iOS Apps Security scanners practical comparison

YevhSec1
5 min read · Feb 20, 2022


In this article, I tried to give an overview of which iOS app security scanners exist on the market, what capabilities they provide, and what vulnerabilities they can discover. Since new solutions and new vulnerable applications appear on the market regularly, this article will be updated over time. A separate article will be created for Android app security scanners.

Structure:

  1. Introduction
  2. Vulnerable applications
  3. iOS Security scanners solutions list
  4. Are iOS Security scanner solutions free?
  5. Solutions Plans
  6. Results of scanning vulnerable iOS apps with existing solutions
  7. Advantages and disadvantages
  8. Conclusion

Introduction

Some time ago, I found that there are many solutions on the market, but no comparison of how good they are and which security issues they can actually discover. I hope that after reading this article you will be able to decide which solution is best for you.

Vulnerable applications

I took the following vulnerable iOS applications:

1) DVIA-v2

2) iGoat-Swift

Note: A comparison based on real production applications, where the vulnerabilities were found and confirmed by manual investigation, would be better, but this is not possible for several reasons.

iOS Security scanners solutions list

  1. Ostorlab
  2. Oversecured
  3. Immuniweb
  4. Quixxi
  5. MobSF

Are iOS Security scanner solutions free?

Solutions Plans

Ostorlab

Oversecured

Immuniweb

Quixxi

MobSF

Open Source ;)

Scanning vulnerable iOS apps with existing solutions

DVIAv2 vulnerable application

Ostorlab full paid scan results for DVIAv2

Findings overview

What it looks like in the application:

PDF report: Unfortunately not available.

Oversecured full paid scan results for DVIAv2

Findings overview

What it looks like in the application:

PDF report: https://github.com/yevh/iOS-Security-Scanners/blob/main/iOS-Oversecured-DVIA-v2.pdf

Immuniweb community edition scan for DVIAv2

Findings overview

What it looks like in the application:

PDF report: https://github.com/yevh/iOS-Security-Scanners/blob/main/iOS-ImmuniWeb-DVIA-v2.pdf

Quixxi full paid scan for DVIAv2

Findings overview

What it looks like in the application:

PDF report: Unfortunately not available.

MobSF full scan DVIAv2

Findings overview

What it looks like in the application:

PDF report: https://github.com/yevh/iOS-Security-Scanners/blob/main/iOS-mobSF-DVIA-v2.pdf

iGoat-Swift vulnerable application

Ostorlab full paid scan results for iGoat-Swift

Findings overview

What it looks like in the application:

PDF report: Unfortunately not available.

Oversecured full paid scan results for iGoat-Swift

Findings overview

What it looks like in the application:

PDF report: https://github.com/yevh/iOS-Security-Scanners/blob/main/Oversecured_iGoat-Swift.pdf

Immuniweb community edition scan for iGoat-Swift

Findings overview

What it looks like in the application:

PDF report: https://github.com/yevh/iOS-Security-Scanners/blob/main/iOS-ImmuniWeb-iGoat.pdf

Quixxi full paid scan for iGoat-Swift

Findings overview

What it looks like in the application:

PDF report: Unfortunately not available.

MobSF full scan for iGoat-Swift

Findings overview

What it looks like in the application:

PDF report: https://github.com/yevh/iOS-Security-Scanners/blob/main/iOS-mobSF-iGoat-Swift.pdf

Advantages and disadvantages

Note: The advantages and disadvantages below are relative, i.e. each solution is judged against the others rather than against an absolute standard. It is clear that some security issues went undetected and that false positives were present.

Ostorlab

Oversecured

Immuniweb

Quixxi

MobSF

Conclusion

Of course, security scanners cannot replace manual investigation, but sometimes you still want to run a quick scan and get something back as an initial step. If you are looking for a free-only solution, you can choose between MobSF, Ostorlab Community Edition and ImmuniWeb Mobile Community Edition. If we are talking about paid scanners, I recommend choosing between Ostorlab and Oversecured.

Read more

Implementing Application Security on your project

DevSecOps — What Security Controls exist and when to implement them?

OSCP Preparation

Follow me and stay secure!

YevhSec1

MSc in Cyber Security, OSCP, eWPTXv2, CEH Master. Awarded by Apple, Trello, Paysera..