Mobile Apps Endpoints

These endpoints let you access information about the mobile apps registered with your organization’s Data Theorem account. They correspond to the apps that are displayed in the menu on the left-hand side of Data Theorem’s App Secure portal.

See the Introduction for an overview of the API and information relevant to all API operations.

List Mobile Apps

This endpoint provides a JSON object with two keys, mobile_apps and pagination_information. The mobile_apps key contains a summary of all apps registered within a Data Theorem customer’s account, while the pagination_information key provides cursor-based pagination details for the response.

In addition to the app and scan metadata, the JSON object contains links to other API resources related to the current resource, a link to the app on the customer-facing portal, and a link to the app on the app stores, if any.

The JSON object response can be filtered based on the following query parameters:

  • cursor - retrieve a paginated list of apps using the specified cursor.

  • platform - filters the list of apps by one of the following supported platform values:

    • ANDROID - A generic Android app or an Android app distributed through the Google Play Store
    • ANDROID_AMAZON - An Android app distributed through the Amazon App Store
    • ANDROID_OCULUS - An Android App distributed through the Oculus App Store
    • WINDOWS_PHONE - A Windows app
    • IOS - An iOS app
  • release_type - filters the list of apps by one of the following supported release type values:

    • APP_STORE
    • PRE_PROD
  • results_since - filters the list of apps based upon when they last had activity due to scans.

  • scan_status - filters the list of apps by the status of the app’s most recent scan. Supported statuses include:

    • NO_SCANS_INITIATED
    • SCAN_ONGOING
    • SCAN_COMPLETED
  • subscription - filters the list of apps by one or several of the following supported subscription level values:

    • APP_LOGIC
    • DYNAMIC
    • NO_SUBSCRIPTION
    • P1_ALERTS
    • STATIC
  • blocked_scan_reason - filters the list of mobile apps based on the reason as to why a scan may be blocked. The following values are supported:

    • NOT_BLOCKED - filters the list for mobile apps that do not have any blocked scans.
    • NO_CREDENTIALS - filters the list for mobile apps that have blocked scans due to missing or invalid dynamic scanning credentials.
    • CORRUPTED_APP_PACKAGE - filters the list for mobile apps that have blocked scans due to a corrupted app package e.g. ipa or apk.
    • OTHER - filters the list for mobile apps that have blocked scans due to a variety of other non-specific reasons depending on the app.
  • external_id - filters the list of mobile apps based on their external ID. An external ID is an arbitrary identifier you can give to a mobile app when you upload a build using the Upload API.

For the response, here are some details on the possible values that are returned from the API:

  • scan_status: Current state of the scan in question.
    • ONGOING
    • COMPLETED
  • portal_url:
    • A URL pointing to a web page in the Portal for this App
  • blocked_scan_reason:
    • NOT_BLOCKED
    • NO_CREDENTIALS
    • CORRUPTED_APP_PACKAGE
    • OTHER

The response may also include the following optional fields. They are included only when the relevant information is available, or under certain circumstances:

  • store_url:
    • App Store or Play Store URL
  • links:
    • Links to Mobile Apps, Security Findings and Security Finding Targets resources related to the App
  • external_id:
    • External App Identifier, present in Pre Prod Apps
  • scans_require_mapping_file:
    • If the App ever has a Mapping File uploaded, future App uploads will be required to also upload the Mapping File
  • is_enterprise_internal:
    • Whether the Pre Prod app is Enterprise
  • linked_app_store_mobile_app_id:
    • Parent App Store App ID, present in Pre Prod Apps
  • asset_tags:
    • List of Asset Tags

Sample Request

GET https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps

Sample Response

{
  "mobile_apps": [
    {
      "asset_tags": [
        {
          "id": "77c3a86f-67ff-474f-8089-8bbd5a30d4dc",
          "tag": "internal-id",
          "tag_id": "b5db707e-af18-4c61-9a45-88cb2a089688",
          "value": "12345678"
        },
        {
          "id": "0c546d60-8d92-4264-9266-065540094f2f",
          "tag": "another-tag",
          "tag_id": "8cc0c246-057e-4c15-9876-982ef97d52f0",
          "value": "another value"
        }
      ],
      "blocked_scan_reason": "NO_CREDENTIALS",
      "bundle_id": "com.test",
      "external_id": "MyApp-123-TestOrg", // optional
      "has_ci_cd_integration": false,
      "has_issue_tracker_integration": false,
      "has_trustkit_integration": true,
      "id": "123",
      "links": [
        {
          "href": "mobile_apps/123",
          "rel": "self",
          "type": "GET"
        },
        {
          "href": "security_findings?mobile_app_id=123",
          "rel": "security_findings",
          "type": "GET"
        },
        {
          "href": "security_finding_targets?mobile_app_id=123",
          "rel": "security_finding_targets",
          "type": "GET"
        }
      ],
      "minimum_sdk_version": "23", // optional
      "name": "Testabc",
      "platform": "ANDROID",
      "portal_url": "https://securetheorem.com/app/123/issues",
      "release_type": "PRE_PROD",
      "results_last_updated": "2016-11-02T19:25:16.664990-00:00",
      "scan_status": "SCAN_COMPLETED",
      "scan_status_date": "2016-11-02T19:25:16.664990-00:00", // optional
      "scanned_release_id": "2.3.4", // optional
      "scanned_version": "2.3.4", // optional
      "store_url": "https://play.google.com/foo", // optional
      "subscription": "DYNAMIC",
      "uuid": "12345678-abcd-ef12-3456-7890abcdef12", // Asset UUID for the mobile app within some of our newer APIs
      "last_seen_online_date": "2016-11-02T19:25:16.664990-00:00" // optional
    }
  ],
  "pagination_information": {
    "total_count": "1",
    "next_cursor": "kEgkIjrCzvdns0QISRmoRc35kaXNjb"
  }
}
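
Added example (not part of Data Theorem's documentation): following next_cursor across pages and grouping apps by blocked_scan_reason, so that apps whose scans are blocked stand out in an inventory run. The HTTP call is injected as fetch_json so the block runs offline on constructed pages; authentication is not covered on this page and is left to that function. The rule that a missing next_cursor marks the last page, the sample apps and the cursor value are assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

BASE = "https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps"

def iter_mobile_apps(fetch_json, **filters):
    """Yield apps from every page; fetch_json(url) must return the decoded body."""
    cursor, seen = None, set()
    while True:
        params = dict(filters, cursor=cursor) if cursor else dict(filters)
        page = fetch_json(BASE + ("?" + urlencode(params, doseq=True) if params else ""))
        yield from page["mobile_apps"]
        cursor = page["pagination_information"].get("next_cursor")
        if not cursor:          # assumption: no next_cursor means this was the last page
            return
        if cursor in seen:      # guard against a server handing back the same cursor
            raise RuntimeError("pagination cursor repeated: " + cursor)
        seen.add(cursor)

def blocked_scans(apps):
    """Group apps whose scans are blocked, keyed by blocked_scan_reason."""
    report = {}
    for app in apps:
        reason = app["blocked_scan_reason"]
        if reason != "NOT_BLOCKED":
            report.setdefault(reason, []).append((app["id"], app["name"]))
    return report

# Constructed two-page response, keyed by cursor (None = first request).
SAMPLE_PAGES = {
    None: {"mobile_apps": [
               {"id": "123", "name": "Testabc", "blocked_scan_reason": "NO_CREDENTIALS"},
               {"id": "124", "name": "Shop", "blocked_scan_reason": "NOT_BLOCKED"}],
           "pagination_information": {"total_count": "3",
                                      "next_cursor": "constructed-cursor-2"}},
    "constructed-cursor-2": {"mobile_apps": [
               {"id": "125", "name": "Wallet", "blocked_scan_reason": "CORRUPTED_APP_PACKAGE"}],
           "pagination_information": {"total_count": "3"}},
}

def sample_fetch(url):
    """Offline stand-in for an authenticated HTTP GET (hypothetical helper)."""
    query = parse_qs(urlsplit(url).query)
    return SAMPLE_PAGES[query.get("cursor", [None])[0]]

if __name__ == "__main__":
    print(blocked_scans(iter_mobile_apps(sample_fetch, release_type="PRE_PROD")))
```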

Get Mobile App

This endpoint returns a JSON object that contains a summary of a specific app within a Data Theorem customer’s account, specified by a mobile app id.

Sample Request

GET https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps/:id

Sample Response

{
  "asset_tags": [
    {
      "id": "77c3a86f-67ff-474f-8089-8bbd5a30d4dc",
      "tag": "internal-id",
      "tag_id": "b5db707e-af18-4c61-9a45-88cb2a089688",
      "value": "12345678"
    },
    {
      "id": "0c546d60-8d92-4264-9266-065540094f2f",
      "tag": "another-tag",
      "tag_id": "8cc0c246-057e-4c15-9876-982ef97d52f0",
      "value": "another value"
    }
  ],
  "blocked_scan_reason": "NO_CREDENTIALS",
  "bundle_id": "com.test",
  "external_id": "MyApp-123-TestOrg", // optional
  "has_ci_cd_integration": false,
  "has_issue_tracker_integration": false,
  "has_trustkit_integration": true,
  "id": "123",
  "links": [
    {
      "href": "mobile_apps/123",
      "rel": "self",
      "type": "GET"
    },
    {
      "href": "security_findings?mobile_app_id=123",
      "rel": "security_findings",
      "type": "GET"
    },
    {
      "href": "security_finding_targets?mobile_app_id=123",
      "rel": "security_finding_targets",
      "type": "GET"
    }
  ],
  "minimum_sdk_version": "23", // optional
  "name": "Testabc",
  "platform": "ANDROID",
  "portal_url": "https://securetheorem.com/app/123/issues",
  "release_type": "PRE_PROD",
  "results_last_updated": "2016-11-02T19:25:16.664990-00:00",
  "scan_status": "SCAN_COMPLETED",
  "scan_status_date": "2016-11-02T19:25:16.664990-00:00", // optional
  "scanned_release_id": "2.3.4", // optional
  "scanned_version": "2.3.4", // optional
  "store_url": "https://play.google.com/foo", // optional
  "subscription": "DYNAMIC",
  "uuid": "12345678-abcd-ef12-3456-7890abcdef12", // Asset UUID for the mobile app within some of our newer APIs
  "last_seen_online_date": "2016-11-02T19:25:16.664990-00:00" // optional
}

Patch Mobile App

This endpoint provides the ability to set an optional external_id field on a mobile app. The external_id field should represent your organization’s custom identifier for the app, if any, which may be different from the app id or app name provided by Data Theorem. The endpoint does not provide the ability to edit any other fields on an app.

Sample Request

PATCH https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps/:mobile_app_id

Sample Request Body

{"external_id": "MyApp-123-TestOrg"}

Sample Response

The response has the same structure as the response to a GET request for a particular mobile app, with the new external_id set.

Get Mobile Apps Subscription Stats

This endpoint provides a quick way to know how many apps are subscribed to each subscription level. The API key used to perform the request must have access to all mobile apps.

Sample Request

GET https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps/subscriptions

Sample Response

{
  "APP_LOGIC": 11,
  "DYNAMIC": 6,
  "NO_SUBSCRIPTION": 5,
  "P1_ALERTS": 8,
  "STATIC": 25
}

List Mobile Apps SDKs

This endpoint returns information about the SDKs found in a mobile app.

Sample Request

GET https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps/:id/sdks

Sample Response

{
  "sdks_in_mobile_apps": [
    {
      "id": "4567-005432",
      "sdk_id": "44d15a7a-e0b5-5a21-94b6-a61d5e427dc7",
      "mobile_app_id": "4567",
      "date_created": "2016-11-02T19:25:16.664990-00:00",
      "currently_present": true,
      "title": "FirebaseAnalytics",
      "description": "Insights on app usage.",
      "associated_domains": ["https://firebase.google.com"],
      "associated_security_finding_target_ids": ["001234", "56789"],
      "portal_url": "https://securetheorem.com/app/1234/sdks",
      "license_information": [
        {
          "detail": "Apache-2.0",
          "license": "APACHE"
        }
      ],
      "history": [
        {
          "date": "2020-04-01T19:25:16.664990-00:00",
          "present": false
        },
        {
          "date": "2020-03-23T19:25:16.664990-00:00",
          "present": true
        },
        {
          "date": "2020-02-13T19:25:16.664990-00:00",
          "present": true
        }
      ],
      "links": [
        {
          "href": "sdks_in_mobile_apps?mobile_app_id=4567&sdk_id=44d15a7a-e0b5-5a21-94b6-a61d5e427dc7",
          "rel": "self",
          "type": "GET"
        },
        {
          "href": "mobile_apps/4567",
          "rel": "mobile_app",
          "type": "GET"
        }
      ],
      "has_ios_privacy_manifest": true
    }
  ],
  "pagination_information": {
    "total_count": "1",
    "next_cursor": "kEgkIjrCzvdns0QISRmoRc35kaXNjby1vcmRlci03"
  }
}

Details on some of the fields:

  • has_ios_privacy_manifest
    • There is iOS Privacy Manifest data, retrievable through the GET endpoint below.

Get Mobile Apps SDK

This endpoint returns information about an SDK found in a mobile app. It may include iOS Privacy Manifest data depending on the platform the SDK was found in.

Sample Request

GET https://api.securetheorem.com/apis/mobile_security/results/v2/mobile_apps/:id/sdks/:id

Sample Response

{
  "id": "4567-005432",
  "sdk_id": "44d15a7a-e0b5-5a21-94b6-a61d5e427dc7",
  "mobile_app_id": "4567",
  "date_created": "2016-11-02T19:25:16.664990-00:00",
  "currently_present": true,
  "title": "FirebaseAnalytics",
  "description": "Insights on app usage.",
  "associated_domains": ["https://firebase.google.com"],
  "associated_security_finding_target_ids": ["001234", "56789"],
  "portal_url": "https://securetheorem.com/app/1234/sdks",
  "license_information": [
    {
      "detail": "Apache-2.0",
      "license": "APACHE"
    }
  ],
  "history": [
    {
      "date": "2020-04-01T19:25:16.664990-00:00",
      "present": false
    },
    {
      "date": "2020-03-23T19:25:16.664990-00:00",
      "present": true
    },
    {
      "date": "2020-02-13T19:25:16.664990-00:00",
      "present": true
    }
  ],
  "links": [
    {
      "href": "sdks_in_mobile_apps?mobile_app_id=4567&sdk_id=44d15a7a-e0b5-5a21-94b6-a61d5e427dc7",
      "rel": "self",
      "type": "GET"
    },
    {
      "href": "mobile_apps/4567",
      "rel": "mobile_app",
      "type": "GET"
    }
  ],
  "has_ios_privacy_manifest": true,
  "ios_privacy_manifest": {
    "is_manifest_required_by_apple": false,
    "is_manifest_included": true,
    "is_manifest_available": false,
    "sdk_manifest_as_json": "{\"NSPrivacyTracking\": false, \"NSPrivacyTrackingDomains\": [], \"NSPrivacyCollectedDataTypes\": [{\"NSPrivacyCollectedDataType\": \"NSPrivacyCollectedDataTypeOtherDiagnosticData\", \"NSPrivacyCollectedDataTypeLinked\": false, \"NSPrivacyCollectedDataTypeTracking\": false, \"NSPrivacyCollectedDataTypePurposes\": [\"NSPrivacyCollectedDataTypePurposeAnalytics\"]}], \"NSPrivacyAccessedAPITypes\": []}",
    "sdk_manifest_data_types": [
      {
        "data_type": "Unknown",
        "store_data_type": "Diagnostics",
        "data_type_icon_url": "https://prod-horizon.static.securetheorem.com/assets/images/icons/privacy/DIAGNOSTICS.svg"
      }
    ],
    "unreported_data_types": [
      {
        "data_type": "Location",
        "store_data_type": "Location",
        "data_type_icon_url": "https://prod-horizon.static.securetheorem.com/assets/images/icons/privacy/LOCATION.svg",
        "affected_components": [
          {
            "code_location": "_unnamed_function\n[MyClass getIdentifiers]",
            "rel": "security_finding_targets/001234",
            "security_finding_id": "102468",
            "security_finding_target_id": "001234"
          }
        ]
      }
    ]
  }
}

ios_privacy_manifest, when available, contains entries with the following details:

  • sdk_manifest_data_types and unreported_data_types
    • data_type - Data Type.
    • store_data_type - Data Type category name in the App Store/Play Store.
  • unreported_data_types
    • affected_components - List of related Findings and Targets.
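
Added example (not part of Data Theorem's documentation): comparing what an SDK's privacy manifest declares with the data types the response lists as unreported. sdk_manifest_as_json is a JSON document serialised into a string, so it has to be decoded a second time. The function name, the shape of the returned summary and the trimmed sample input are assumptions made for this sketch.

```python
import json

def audit_privacy_manifest(sdk):
    """Return declared vs. unreported data types for one SDK, or None if no manifest data."""
    manifest = sdk.get("ios_privacy_manifest")
    if not sdk.get("has_ios_privacy_manifest") or not manifest:
        return None
    # sdk_manifest_as_json is JSON serialised into a string, so it needs a second decode.
    raw = manifest.get("sdk_manifest_as_json")
    plist = json.loads(raw) if raw else {}
    declared = [d["NSPrivacyCollectedDataType"]
                for d in plist.get("NSPrivacyCollectedDataTypes", [])]
    unreported = []
    for entry in manifest.get("unreported_data_types", []):
        components = entry.get("affected_components", [])
        unreported.append({
            "data_type": entry["data_type"],
            "finding_ids": [c["security_finding_id"] for c in components],
            "target_ids": [c["security_finding_target_id"] for c in components],
        })
    return {
        "sdk": sdk["title"],
        "manifest_included": manifest.get("is_manifest_included"),
        "tracking": plist.get("NSPrivacyTracking"),
        "declared": declared,
        "unreported": unreported,
    }

# Constructed input: a trimmed copy of the sample response above.
SAMPLE_SDK = {
    "title": "FirebaseAnalytics",
    "has_ios_privacy_manifest": True,
    "ios_privacy_manifest": {
        "is_manifest_included": True,
        "sdk_manifest_as_json": '{"NSPrivacyTracking": false, "NSPrivacyCollectedDataTypes": '
                                '[{"NSPrivacyCollectedDataType": '
                                '"NSPrivacyCollectedDataTypeOtherDiagnosticData"}]}',
        "unreported_data_types": [{
            "data_type": "Location",
            "affected_components": [{"security_finding_id": "102468",
                                     "security_finding_target_id": "001234"}],
        }],
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_privacy_manifest(SAMPLE_SDK), indent=2))
```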