Wednesday 14 August 2013

A couple of words about licenses


If you have used our service, you may have seen a license alert reported as a bug. Why so?

Licenses are a few pages of text written in a confusing manner. Sometimes it is really hard to understand what you may and may not do with a third-party code snippet. To figure it out, you can use a license comparison matrix, several of which can be found on the net:

In other words, you have to know which licenses cover the third-party libraries you use in your app, and understand how those licenses affect your application and your distribution model.

To do this job for you, hackapp.com has two severity levels for license issues:
  • Info - we found that something in the application bundle is under license control,
  • Critical - something in your bundle is under a license that obliges you to keep your sources open.
If you are not concerned about your sources and are ready to share them with everyone on the net, then thank you, and you can ignore this alert :)
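As an added example of what such a check can look like (this is not HackApp's own code): the script below walks an unpacked bundle, identifies license notices by well-known phrases in their text and reports each as Critical or Info along the lines described above. The marker phrases, their mapping to the two severities and the bundle it scans are this example's own construction.

```python
"""Flag third-party license texts shipped inside an app bundle.

Added example, not HackApp's own code. It walks an unpacked bundle, finds
files that read as text, identifies the license family from a well-known
phrase in the text and reports each hit as Critical (a copyleft license that
obliges you to offer your own sources when you distribute the app) or Info
(any other license worth a look). The marker phrases, their mapping to
severities and the sample bundle are this example's own simplification.
"""
import os
import tempfile

# Checked in order: the LGPL and AGPL texts quote the GPL, so their more
# specific markers must be tried before the plain GPL marker. LGPL and MPL
# let you keep your own sources closed but carry conditions of their own
# (relinking, file-level copyleft), so they stay at Info for manual review.
LICENSE_MARKERS = [
    ("GNU LESSER GENERAL PUBLIC LICENSE", "LGPL", "Info"),
    ("GNU LIBRARY GENERAL PUBLIC LICENSE", "LGPL-2.0", "Info"),
    ("GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL", "Critical"),
    ("GNU GENERAL PUBLIC LICENSE", "GPL", "Critical"),
    ("MOZILLA PUBLIC LICENSE", "MPL", "Info"),
    ("APACHE LICENSE", "Apache", "Info"),
    ("PERMISSION IS HEREBY GRANTED, FREE OF CHARGE", "MIT", "Info"),
    ("REDISTRIBUTION AND USE IN SOURCE AND BINARY FORMS", "BSD", "Info"),
]
MAX_TEXT_BYTES = 512 * 1024   # license notices are small; skip anything larger


def identify_license(text):
    """Return (license name, severity) for the first marker found, else None."""
    haystack = text.upper()
    for marker, name, severity in LICENSE_MARKERS:
        if marker in haystack:
            return name, severity
    return None


def scan_bundle(root):
    """Return (severity, relative path, license) findings under `root`, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.getsize(path) > MAX_TEXT_BYTES:
                continue
            try:
                with open(path, encoding="utf-8") as fh:   # strict decode: binaries are skipped
                    text = fh.read()
            except UnicodeDecodeError:
                continue
            hit = identify_license(text)
            if hit:
                name, severity = hit
                findings.append((severity, os.path.relpath(path, root), name))
    return sorted(findings, key=lambda f: f[1])


def build_sample_bundle(root):
    """Write a constructed Payload/App.app tree with two license notices."""
    app = os.path.join(root, "Payload", "App.app")
    os.makedirs(os.path.join(app, "Frameworks", "SomeKit"))
    os.makedirs(os.path.join(app, "Resources"))
    with open(os.path.join(app, "Frameworks", "SomeKit", "LICENSE"), "w") as fh:
        fh.write("Copyright (c) 2013 Example\n\nPermission is hereby granted, free of charge, "
                 "to any person obtaining a copy of this software...\n")
    with open(os.path.join(app, "Resources", "COPYING"), "w") as fh:
        fh.write("GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n\n"
                 "This program is free software: you can redistribute it and/or modify it...\n")
    with open(os.path.join(app, "Info.plist"), "w") as fh:
        fh.write("<plist/>\n")
    with open(os.path.join(app, "App"), "wb") as fh:   # fake Mach-O header: not text, so skipped
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
    return app


def demo():
    """Build the sample bundle in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        findings = scan_bundle(tmp)
    for severity, path, name in findings:
        print(f"[{severity}] {path}: {name}")
    return findings


if __name__ == "__main__":
    demo()
```

Running it prints one Info line for the MIT notice and one Critical line for the GPL notice; the compiled binary and Info.plist produce nothing. License strings compiled into a Mach-O binary are not seen by this text-only pass, so a real check would also run the same markers over the binary's printable strings.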

Monday 5 August 2013

New Checks and Features!

Friends, while (we hope) you were resting over the weekend, we were implementing brilliant new features and checks for the HackApp engine!

Version Control System Disclosure

Most developers use version control systems, but not all of them strip the metadata, such as repository addresses and credentials, before shipping a build. According to OWASP this is a serious information disclosure. We now have a dedicated check for version control system disclosure:
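An added example of how such a check can be implemented (this is not HackApp's own code): it walks an unpacked bundle for the working-copy directories the common tools leave behind, parses .git/config for remote addresses, and escalates remotes whose URL embeds a user name or password. The bundle layout and the repository URL it finds are constructed inline.

```python
"""Check an unpacked app bundle for shipped version-control metadata.

Added example, not HackApp's own code. It flags the working-copy directories
the common tools leave behind (.git, .svn, .hg, .bzr) and, for Git, reads
.git/config to report remote repository addresses and any credentials
embedded in them. The bundle layout and the sample repository URL are
constructed for this example.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit, urlunsplit

VCS_DIRS = {".git", ".svn", ".hg", ".bzr"}   # should never ship inside a release bundle

REMOTE_SECTION_RE = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
ANY_SECTION_RE = re.compile(r'^\s*\[')
URL_RE = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')


def scan_bundle(root):
    """Walk `root` and return (severity, relative path, message) findings."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in sorted(dirnames):
            if name not in VCS_DIRS:
                continue
            vcs_dir = os.path.join(dirpath, name)
            rel = os.path.relpath(vcs_dir, root)
            findings.append(("Info", rel, f"{name} working-copy metadata is shipped in the bundle"))
            if name == ".git":
                findings.extend(git_remote_findings(os.path.join(vcs_dir, "config"), rel))
            dirnames.remove(name)  # no need to descend into the VCS directory itself
    return findings


def git_remote_findings(config_path, rel):
    """Parse the [remote "..."] sections of a .git/config file.

    Remotes whose URL carries a user name or password are Critical: they hand
    credentials to anyone who unzips the .ipa. Other remotes are Info: they
    still reveal where the vendor keeps its source.
    """
    out = []
    if not os.path.isfile(config_path):
        return out
    remote = None
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = REMOTE_SECTION_RE.match(line)
            if m:
                remote = m.group(1)
                continue
            if ANY_SECTION_RE.match(line):
                remote = None        # entered a non-remote section such as [core]
                continue
            m = URL_RE.match(line)
            if not (m and remote):
                continue
            url = m.group(1)
            parts = urlsplit(url)
            # scp-style addresses (git@host:org/repo.git) have no scheme, so
            # urlsplit yields no username for them; only real URLs can carry
            # user:password@ in the authority part.
            if parts.username or parts.password:
                host = parts.hostname or ""
                if parts.port:
                    host = f"{host}:{parts.port}"
                # Report the remote without echoing the secret into the report.
                safe_url = urlunsplit(parts._replace(netloc=host))
                out.append(("Critical", f"{rel}/config",
                            f"remote '{remote}' embeds credentials for {safe_url}"))
            else:
                out.append(("Info", f"{rel}/config", f"remote '{remote}' -> {url}"))
    return out


def build_sample_bundle(root):
    """Create a constructed Payload/App.app layout containing leaked VCS data."""
    app = os.path.join(root, "Payload", "App.app")
    os.makedirs(os.path.join(app, ".git"))
    os.makedirs(os.path.join(app, "Resources", ".svn"))
    with open(os.path.join(app, "Info.plist"), "w") as fh:
        fh.write("<plist/>\n")
    with open(os.path.join(app, ".git", "config"), "w") as fh:
        fh.write('[core]\n\trepositoryformatversion = 0\n'
                 '[remote "origin"]\n'
                 '\turl = https://deploy:hunter2@git.example.com/acme/app.git\n'
                 '\tfetch = +refs/heads/*:refs/remotes/origin/*\n'
                 '[remote "mirror"]\n'
                 '\turl = git@github.com:acme/app.git\n')
    with open(os.path.join(app, "Resources", ".svn", "entries"), "w") as fh:
        fh.write("12\n")
    return app


def demo():
    """Build the sample bundle in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        findings = scan_bundle(tmp)
    for severity, path, msg in findings:
        print(f"[{severity}] {path}: {msg}")
    return findings


if __name__ == "__main__":
    demo()
```

The constructed bundle yields four findings: the .git directory itself, a Critical for the 'origin' remote (reported with the password stripped from the URL), an Info for the scp-style 'mirror' remote, and an Info for the stray .svn directory under Resources. The password never reaches the report text, which matters when reports are shared, as with the 'Share' button described below.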

'Share' and 'Hide empty' buttons

We have also added two useful interface features. The 'Hide empty' button hides all reports that do not contain any bugs, which is handy when you have a lot of reports:


The 'Share' button makes a report available to everyone on the net:


Here is an example. You are very welcome to share such links wherever they can be useful :)

Friday 2 August 2013

What is HackApp?

HackApp is a web-based service for static security analysis of mobile apps. It identifies critical and suspicious information in a bundle, such as:
  • Certificates and keys,
  • Authentication secrets,
  • License control,
  • Compilation flaws.
What HackApp is not:
  • A tool for software piracy,
  • An antivirus system.
The main goal is to find information disclosures that can be used in attacks against the app's users or the vendor's infrastructure.

How to use it?
First, sign in using your Twitter or LinkedIn account:



Then you will see the dashboard, the home page for logged-in users:


- Here you can add apps by clicking the "Add app" button. To fetch an app directly from iTunes, use a link to the app's page, such as https://itunes.apple.com/cn/app/betaround/id553850953 (only free apps are supported). Alternatively, upload an *.ipa bundle.
- Then click 'Analyse'.
- HackApp downloads and analyses the app. This usually takes about 2-3 minutes.
- When the app's status changes to 'Completed', open the report by clicking the app's name:
Here you can see basic app info (version, DRM, etc.), browse the bundle as a directory tree and get information about the bugs found:



That's it, all you need to know to get started. If you find any bugs in our system, you can always report them to our Twitter: @hackappcom