Uploading XCUITest Bundles Using the DevOps API

The Mobile Security DevOps API can be used to upload XCUITest bundles. Data Theorem can use these bundles to perform a fully automated dynamic scan of the associated mobile app in your Data Theorem account, using the bundle’s test cases to drive our dynamic scanner.

Overview

Uploading an XCUITest bundle is a 2-step process:

  1. Make an API call to initialize the upload
  2. Upload a zip archive containing the UI Tests packaged in a .xctest bundle produced by Xcode (or xcodebuild), along with a few extra fields (discussed in detail below)

Note: For more detailed instructions on extracting .xctest bundles containing UI Tests, please refer to this guide.

Step 1 - Initialize the Upload

The upload process can be initialized by calling this method.

Authentication

Authentication is done by passing your organization’s Upload API key as part of the Authorization header:

Authorization: APIKey 1234567890abcdefgh

The Upload API key can be retrieved by users in the Data Theorem portal by navigating to https://www.securetheorem.com/devsecops/scancicd

See API Conventions – Authentication and Authorization for more information.

Request

POST /apis/mobile_security/devops/v1/upload_xcuitest_attachment_init

For example, this method can be called via curl using:

curl -X POST -H "Authorization: APIKey AAAABBBBCCCCAJ82/iNaIQ==" --data "" https://api.securetheorem.com/apis/mobile_security/devops/v1/upload_xcuitest_attachment_init

Response

{
"upload_url": "https://prod-dopinder-v2.securetheorem.com/_ah/upload/AMm[...]/"
}

The response contains the upload_url, to be used for uploading the zipped .xctest bundle. This URL will only be valid for 10 minutes.

Step 2 - Upload the Tests

After retrieving the upload_url, the zipped .xctest bundle should be sent as a standard multipart file upload, with the following arguments:

  • file: The zipped .xctest bundle.
  • release_type: the release type of the associated mobile app as set in your Data Theorem account, either APP_STORE or PRE_PROD.
  • bundle_id: the bundle id of the associated mobile app in your Data Theorem account.
  • version: the version of the app this UI Test bundle belongs to.

Authentication

Since the upload_url is unique for each upload, there is no need to authenticate with the Upload API Key.

Request

POST {upload_url}

The request must be a standard multipart file upload, with the zipped .xctest bundle in the file field.

For example, this method can be called via curl using:

curl -F file=@TestAppUITests.xctest.zip -F "bundle_id=com.yourcompany.TestApp" -F "version=2.5" -F "release_type=APP_STORE" https://prod-dopinder-v2.securetheorem.com/_ah/upload/Aewsadw[...]/

Note: Pay special attention to the @ character. It needs to be put in front of the file’s name for curl to upload the file.

Response

A successful upload returns a status code 200 and status text ok.

{
"session_id": "<session_id>",
"success": true
}

Errors are also JSON formatted.

{
"status": "invalid_attachment",
"session_id": "<session_id>"
}

Status/error code mapping

  • 200/ok: upload succeeded
  • 401/unauthorized: unauthorized (bad credentials or the URL may have expired)
  • 422/invalid_attachment: XCUITest attachment is not valid
  • 422/bad_zip_file: corrupted or malformed zip file
  • 500/error: internal server error
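
Both steps combined into one CI script, as an added example that is not Data Theorem's own client code. It uses only the Python standard library; the function names, the DT_UPLOAD_API_KEY environment variable, and the rule that upload_url must be HTTPS on a securetheorem.com host are assumptions made here, the last one based on the URLs shown above.

```python
import json, os, sys, uuid
import urllib.error, urllib.request
from urllib.parse import urlsplit

INIT_URL = "https://api.securetheorem.com/apis/mobile_security/devops/v1/upload_xcuitest_attachment_init"

def check_upload_url(url):
    # Assumed policy: only send the bundle to an HTTPS securetheorem.com host.
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not ("." + host).endswith(".securetheorem.com"):
        raise ValueError("unexpected upload_url scheme or host")
    return url

def build_multipart(fields, filename, data, boundary=None):
    boundary = boundary or uuid.uuid4().hex
    head = "".join(f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                   for k, v in fields.items())
    head += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
             f'filename="{filename}"\r\nContent-Type: application/zip\r\n\r\n')
    body = head.encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"

def init_upload(api_key):  # Step 1: the key travels only in the Authorization header
    req = urllib.request.Request(INIT_URL, data=b"", method="POST",
                                 headers={"Authorization": f"APIKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return check_upload_url(json.load(resp)["upload_url"])

def upload_bundle(upload_url, zip_path, bundle_id, version, release_type):
    # Step 2: no API key is sent; the upload_url itself authorizes the request.
    if release_type not in ("APP_STORE", "PRE_PROD"):
        raise ValueError("release_type must be APP_STORE or PRE_PROD")
    fields = {"bundle_id": bundle_id, "version": version, "release_type": release_type}
    with open(zip_path, "rb") as fh:
        body, ctype = build_multipart(fields, os.path.basename(zip_path), fh.read())
    req = urllib.request.Request(check_upload_url(upload_url), data=body,
                                 method="POST", headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=300) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 401 / 422 / 500 carry a JSON body
        return err.code, json.loads(err.read() or b"{}")

if __name__ == "__main__":
    # Key comes from the environment (assumed variable name), not from argv.
    key = os.environ["DT_UPLOAD_API_KEY"]
    status, reply = upload_bundle(init_upload(key), *sys.argv[1:5])
    print(status, reply.get("status", reply.get("success")))  # the URL is never logged
    sys.exit(0 if status == 200 else 1)
```

Run it as `python upload_xcuitest.py TestAppUITests.xctest.zip com.yourcompany.TestApp 2.5 APP_STORE` (the script filename is hypothetical); a non-zero exit code lets the CI job fail on any status other than 200.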