Posts

πŸ” How to Use OWASP Dependency-Check for Android and iOS Projects

When developing mobile apps, it's crucial to keep third-party dependencies secure. OWASP Dependency-Check is an open-source tool that detects known vulnerabilities (CVEs) in software libraries. In this article, we'll explore how to use it for both Android and iOS projects and integrate it into a CI/CD pipeline such as Jenkins.

✅ What is OWASP Dependency-Check?
OWASP Dependency-Check is a Software Composition Analysis (SCA) tool. It scans your project's dependencies and checks them for known vulnerabilities using data from the National Vulnerability Database (NVD). Since the NVD moved to its 2.0 API, Dependency-Check needs an NVD API key (passed with --nvdApiKey) to download vulnerability data at a usable rate; request one from the NVD website before the first run.

🟢 Using OWASP Dependency-Check for Android
Android apps typically use Gradle, which means you can scan the .jar and .aar files from your build outputs.

🔧 Step-by-Step Guide
1️⃣ Install the Dependency-Check CLI
Download the latest release from GitHub:
👉 https://github.com/jeremylong/DependencyCheck/releases
If you're on macOS, you can also use Homebrew:
    brew install dependency-check
2️⃣ Run...

πŸ” How to Use TruffleHog to Secure Your Ionic App from Leaked Secrets

When developing a cross-platform Ionic app, one of the most overlooked but critical areas is security. Accidentally committing secrets like API keys or credentials into Git can lead to serious breaches. That's where TruffleHog comes in: a powerful, open-source tool that scans your code and Git history to detect secrets.

✅ Why Use TruffleHog?
- Detects hardcoded secrets with regex-based detectors plus entropy scanning (and, in v3, can verify whether a found credential is still live)
- Scans the entire Git history as well as the current working tree
- Integrates easily with CI/CD tools like Jenkins or GitHub Actions
- Helps you stay compliant and secure

🚀 Steps to Use TruffleHog in Your Ionic App
🧩 Step 1: Install TruffleHog
🟢 On macOS/Linux/Windows (using pip):
    pip install trufflehog
Note that the pip package is the legacy Python TruffleHog (v2), whose command line differs from the "trufflehog git ..." syntax used below. The current Go-based v3 is installed from the releases page at https://github.com/trufflesecurity/trufflehog, with brew install trufflehog on macOS, or run from the trufflesecurity/trufflehog Docker image.
Need Python first? Install it with:
    brew install python   # for macOS

🧪 Step 2: Scan Your Ionic Project Repo
Navigate to your Ionic project folder:
    cd your-ionic-app/
🔍 To scan the full Git history:
    trufflehog git file://. --json --report=trufflehog-report.jso...
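To make the "regex + entropy" claim concrete, here is a small scanner that works the way TruffleHog and Gitleaks do at their core: signature rules for well-known key formats, and a Shannon-entropy check for anything that looks like a random token. This is an added example, not TruffleHog's or the post's own code; the three rules, the 4.5-bit threshold and the environment.ts content are constructed for illustration (AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's documentation).

```python
"""Toy secret scanner: the regex + entropy approach TruffleHog and Gitleaks are built on."""
import math
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule match")

# Signature rules for well-known key formats. Assumed for this example; the real tools
# ship hundreds of detectors with far more specific patterns.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate tokens for the entropy check: 20+ characters from the base64/URL-safe alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64 is close to 6, hex can never exceed 4
    (16 symbols), and identifiers or English words typically sit around 3 to 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 4.5):
    """Return findings for one file's contents: signature hits first, then any
    remaining high-entropy tokens. The 4.5 threshold sits above the 4-bit ceiling
    of hex, so commit hashes and checksums are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched_spans = []
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                matched_spans.append(m.span())
                findings.append(Finding(lineno, rule, m.group(0)))
        for m in CANDIDATE.finditer(line):
            start, end = m.span()
            if any(start < e and s < end for s, e in matched_spans):
                continue  # already reported by a signature rule
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append(Finding(lineno, "high-entropy-string", m.group(0)))
    return findings


# Constructed sample of an Ionic environment file; the key values are made up
# (AKIAIOSFODNN7EXAMPLE is the example key from AWS's documentation).
SAMPLE_ENV_TS = """\
// environment.ts, constructed sample (not a real project file)
export const environment = {
  production: false,
  apiUrl: 'https://api.example.com/v1',
  buildId: 'ionic-build-2024-01-15',
  commit: 'b7e1c9f0a4d2386e5f1c0a9b7d4e2f8a1c3b5d7e',
  awsAccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  mapsKey: 'AIzaSyD9gXv2kQp7LmN3rT8wZ1Bc4E6fH0jK5uW',
};
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV_TS):
        # Report where and what kind, never the secret itself, so CI logs do not leak it.
        print(f"line {f.line}: {f.rule} ({len(f.match)} chars)")
```

Run on the sample, the AWS key is caught by its signature (line 7) and the maps key, for which no rule exists, is caught by entropy alone (line 8); the build id and the 40-character commit hash are not reported, which is exactly the false-positive trade-off the entropy threshold controls. Lowering it below 4 would start flagging every hash in the tree.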

πŸ” How to Use GitLeaks in an Ionic App to Detect Secrets

If you're building an Ionic app, keeping your codebase secure is essential. One powerful way to ensure that secrets like API keys, tokens, and passwords don't accidentally make it into version control is by using GitLeaks. GitLeaks is a fast, lightweight, open-source tool that scans your Git repository for hardcoded secrets. Being framework-agnostic, it works just as well on an Ionic app as on any other repository.

✅ Steps to Use GitLeaks in an Ionic App
🧩 1. Install GitLeaks
🟢 For macOS (using Homebrew):
    brew install gitleaks
🟠 For Windows/Linux:
Download the latest release from the GitLeaks GitHub page:
👉 https://github.com/gitleaks/gitleaks/releases
🐳 Or use Docker:
    docker run --rm -v $(pwd):/path zricethezav/gitleaks detect --source=/path

🧪 2. Run GitLeaks Manually on Your Ionic Project
Navigate to your Ionic app root folder and run:
    cd your-ionic-app/
    gitleaks detect --source . --report-path=gitleaks-report.json
By default "gitleaks detect" walks the repository's Git history; add --no-git to scan only the files on disk. The command exits with code 1 when it finds leaks, which is what lets a CI job fail on a finding.
✅ What it does:
Scans the current working directory for secrets...

πŸ” Information Security scanning tools for iOS mobile app with jenkins

Here's a detailed list of information security tools you can integrate into an iOS development pipeline using Jenkins, along with a sample Jenkins pipeline setup.

🔍 Security Tools for iOS with Jenkins Integration
✅ 1. Static Application Security Testing (SAST)
- MobSF (Mobile Security Framework): scans an IPA or the Swift/Objective-C source for vulnerabilities; CLI and REST API support make it easy to call from Jenkins. GitHub: MobSF
- SonarQube (with Swift rules): analyzes Swift and Objective-C for bugs, code smells, and security issues; requires SonarScanner for CLI integration and supports plugins for security rules (e.g., the OWASP Top 10).
- Fortify / Checkmarx (enterprise tools): provide deep source code scanning for iOS projects and can be integrated via the Jenkins CLI or pipeline plugins.

🔄 2. Software Composition Analysis (SCA)
- OWASP Dependency-Check: scans for known CVEs in dependencies. Works best with CocoaPods or Swift Package Manager (via manual configuration)...

πŸ” Information Security scanning tools for Android mobile app with jenkins

Integrating information security tools into an Android mobile app pipeline with Jenkins helps automate vulnerability detection, enforce security policies, and ensure secure builds. Here are some commonly used tools you can integrate into your Jenkins pipeline for Android app security:

🔍 1. Static Application Security Testing (SAST)
These tools analyze your source code or APK for security flaws without executing the app.
- MobSF (Mobile Security Framework): scans APKs for vulnerabilities, secrets, insecure permissions, etc.; Jenkins plugin/CLI support; can be self-hosted. GitHub: https://github.com/MobSF/Mobile-Security-Framework-MobSF
- SonarQube with security rules: can be configured with Android-specific security rules (e.g., OWASP); Jenkins integration through SonarScanner; detects code smells, vulnerabilities, and bugs.
- Checkmarx (paid): enterprise-grade SAST tool with Jenkins integration; scans Java/Kotlin/Gradle files for security is...
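The Dependency-Check, GitLeaks and Jenkins posts above all end at the same place: reports land on disk and the pipeline has to decide whether the build fails. This added example (not code from any of those posts or tools) is the gate step a Jenkins stage would run after the scanners: it reads a Gitleaks JSON report and a Dependency-Check JSON report and exits non-zero on any leak or any CVE at or above a chosen severity. Both embedded reports are constructed samples that only reproduce the fields the script reads (Gitleaks' RuleID/File/StartLine/Secret and Dependency-Check's dependencies[].vulnerabilities[] with name/severity/cvssv3); the library names and CVE identifiers in them are placeholders, not real advisories.

```python
"""CI gate: parse Gitleaks and Dependency-Check JSON reports and decide whether the build fails."""
import json
import sys

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed Gitleaks v8 report: a JSON list of findings. Only the fields read
# below are shown, and the values are made up.
GITLEAKS_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "src/environments/environment.ts",
     "StartLine": 7, "Commit": "9c1d0f3", "Secret": "AKIAIOSFODNN7EXAMPLE"},
    {"RuleID": "generic-api-key", "File": "www/assets/config.json",
     "StartLine": 3, "Commit": "", "Secret": "example-secret-value"},
])

# Constructed report shaped like Dependency-Check's JSON output
# (dependencies[].vulnerabilities[] with name/severity/cvssv3). Library names and
# CVE identifiers are placeholders, not real advisories.
DEPENDENCY_CHECK_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "example-net-1.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-00001", "severity": "CRITICAL",
                              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "example-json-2.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-00002", "severity": "MEDIUM",
                              "cvssv3": {"baseScore": 5.3}}]},
        {"fileName": "example-ui-3.0.aar"},  # no known CVEs: no "vulnerabilities" key
    ]
})


def gitleaks_findings(report_text: str):
    """(file, line, rule) per leak. An empty report is '[]'; tolerate an empty file too."""
    data = json.loads(report_text) if report_text.strip() else []
    return [(f["File"], f["StartLine"], f["RuleID"]) for f in data]


def dependency_check_violations(report_text: str, fail_on: str = "HIGH"):
    """(dependency, cve, severity) for every CVE at or above the fail_on severity."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    hits = []
    for dep in json.loads(report_text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            sev = vuln.get("severity", "").upper()
            if SEVERITY_RANK.get(sev, 0) >= threshold:
                hits.append((dep["fileName"], vuln["name"], sev))
    return hits


def gate(gitleaks_text: str, depcheck_text: str, fail_on: str = "HIGH"):
    """Return (passed, messages). Messages name file/line/rule and dependency/CVE only;
    the Secret field is deliberately never echoed, so the CI log cannot leak it."""
    messages = [f"secret in {path}:{line} ({rule})"
                for path, line, rule in gitleaks_findings(gitleaks_text)]
    messages += [f"vulnerable dependency {dep}: {cve} [{sev}]"
                 for dep, cve, sev in dependency_check_violations(depcheck_text, fail_on)]
    return (not messages, messages)


if __name__ == "__main__":
    # Usage: python ci_gate.py gitleaks-report.json dependency-check-report.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as g, open(sys.argv[2]) as d:
            passed, messages = gate(g.read(), d.read())
    else:  # no reports given: run on the constructed samples
        passed, messages = gate(GITLEAKS_REPORT, DEPENDENCY_CHECK_REPORT)
    for m in messages:
        print(m)
    sys.exit(0 if passed else 1)
```

In a Jenkinsfile this is one "sh" step after "gitleaks detect --report-path ..." and "dependency-check --format JSON ..."; the non-zero exit marks the stage failed. Gitleaks already exits 1 on leaks and Dependency-Check has --failOnCVSS for a score cut-off, so the script's value is in applying one policy to both reports and in logging findings without echoing the secret values that the Gitleaks report contains.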

🔒 How to Obfuscate an iOS Swift Project Using SwiftShield

Introduction
If you're developing an iOS app, you might want to protect your Swift code from reverse engineering. SwiftShield is a tool that helps obfuscate your code by renaming symbols such as class names, functions, and properties. Renaming raises the cost of reverse engineering but does not prevent it, and you need to keep the symbol map SwiftShield writes so that crash reports from obfuscated builds can still be symbolicated. In this guide, we'll walk through how to install SwiftShield, use it correctly, and troubleshoot common issues.

1. Installing SwiftShield
First, install SwiftShield using Homebrew:
    brew install rockbruno/tap/swiftshield
Project page: https://github.com/rockbruno/swiftshield
To check that the installation succeeded, run:
    swiftshield --help
If you see the list of available commands, SwiftShield is installed correctly.

2. Checking the SwiftShield Version
To verify the installed version, run:
    swiftshield version
If this command works, you're ready to move on.

3. Running SwiftShield for Obfuscation
Now, navigate to your Xcode project directory in the terminal and run:
    swiftshield obfuscate --project-file DemoApp.xcodeproj --scheme DemoApp
💡 Repl...

📱 Implementing the Google Play Integrity API for an Offline Android Mobile App

If your Android app is offline and doesn't have a backend, you can still use the Google Play Integrity API to check whether the app was installed from the Play Store and is running on a genuine device. However, since there's no server to verify the integrity token, you will only be able to check basic integrity locally. Keep in mind that the token is encrypted and signed: decoding it on the device means shipping the decryption and verification keys inside the app, where an attacker can extract them or patch around the check. An on-device check is a deterrent, not a trust boundary, and Google's guidance is to verify the verdict on a server.

✅ Steps to Use the Play Integrity API Without a Backend (Offline Mode)
1️⃣ Enable the Play Integrity API in the Google Play Console
Go to the Google Play Console. Select your app, then navigate to Setup → App Integrity. Enable the Play Integrity API. Save the license key (you won't need it for offline checks, but it's useful for future reference).

2️⃣ Add Dependencies
In your app-level build.gradle, add the Play Integrity dependency:
    dependencies {
        implementation 'com.google.android.play:integrity:1.3.0'
    }
Sync the project after adding the dependency.

3️⃣ Implement the Play Integrity API Locally in the Android App
Since you don't have a backend, you can directly verify the...