Fortifying Android Builds with AppSweep
By Swagata Acharyya
For any mobile app, security is one of the most important things to consider. Among other tools, we evaluated Guardsquare's AppSweep for our Android and iOS apps. In this article I will briefly cover the capabilities we observed in AppSweep and how to integrate it into an app pipeline, focusing on Android.
Brief about AppSweep
AppSweep is a Mobile Application Security Testing (MAST) tool developed by Guardsquare. It is free to use and helps developers identify and fix security issues in their mobile apps. It applies static and dynamic analysis to a built app (the uploaded apk, aab or aar, not the source tree) to find security vulnerabilities, including violations of the OWASP Mobile Application Security Verification Standard (MASVS), and produces detailed reports with actionable recommendations for fixing the identified issues.
Here are some of the key features of AppSweep:
- It can be used for both Android and iOS apps.
- It uses a variety of static and dynamic analysis techniques to scan apps for security vulnerabilities.
- It provides detailed security reports with actionable recommendations for fixing the identified issues.
- It is easy to use and integrates with popular IDEs like Android Studio.
Overall, AppSweep is a powerful and easy-to-use MAST tool that can help developers improve the security of their mobile apps.
Setting up Continuous Integration with AppSweep
We use GitLab as our source code repository, so the steps below are tailored to GitLab. The same or similar steps will work with other CI systems.
Step 1: Setup account, projects etc.
- Go to https://appsweep.guardsquare.com/ and create an account. You can sign up with GitHub or Google, or with your own email address.
- Once logged in, create a project. This is where you will upload the builds.
- Once the project is created, you are ready to upload builds and analyse them. At the time of writing, AppSweep for Android supports aab, aar, and apk files.
Step 2: Running AppSweep analysis via gradle
API Key:
To connect a GitLab project with AppSweep you need an API key. Each AppSweep project has its own key; you get it from the project → Settings → API keys.
This key authenticates the uploads from your build to the AppSweep project. Store it securely as soon as it is created: it is displayed in full only once, and after you navigate away from that screen it will never be shown in full again.
Note: this should go without saying, but treat the API key like any other credential. Anyone holding it can upload builds into your AppSweep project, so keep it in a secrets store or a masked CI variable, never in build.gradle or .gitlab-ci.yml.
build.gradle changes:
In the top-level build.gradle, include the Gradle plugin portal as a plugin repository if it is not already there (gradlePluginPortal() is the shorthand for the same repository and is the default for the plugins block, so many projects already have this):
maven {
    url 'https://plugins.gradle.org/m2/'
}
In the module-level build.gradle, first declare the plugin:
plugins {
    id "com.guardsquare.appsweep" version "latest.release"
}
latest.release resolves to whatever the newest published plugin version is at build time. That is convenient for a first try, but for reproducible builds, and so that a new plugin release is reviewed before it runs in your pipeline with your API key, pin a specific version and bump it deliberately.
Then configure the plugin with the API key generated earlier (we placed this block inside the android block of the module-level build.gradle):
appsweep {
    apiKey "YOUR_API_KEY"
}
Note: the appsweep block can be used to configure many other settings; refer to the AppSweep documentation for details. Do not commit a real key in place of the placeholder: build.gradle is versioned and readable by everyone with access to the repository. The CI job in Step 3 instead supplies the key through the APPSWEEP_API_KEY environment variable, which the plugin picks up without any key in build.gradle.
Once these changes are done, run the upload task with
./gradlew uploadToAppsweep{Flavor}{BuildType}
where Flavor is one of the product flavors defined in the app (omit it if the app defines none) and BuildType is Debug or Release, depending on which build you want to scan.
At this point you have an AppSweep project in the portal, connected through its API key to the app module that needs to be evaluated. Run the command above as a standalone step and the build is assembled and uploaded to AppSweep, where you can see the report.
Step 3: Connecting with GitLab pipeline
Once builds were uploading successfully, we wanted to go a step further: every merge request (pull request) should go through the security analysis, so that the code being merged has been checked for security issues before it lands.
To achieve this, we added a new stage in our gitlab-ci.yml
stages:
- build
- test
- sonar
- appsweep-security
The following job runs the security scan within the pipeline. The API key is not written into the file: it is provided as a masked, protected CI/CD variable named APPSWEEP_API_KEY (Settings → CI/CD → Variables), which the Gradle plugin reads from the environment.
appsweep_mr:
  stage: appsweep-security
  script:
    # APPSWEEP_API_KEY is a masked, protected CI/CD variable;
    # never put the literal key in this file.
    - ./gradlew uploadToAppsweepSecurityDebug
  allow_failure: true
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      changes:
        - '**/*'
This runs the appsweep_mr job every time a merge request is created or updated. Because AppSweep is an external service, we set allow_failure to true so that the pipeline is not broken by a failure to reach the AppSweep server. Be aware of the trade-off: with allow_failure set, the job cannot act as a merge gate, because a failed upload only shows up as a warning in the pipeline summary, and the findings themselves are reviewed in the AppSweep portal rather than in GitLab.
With this setup in place, as soon as a merge request is raised a build is uploaded to AppSweep and a scan is performed.
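Step 2 puts the API key into build.gradle and Step 3 needs it in the job environment, and both rely on the plugin version latest.release. The following pre-flight script is an added example for this post (ours, not part of AppSweep or the author's pipeline) that a CI job can run before the Gradle upload task: it fails the job if a literal key has been committed in build.gradle, if the plugin version is floating, or if APPSWEEP_API_KEY is missing from the environment. It assumes the plugins {} and appsweep { apiKey "..." } syntax shown above and that the plugin reads APPSWEEP_API_KEY from the environment, as the CI job above relies on; the two build.gradle fragments inside it are constructed samples, and the pinned version number in them is a placeholder.

```sh
#!/bin/sh
# appsweep_preflight.sh: guard rails to run in the CI job before
#   ./gradlew uploadToAppsweep<Flavor><BuildType>
# Added example for this post; not part of AppSweep or the author's pipeline.
# Assumptions (ours): the module-level build.gradle uses the plugins {} and
# appsweep { apiKey "..." } syntax from the post, and the AppSweep Gradle
# plugin reads the key from APPSWEEP_API_KEY, as the post's CI job relies on.

# 1. A real key committed as a literal in build.gradle is a leaked credential.
#    The post's placeholder YOUR_API_KEY is tolerated; anything else fails.
gradle_has_no_literal_key() {
    file="$1"
    if grep -E "^[[:space:]]*apiKey[[:space:]]+[\"'][^\"']+[\"']" "$file" \
            | grep -v 'YOUR_API_KEY' | grep -q .; then
        echo "ERROR: literal AppSweep API key committed in $file" >&2
        return 1
    fi
    return 0
}

# 2. version "latest.release" (or any '+' range) pulls whatever the plugin
#    portal serves on each build, which nobody has reviewed. Require a pin.
gradle_plugin_version_pinned() {
    file="$1"
    line=$(grep -E 'com\.guardsquare\.appsweep' "$file" | head -n 1)
    case "$line" in
        "")
            echo "ERROR: AppSweep plugin not declared in $file" >&2
            return 1 ;;
        *latest.release*|*+*)
            echo "ERROR: AppSweep plugin version floats in $file:$line" >&2
            return 1 ;;
    esac
    return 0
}

# 3. Refuse to run the upload without the key in the environment. In GitLab,
#    define APPSWEEP_API_KEY as a masked, protected CI/CD variable rather
#    than writing it into .gitlab-ci.yml.
api_key_present() {
    if [ -z "${APPSWEEP_API_KEY:-}" ]; then
        echo "ERROR: APPSWEEP_API_KEY is not set; refusing to upload" >&2
        return 1
    fi
    return 0
}

# All three must pass before Gradle is allowed to upload the build.
preflight() {
    gradle_has_no_literal_key "$1" \
        && gradle_plugin_version_pinned "$1" \
        && api_key_present
}

# Constructed sample build.gradle fragments (not from the author's repo).
sample_bad_gradle() {
    cat <<'EOF'
plugins {
    id "com.guardsquare.appsweep" version "latest.release"
}
appsweep {
    apiKey "gs_example_not_a_real_key"
}
EOF
}

sample_good_gradle() {
    cat <<'EOF'
plugins {
    id "com.guardsquare.appsweep" version "1.2.0"   // placeholder pinned version
}
// no appsweep { apiKey ... } block: the key comes from APPSWEEP_API_KEY in CI
EOF
}

# Demo: write both samples to a temp dir and run the preflight on each.
demo() {
    tmp=$(mktemp -d)
    sample_bad_gradle  > "$tmp/bad.gradle"
    sample_good_gradle > "$tmp/good.gradle"
    for f in "$tmp/bad.gradle" "$tmp/good.gradle"; do
        if preflight "$f"; then echo "PASS: $f"; else echo "FAIL: $f"; fi
    done
    rm -rf "$tmp"
}
demo
```

Run stand-alone, the script reports FAIL for the bad sample (literal key, floating version) and, unless APPSWEEP_API_KEY is exported in the shell, FAIL for the good sample too, with the reason on stderr. In the pipeline, source the file in the job script and call preflight app/build.gradle before the Gradle upload task; because the checks are local, they can stay fail-hard even when the upload job itself carries allow_failure.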
Conclusion
The ease of setting up the tool and the detailed, convenient report are what we liked about AppSweep. The whole integration was smooth and there was enough documentation to get through it.
Another nice aspect of AppSweep is that it scans aar files as well. In our case this was a great advantage: we use a micro-app strategy and our modules are bundled as libraries, so we could scan individual modules and then the entire app as a whole.
The improvement point we found is the interactive scan. The tool lets you run the app on a device while it captures data; however, we did not get a clear separation between the issues raised by the static scan and those raised by the interactive scan. This is not a necessity but would be a good feature to have.
For a free tool it is already loaded with features, especially for Android. The integration is quick and the results are immediately visible. Overall, a good tool for quick security analysis of Android mobile apps.
Further Reading:
Terminology Used:
- Static analysis: the tool examines the app's code (source, or compiled bytecode in the case of an uploaded apk, aab or aar) for security vulnerabilities without executing the app.
- Dynamic analysis: the tool examines the app while it is running and can identify vulnerabilities that are not visible from the code alone.
- Interactive analysis: developers interact with the app while it is being scanned, which can help to identify more complex vulnerabilities.