users also have the ability to revoke token access.

  • iOS Screenshots: When users upload iOS applications, they will now see screenshots of the analysis like the ones currently shown for Android.

  • Increased screen real estate for tables. Data is easier to view. Users can now select a cell in one of the tables and view the entire output.

  • Various stability fixes

May 2016


  • Set the config upon upload. Now when you upload a binary you can set login credentials and a DSL script before uploading the application binary.

  • DSL script uploads. These allow the user to write a simple interaction script to navigate through the UI.

  • Screenshots are now present when the app is being run on the rig. This will allow you to see how far the UI Automator or DSL script got within the app.


v1.1.0 v1.1.1
  • Improved Login, Logout, and Begin Trial experience

  • New tables within the reports to improve how data is shown. You can now zoom in on larger portions of data and sort by column.

  • PDF Downloads are now being tracked in Intercom


  • Improved error handling

  • Bug Fixes

  • Ongoing Reporting Updates

April 2016


  • iOS Dynamic analysis added to the production environment

  • Began improving reporting for iOS Dynamic analysis

  • Android Dynamic bug fixes and improvements

  • Multiple account support

  • Allowing the user to add login credentials/search terms via the API

  • New iOS Static tests with more accurate results

  • App icons and other relevant metadata for application uploads

  • App summary at the top of the report. This is the start to restructuring the report to provide the user with the best and most relevant information for their app assessments.

  • Single Sign On (SSO) allowing users to authenticate their accounts with Google Authenticator or Github

  • Completely restructured RESTful API with full documentation

  • New front end built in React

  • Status messages which provide updates to the web UI as tests are being ran

March 2016


  • Integrated Intercom to support customers

  • Links in the report summary. You can now click on a test or finding in the report summary and it will jump to the relevant section of the assessment.

  • URLS are now counted instead of listed multiple times and shown in a collapsable view

  • Limits on the signup page have been corrected to show the default account limits of two apps for 14 days.

  • Miscellaneous bug fixes, copy changes, and formatting updates

February 2016

  • Trial accounts

  • Downloadable PDF reports

  • Improved report content

  • Layout and bug fixes

January 2016

  • Dynamic and Static reports have been unified into a single report

  • Current report now renders the unified report correctly for the most recently run assessment

  • Executive Summary has been added to the top of each assessment report. This shows a quick overview of all of the vulnerabilities that we test for and what the result of the test was.

  • Artifacts are now collapsable