At Guardsquare, we’ve created an open-source Gradle plugin, published in the Gradle plugin repository, that simplifies integrating our developer-focused mobile application security testing (MAST) tool, AppSweep, into your Android project. The result? Automated security scans that shift security left and catch vulnerabilities earlier. Let’s take a deeper look at AppSweep, our AppSweep Gradle plugin, and how using the plugin can improve your mobile application’s security posture.
Integrating MAST with your Android project to shift left
Shifting mobile app security testing (MAST) earlier in an app’s development timeline helps developers find security issues in their app’s code and dependencies sooner. Using their MAST results, developers can resolve security vulnerabilities during the development process, rather than delaying the schedule or publishing an app with known security vulnerabilities.
While the benefits of MAST are clear, there’s considerable pressure for developers to meet deadlines and bring their app to market quickly. This pressure often leads developers to either push security to the end of the development lifecycle or completely neglect security considerations.
Manual vs. automation
In addition to the pressure of deadlines, there’s also the question of how best to integrate MAST. Mobile app security testing can be done manually, but this often places a larger burden on the developer’s shoulders, especially if they lack the skills to comprehensively test the app on their own.
Automating the process with a MAST solution eliminates the pressure of manual security scans and helps fill in developer skill gaps. Developers using automated MAST solutions are able to scan their apps earlier and identify security issues before they become pervasive concerns later in the development process.
At Guardsquare, we considered how best to help developers introduce and automate MAST. This led us to develop AppSweep and a plugin for Gradle.
What does AppSweep do?
We developed AppSweep as a free mobile application security testing tool. AppSweep helps developers find security issues in their mobile app quickly and offers actionable recommendations to fix the concerns based on internationally recognized security standards like OWASP. AppSweep automates the testing process, which allows developers to test early during development, effectively shifting security left.
Here are some other key AppSweep benefits:
- High confidence test results to eliminate the frustration of investigating false positives.
- Continuous security checks when integrated with your DevOps toolchain.
- Android APK and bundle (AAB) support to automate the scanning of Android applications.
- Android Archive (AAR) support to automate the scanning of Android libraries.
Guardsquare’s AppSweep plugin for Gradle
While AppSweep offers a free way for developers to access comprehensive scans for their mobile app projects, we wanted to make the integration process even easier for Android developers. The AppSweep plugin allows developers to easily integrate the rigorous security testing of AppSweep in their Android application or library projects. Once added, the plugin automates security testing and flags issues for developers to fix early on in the development process, which creates a more secure app.
As a non-disruptive addition to a developer’s existing processes, the plugin’s efficient addition of security scanning can help ensure that apps reach the finish line secured and on time — with minimal to zero additional load on developers.
Once you’ve created an API key in your AppSweep project settings, you can easily apply the AppSweep Gradle plugin with a few lines of code:
```groovy
plugins {
    // Keep your other plugins here
    id "com.guardsquare.appsweep" version "latest.release"
}
```
You’ll then need to put your API key in the APPSWEEP_API_KEY environment variable or in the `appsweep` block:
```groovy
appsweep {
    apiKey "gs_appsweep_SOME_API_KEY"
}
```
You can then initiate a scan by executing a Gradle task (where `<Variant>` is the specific variant that you want to scan, e.g. `Release`):

```shell
./gradlew uploadToAppSweep<Variant>
```
For more information, refer to the README on the project’s GitHub page.
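Because the `appsweep` block lives in a build file that is normally committed to version control, the following build.gradle fragment, added here as an illustration and not taken from the plugin’s README, keeps the key out of the script by resolving it from APPSWEEP_API_KEY or from a Gradle property stored outside the repository, with the hardcoded form left commented out for contrast. The `appsweepApiKey` property name, the Android application plugin line, and the fail-fast guard are assumptions of this example, not features of the AppSweep plugin.

```groovy
// build.gradle (app module). Added example; not Guardsquare's own code.
// Assumes the Gradle property `appsweepApiKey` may be defined in
// ~/.gradle/gradle.properties (outside the repo) or passed as -PappsweepApiKey=...
plugins {
    id "com.android.application"                      // assumed to be present already
    id "com.guardsquare.appsweep" version "latest.release"
}

// Weak: the key is committed to source control together with the build script.
// appsweep {
//     apiKey "gs_appsweep_SOME_API_KEY"
// }

// Preferred: resolve the key lazily from locations that are not part of the repository.
// The environment variable wins; the out-of-repo Gradle property is the fallback.
def resolvedKey = providers.environmentVariable("APPSWEEP_API_KEY")
        .orElse(providers.gradleProperty("appsweepApiKey"))

appsweep {
    // Only configure the block when a key was actually found, so nothing
    // placeholder-like is ever written into the build script.
    if (resolvedKey.isPresent()) {
        apiKey resolvedKey.get()
    }
}

// Fail fast with a clear message when an upload task is requested without a key,
// while leaving ordinary builds (assemble, test, ...) unaffected.
gradle.taskGraph.whenReady { graph ->
    def uploadRequested = graph.allTasks.any { it.name.startsWith("uploadToAppSweep") }
    if (uploadRequested && !resolvedKey.isPresent()) {
        throw new GradleException(
            "AppSweep API key missing: set APPSWEEP_API_KEY or the appsweepApiKey Gradle property")
    }
}
```

In CI, the same script works unchanged by exporting APPSWEEP_API_KEY from the pipeline’s secret store before running `./gradlew uploadToAppSweepRelease`.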
Conclusion: MAST is crucial and automation is key
When developers neglect mobile app security testing (MAST), they risk sending their apps to market with unresolved security vulnerabilities. These vulnerabilities can be exploited by threat actors to wreak havoc within the app: elevating privileges, stealing intellectual property, and pilfering user data. Implementing MAST can help flag these issues before the app goes to market, giving developers an opportunity to resolve and strengthen the security posture of their mobile app. MAST, however, works best when integrated early. Shifting left reduces the frustration of finding security issues later, when they’re more likely to be pervasive and require significant work to correct.
Without the right tools, MAST integration can feel clunky and slow. The AppSweep plugin for Gradle quickly and easily integrates with the build automation tool to automate application code security scans.
Ready to get started with the Gradle plugin? Access the plugin’s setup here
Executive Summary (TL;DR)
- Mobile app security testing (MAST) is a crucial, but often neglected part of the development process that helps developers find security vulnerabilities before the app goes to market.
- Using Guardsquare’s AppSweep Gradle plugin automates MAST and shifts security left. This enables developers to find security vulnerabilities before they become pervasive, delay the app’s release, or cause significant frustration.