Email Notifications - New sensitive data setting notifies group members a new alert is available, but requires users to sign into NowSecure AUTO to view alert details.
Unique vulnerability ID - Unique vulnerability ID available for JIRA which enables detection if a vuln reappears in later releases (API).
Preflight Checks - New app upload messages will provide context if an app fails to upload for the following reasons:
App Operating System Version Compatibility Update - During the app upload process, NowSecure AUTO will provide an alert if an app is not compatible with the iOS or Android operating systems available within the product.
Alert Email Digest Option - A new group policy setting is available which will provide email summaries of all alerts triggered within a chosen period of time.
App Changes Audit Log (API) - Organization, Group, User, Permission and Membership attributes are now available via API audit log.
Alert Notification Inbox - Alert menu has been added to left sidebar which displays individual alert notifications with time stamps received. Alerts are customized at group level and individual or all alerts may be turned off at anytime. End users may mark alerts as read to remove them from the Alerts inbox within AUTO.
App Configuration Alert - Setting now available to choose to receive an alert notification if an app configuration change occurs. Admins may choose for a group to receive the Alert via email, via Alert inbox within NowSecure AUTO, or both.
Configuration Audit Logs - API users can pull a log of app configuration changes.
New vuln email alerts - Adjust alert frequency and choose to receive a weekly summarization of alerts.
Date range for dashboard widgets - Drop down menu available to provide view of scoring or vulnerability trends within a selected date range.
App Upload Enhancements - Updated messaging, more detailed reasons provided when app upload fails.
Unique Vulnerability ID Enhancements (API User) - A new API endpoint is accessible that provides additional details regarding vulnerability history.
Email alert update to include more identifying information about the app and vulnerability score
Issue suppression ability restored for roles with appropriate permissions
Email Alerts - Configurable email alert notifications are available within the Account & Management section, under Groups tab. Alerts may be turned on or off as needed and group recipients and thresholds are editable allowing customization based on organizational requirements. Alert categories are as follows:
App Store Support - NowSecure AUTO now supports the ability to search and test apps published to Apple App Store and Google Play, enabling end users the flexibility to test apps during pre-production, after release, or during both times. The enhancement extends NowSecure AUTO features and functionality to app store apps, including:
Error Codes - Additional update provides more descriptive error codes should dynamic analysis fail to complete
Screenshots and status messages would occasionally be unable to render in real-time.
Github and Jira integrations were unable to be initialized.
Embedded URLs within Github and Jira issues now redirect to the proper report.
Reports are now updated as either static or dynamic testing completes.
UI enhancements have been added to the application configuration step.
Individual App-Level Overview - Individual app assessment summary including current status, history and trends over time to help better understand current app-level security posture and trends.
Individual App-Level History - Timeline view including high level details of each assessment is now available from the App-Level Overview page
Compliance Summary - Report summary now shows compliance summary of all findings within every assessment report, enabling users to locate compliance gaps before they snowball into regulatory issues.
New Jailbreak Detection Finding - Me thods of jailbreak detection(if any) are now shown in a context table attached to this finding.
UI enhancements addressed a few issues in the overall dashboard and app listing pages.
Issue fixed which was causing screenshots not to load within some assessments.
Invites sent to users would result in a screen that displays “Loading…” indefinitely. Invites now properly assign the correct permissions and grant the newly invited user the proper access.
When changing an application’s group, a “TypeError” was thrown. Although this had no effect on the actual group change, it was misleading to users, and has since been corrected.
New App Listing View - The Application Card view has been updated to show a linear listing of applications, allowing more information and functionality to be performed from this view. Applications can be re-run and re-configured directly, without having to first click into the app. Additional information is also now available such as latest App Score and score trend over time.
Archive App Enhancements - Archived applications are no longer counted in dashboard and finding level stats, and are separated out of the standard group sorting. To see an archived application, first ensure you have the proper RBAC permission and check the “Show Archived” box on the App Listing page.
App Portfolio Dashboard Enhancements - Sparklines have been added to the totals widget to show the trend over time.
Screenshots from the assessment were not showing up in the PDF reports, despite being included in the report configuration options.
The “Distribution of Application Risk” widget on the App Portfolio Dashboard wouldn’t respond correctly when being resized.
New App Portfolio Dashboard View - The new App Portfolio Dashboard provides an aggregate of mobile app assessment statistics, vulnerability risks, and scoring trends over time via table and graph views (a.k.a. widgets). Dashboard layout may be reorganized and additional customization options are available for applicable widgets, including the ability to sort by operating system or risk severity and to select only relevant compliance regimes. The new dashboard view is now the default home page for NowSecure AUTO using the left dashboard navigation icon. Additional details regarding the widgets included in this iteration are:
Archive App - Apps can now removed from app listing view and archived into separate group.
CVSS Score Update - Routine review and maintenance of CVSS Vector calculations to ensure most accurate results. Methodology viewable for API customers. The ability to view CVSS Vector Score methodology within NowSecure AUTO interface is coming soon.
New Findings Dashboard - The new Findings Dashboard is accessible via the Findings icon located on the left navigation toolbar, directly under Home. The dashboard provides an aggregate view of findings across app versions by vulnerability type over time. For example, you can now view all of your apps affected by a Man-in-the-Middle vulnerability and sort the view according to preference:
Select timeframes 1 week to 6 months of application history
Sortable columns such as:
In page filtering by vulnerability title e.g., “Man-in-the-Middle Attack”
RBAC update - Apps and their history can now be moved between groups.
The guided welcome tour would have a step that would appear off-screen, preventing the user from continuing.
Occasionally, after upload, the “Run” text would not be clickable, causing the user to click on the application card, and re-run the assessment from there.
Font Size We increased the font size from 12 to 13 for your viewing pleasure! :)
Screenshot Message Title Our screenshot messages now have titles.
JIRA Undefined Now we only show config sections after users fully authorize integrations.
Realtime Event Messages Some users experienced an issue where realtime event messages were not showing in correct order. We fixed this issue. Now as soon as we know about them, you will see them in the user interface
Messages Reporting FeatureUsers can now see realtime event messages, interaction logs, and screenshots that displayed during analysis. This information is shown in the Messages tab under the Report Summary.
Online and Offline Detection Our system can now better notify users of their connection status and remind users to intermittently refresh or reload their browser when using the cloud dashboard.
Duplicate Findings Duplicate findings will no longer be shown for Sensitive Data in Transit.
JIRA update Some users experienced an issue when JIRA was improperly configured. Now, JIRA initialization without an Input URL will not cause a “bad state issue.”
Blank Contact Fields Allowing Blank Contact Field(s) causes immediate dynamic test failure is functioning properly.
Improve Screenshot Timestamps Our UI automator, named Zed, got a new stopwatch, so he can now record screenshots during live analysis down to the second. Screenshots will now be recorded with more precision.
Screenshot Reporting Improvements Our team fixed a few minor bugs to improve screenshots recorded during live analysis. Previously, a small number of screenshots would not be recorded accurately or failed to record an image. We’ve fixed this flaw! Screenshots should now be in perfect order.
Fixed Heartbleed Check False Positive (iOS) Previously, the Heartbleed Check for iOS would intermittently surface a false positive. This issue is now fixed.
Logout Improvements Logging out of the application will also log you out of our Single Sign On (SSO) portal. Previously, logging out required multiple windows.
Improved UI The cloud dashboard UI should be smoother than ever before!
Live Automation Improvements Our UI automator, named Zed, likes to give updates on activity while he’s performing a security assessment. He went to grammar school and now offers better live details and insights while he’s completing analysis for you!
Live Screenshots Now Available for iOS Zed got a new camera that allows him to share live screenshots while he’s completing iOS analysis. Previously, he could only show you screenshots after analysis was complete.
Screenshot Improvements We’ve improved the precision of the screenshot timeline view stored during security analysis.
Added Profile Screen with Account Details The Account window now includes a Profile screen with all of the details about each user’s account and their testing limits.
Improved App Sorting In previous versions of NowSecure Auto, the dashboard view would reset upon every login. We’ve changed the system settings that allow you to create a new view and keep that view every time you log in.
Bug fixes to improve performance.
Custom Automation Action Strings Now it’s easier than ever to customize automation scripts to ensure more complete testing coverage of your app. There are times when our default script needs modification to navigate common mobile app screens. You can access custom automation strings in the Configure window to easily build a more complete UI script and enhance code coverage.
Vulnerability Summary Enhancements To more quickly measure the security of your app, we’ve improved the vulnerability summary for each assessment. Now, vulnerabilities are sorted by High, Medium, and Low risk.
View App Certificate Information Easily inspect certificates used by your app to make sure they’re up-to-date and valid. Any certificates in use by the app are displayed and include the type of key, number of bits, serial number, URL, and common name associated with each certificate.
Custom Field Support Now Included for JIRA Integration Lab Automation allows users to integrate their results with common bug trackers like JIRA and GitHub. Now, users that integrate with JIRA can add custom fields before and after their assessment. These fields will then appear within every JIRA ticket.
Bug fixes to improve performance.
Bug fix related to Path Traversal not passing correctly
Fixed an issue where network connections were not displaying findings correctly
Bug fixes related to the UI
Updated findings for Path Traversal (ipc_issues)
Welcome Tour and Instant Trial All users will now be invited to view a walkthrough of the user interface that explains key features and capabilities about NowSecure Auto. Users also have the ability to see pre-configured demo apps for iOS and Android as well as have the ability to upload their own apps.
Preflight Checks After an app is uploaded, Preflight Check will test every application before installation on the device for proper file configuration, encryption, and file integrity.
File Validity and Encryption Both of these conditions would previously cause an application to fail our security analysis.
Application Network Connections Users can now view where their application data is being sent. This section includes IP, Domain, Organization and Location.
Automation and Testing Environment Improvements Bugs have been fixed that previously caused UI automation assessments to fail. Testing environments for both iOS and Android have received stability improvements.
Sanitizing configuration input to notify the user when they’re entering configuration terms that would cause jobs to fail
Added a changelog to the UI under the pop-out menu. Any time an update is pushed to production all users will be notified in the bottom left corner of the application to check out the changelog
All pdf reports are now being generated using the browser print function. This will give users more reliability when trying to print or save pdf versions of our report.
We broke the /results endpoint :( it’s fixed now !!!
Four new security tests have been added to NowSecure Auto
AFNetworking Implementation (iOS) This test checks the implementation setting of the AFNetworking library, which allows developers to add networking functionality into their applications. This vulnerability was patched as of version 2.5.2, however, if an older version is used, all SSL traffic can be intercepted and decrypted in a standard man in the middle attack
System Log Messages (iOS) NowSecure Auto has executed the system logs artifact test on Android apps for a while and now the same test can be performed on iOS apps. Debug logs are designed to detect and correct flaws in an application. These logs can also leak sensitive information that may help an attacker create a more powerful attack. The system log messages detected in an app are also now displayed in the UI.
Increased search coverage (Android) NowSecure Auto allows users configure their tests to surface important search terms such as personal information, login credentials, GPS coordinates, payment information and more. Now, NowSecure Auto can surface search terms found within Local Application (/data/data/) files and on the SD Card.
Files Stored on SD Card (Android) This check determines if files are stored at an external location. External storage, such as an SD card, lacks fine tuned permissions, which allows any app to access and read files in external storage by default.
App Dashboard Updates To help users quickly sort and filter a large volume of apps and assessments in the NowSecure Auto dashboard, we’ve added the ability to sort apps by upload date, app name, and package name.
Fixed an issue with JIRA integration where an informational finding would try to be posted to the JIRA project and NowSecure Auto would crash because of it
JIRA and Github Integration Users can now configure their JIRA Projects and Github Repositories to be used with NowSecure Auto by specifying a specific JIRA Project or Github Repo inside of a specific application. Every time an analysis is run on that application, Issues will be created for every vulnerability that is found.
In-App Messaging Every action a user takes is now confirmed with a toast message across the top of the application. These actions include (but are not limited to) application uploading, configuration saving, integration configuration, application and assessment limits, and clicking the run button incessantly.
App Dashboard Updates Say goodbye to the bars and hello to the cards. We chose to update the App Dashboard to new and improved application cards. These allow more applications to be displayed on the dashboard and will eventually give us the ability to provide the user with much more “at a glance” application information.
Sidebar The new and improved NowSecure Auto sidebar will now be the anchor for all navigation. Currently quite spartan, this will be where all navigation from within Lab will take place.
Search Updates The app dashboard search actually works now. Seriously, give it a try.
2 Minute Upload Timeout We fixed a bug that was limiting all uploads to exactly 2 minutes. Users should no longer have issues uploading their favorite 200mb mobile app at the hipster coffee shop on the corner.
Content API Updates Data is now encrypted at rest and requires authentication for downloads.
Added tests on iOS to check for when cookies are set as ‘secure’ or ‘httponly’
Stability updates to both iOS and Android Dynamic testing
Updates to the way that we sign applications on the iOS dynamic test devices
Fixed a bug that caused reports not to render correctly when data came back for the SQLite test that we perform
Fixed a bug that wouldn’t display reports from older apps when either static or dynamic results were missing.
Updated descriptions and regulatory mappings for some of the results
Users now have the ability to add any number of named search terms (CCN: 4147-2022-1237-8481) in the configuration section of an app. These search terms are treated and searched in the artifacts just like login credentials. If they are found, they will be shown in the Sensitive Data in transit results tables.
A fix for the XML issue with Android dynamic analysis that would keep the assessment from fully completing. This would cause some of the network issues to not be reported.
Multipass for iOS This allows users to run each app multiple times to check for different levels of encryption over the network. The addition of multipass to iOS brings feature parity between iOS and Android rigs in regards to network testing.
Sensitive Data in Transit results have been split into four different results for both iOS and Android. These include Sensitive Data in transit (no encryption), Sensitive Data in transit (with encryption), Invalid TLS/SSL and TLS Traffic with sensitive data.
iOS Descriptions and Recommendations updated for the following sections: Application Metadata, Dynamic Log, Keychain SQlite
Regulatory Mappings: Each result in the report shows the relevant CWE, OWASP and NIAP (when applicable) regulations with links.
Persistent API Tokens: Users will no longer have to refresh their API token every 24 hours. They can now set it and forget it! Users also have the ability to revoke token access.
iOS Screenshots: When users upload iOS applications, they will now see screenshots of the analysis like the ones currently shown for Android.
Increased screen real estate for tables. Data is easier to view. Users can now select a cell in one of the tables and view the entire output.
Various stability fixes
Set the config upon upload. Now when you upload a binary you can set login credentials and a DSL script before uploading the application binary.
DSL script uploads. These allow the user to write a simple interaction script to navigate through the UI.
Screenshots are now present when the app is being run on the rig. This will allow you to see how far the UI Automator or DSL script got within the app.
Improved Login, Logout, and Begin Trial experience
New tables within the reports to improve how data is shown. You can now zoom in on larger portions of data and sort by column.
PDF Downloads are now being tracked in Intercom
Improved error handling
Ongoing Reporting Updates
iOS Dynamic analysis added to the production environment
Began improving reporting for iOS Dynamic analysis
Android Dynamic bug fixes and improvements
Multiple account support
Allowing the user to add login credentials/search terms via the API
New iOS Static tests with more accurate results
App icons and other relevant metadata for application uploads
App summary at the top of the report. This is the start to restructuring the report to provide the user with the best and most relevant information for their app assessments.
Single Sign On (SSO) allowing users to authenticate their accounts with Google Authenticator or Github
Completely restructured RESTful API with full documentation
New front end built in React
Status messages which provide updates to the web UI as tests are being ran