Introduction
Codifiedsecurity.com API documentation
Authentication
```shell
curl "https://api.codifiedsecurity.com/apps?apiKey=some-key"
```
Get your API key from the settings page and append the `?apiKey=<your api key>` argument to every request URL.
Apps
Get all apps
```shell
curl "https://api.codifiedsecurity.com/apps?apiKey=some-key"
```
The above command returns JSON structured like this:
```json
[
  {
    "package": "com.test.something",
    "platform": "android",
    "status": "completed",
    "lastScanDate": "2017-06-26T12:08:47.702Z",
    "problemCount": {
      "critical": 1,
      "severe": 2,
      "warning": 1
    },
    "appDetails": {
      "type": "android",
      "title": "com.test.something",
      "package": "com.test.something",
      "version": "1.0",
      "versionCode": 1,
      "developer": "Unknown",
      "logo": "https://storage.googleapis.com/codsec-staging-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
    },
    "failure": null,
    "grade": 80
  },
  {
    "package": "com.twitter.android",
    "platform": "android",
    "status": "completed",
    "lastScanDate": "2016-03-07T15:30:42.324Z",
    "problemCount": {
      "critical": 3,
      "severe": 31,
      "warning": 25
    },
    "appDetails": {
      "type": "android",
      "title": "Twitter",
      "package": "com.twitter.android",
      "version": "5.98.0",
      "versionCode": 5110036,
      "developer": "Twitter, Inc.",
      "developerAdditional": {
        "email": "[email protected]",
        "website": "https://support.twitter.com/articles/20169915"
      },
      "logo": "https://storage.googleapis.com/codsec-image-cache/52aa957810939037e010b01e0d15aac61f062641c3f3e17ef0916eaef43e7293.png"
    },
    "failure": null,
    "grade": 80
  }
]
```
This endpoint retrieves all apps that have been scanned.
HTTP Request
GET https://api.codifiedsecurity.com/apps?apiKey=<your api key>
Get list of scans for app
```shell
curl "https://api.codifiedsecurity.com/apps/android/com.test.something?apiKey=some-key"
```
The above command returns JSON structured like this:
```json
{
  "totalCount": 1,
  "results": [
    {
      "id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
      "status": "completed",
      "completed": "2017-06-26T12:08:47.702Z",
      "appDetails": {
        "type": "android",
        "title": "com.test.something",
        "package": "com.test.something",
        "version": "1.0",
        "versionCode": 1,
        "developer": "Unknown",
        "logo": "https://storage.googleapis.com/codsec-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
      },
      "problemCount": {
        "critical": 1,
        "severe": 2,
        "warning": 1
      },
      "grade": 80
    }
  ]
}
```
This endpoint retrieves the list of scans that have been performed for the given application.
HTTP Request
GET https://api.codifiedsecurity.com/apps/<platform>/<package>?apiKey=<your api key>
Scans
Get single scan
```shell
curl "https://api.codifiedsecurity.com/scans/73b05ac4-c13e-4141-a42a-afec248c2b52?apiKey=some-key"
```
The above command returns JSON structured like this:
```json
{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "type": "android",
  "scanDate": "2017-06-26T12:08:47.702Z",
  "status": "completed",
  "pdf": "https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": 1,
    "developer": "Unknown",
    "logo": "https://storage.googleapis.com/codsec-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
  },
  "platform": {
    "mono": false,
    "phonegap": false
  },
  "manifestData": {
    "appDetails": {
      "versionCode": 1,
      "versionName": "1.0",
      "platformBuildVersionCode": 25,
      "platformBuildVersionName": "7.1.1",
      "package": "com.test.something"
    },
    "sdk": {
      "minSdkVersion": "15",
      "maxSdkVersion": null,
      "targetSdkVersion": "25"
    }
  },
  "failure": null,
  "paid": true,
  "problems": [
    {
      "type": "android.manifest_issue.debugEnabled",
      "severity": "critical",
      "description": "Debug is enabled for the app [android:debuggable=true]",
      "longDescription": "The app has debugging enabled, this makes it easier for anyone who wants to reverse engineer the app to hook a debugger to it. Users will be able to dump a stack trace and access debugging helper classes.",
      "fix": null,
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": false,
      "hipaInfo": "",
      "owasp": false,
      "owaspInfo": "",
      "gdpr": false,
      "gdprInfo": "",
      "cweId": "215",
      "cweInfo": "The application contains debugging code that can expose sensitive information to untrusted parties.",
      "id": "881102f9b2a0aee95c2f1c21a74983f7784e8ec1",
      "new": true,
      "isIgnored": false
    },
    {
      "type": "android.code_issue.log",
      "severity": "severe",
      "description": "App logging.",
      "longDescription": "The Android OS allows other applications to read the Android log. It is therefore possible if sensitive data is logged other applications can read, store and transmit this data.",
      "fix": " Avoid logging sensitive information. ",
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": true,
      "hipaInfo": "Access Control Requirements",
      "owasp": true,
      "owaspInfo": "M4 Unintended Data Leakage\r\n",
      "gdpr": true,
      "gdprInfo": "App logging.\r\n\r\nThe app may be in breach of GDPR Article 25: data protection by design and by default.",
      "cweId": "532",
      "cweInfo": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
      "id": "7babc233de26ab19ead1b9c278128d5c434910ee",
      "classes": [
        {
          "class": "example/codified/new_version_test/MainActivity.java",
          "id": "ae437ddd3ea983e1514bae60accdd29b6554fe29",
          "lines": [
            {
              "lines": " super.onCreate(paramBundle);\n setContentView(2130968603);\n Log.d(\"test\", \"test\");\n }\n",
              "id": "0ddc5d8d8623928088591549d066fdbedb1ef264",
              "new": true
            }
          ],
          "new": true
        },
        {
          "class": "example/codified/new_version_test/Test.java",
          "id": "47a37b79167b9596a59685489d00dab0d587a196",
          "lines": [
            {
              "lines": " public Test()\n {\n Log.d(\"test\", \"test\");\n }\n",
              "id": "f35fb8a2a10bc1eefffb5c08ee8f23821a05eecb",
              "new": true
            }
          ],
          "new": true
        }
      ],
      "new": true,
      "isIgnored": false
    },
    {
      "type": "android.manifest_issue.backupEnabled",
      "severity": "severe",
      "description": "It is possible for application data to be backed up [android:allowBackup=true]",
      "longDescription": "This flag lets users backup your application data via ADB. Users who have enabled USB debugging will be able to copy application data off the device. ",
      "fix": null,
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": false,
      "hipaInfo": "",
      "owasp": false,
      "owaspInfo": "",
      "gdpr": false,
      "gdprInfo": "",
      "cweId": "538",
      "cweInfo": "The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.",
      "id": "5fdb6721eaf8b1285d151b2db08ce707ace2c979",
      "new": true,
      "isIgnored": false
    },
    {
      "type": "android.manifest_permission.INTERNET",
      "severity": "warning",
      "description": "android.permission.INTERNET : full Internet access",
      "longDescription": "Allows an application to create network sockets.",
      "fix": null,
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": false,
      "hipaInfo": "",
      "owasp": false,
      "owaspInfo": "",
      "gdpr": false,
      "gdprInfo": "",
      "cweId": "285",
      "cweInfo": "The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.",
      "id": "0e63caa65c113b873581ff3d87d32469beb56da8",
      "new": true,
      "isIgnored": false
    }
  ],
  "problemCount": {
    "critical": 1,
    "severe": 2,
    "warning": 1
  },
  "apis": {
    "stripe": false
  },
  "rules": ["pci", "hipaa", "gdpr", "owasp", "other"],
  "grade": 80
}
```
This endpoint retrieves a single scan result. `status` is one of the following:
- new: the application is waiting to be scanned.
- pendingVerification: the scan result is pending verification by a Codified Security member.
- completed: the application scan finished.
- failed: the application scan failed.
HTTP Request
GET https://api.codifiedsecurity.com/scans/<id>?apiKey=<your api key>
Query Parameters
Parameter | Description |
---|---|
ignoreThirdParty | If set, findings in configured third-party libraries are omitted from the result |
Submit new scan
```shell
curl -XPOST -F "file=@/home/user/some.apk" "https://api.codifiedsecurity.com/scan?apiKey=some-key"
```
The above command returns JSON structured like this:
```json
{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "status": "new"
}
```
This request submits a new scan and returns the id you poll for results.
HTTP Request
POST https://api.codifiedsecurity.com/scan?apiKey=<your api key>
The request must be a multipart HTTP request.
Request body
Parameter | Description |
---|---|
file | Either apk or ipa file to be scanned |
Query Parameters
Parameter | Description |
---|---|
dontStoreResult | If set, the result won't be stored |
Soft scan
```shell
curl -XPOST -F "file=@/home/user/some.apk" "https://api.codifiedsecurity.com/scan?apiKey=some-key&softscan=1"
```
The above command returns JSON structured like this:
```json
{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "status": "new"
}
```
Retrieve the scan results by the returned scan id:
```shell
curl "https://api.codifiedsecurity.com/scans/73b05ac4-c13e-4141-a42a-afec248c2b52?apiKey=some-key"
```
The above command returns JSON structured like this:
```json
{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "status": "completed",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": 1,
    "developer": "Unknown",
    "logo": "https://storage.googleapis.com/codsec-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
  },
  "problemCount": {
    "critical": 1,
    "severe": 2,
    "warning": 1
  },
  "failure": null,
  "grade": 80
}
```
Performs a scan but returns only the issue counts, not the individual problems.
HTTP Request
POST https://api.codifiedsecurity.com/scan?apiKey=<your api key>&softscan=1
The request must be a multipart HTTP request.
Request body
Parameter | Description |
---|---|
file | Either apk or ipa file to be scanned |
PDF report
```shell
curl "https://api.codifiedsecurity.com/scans/73b05ac4-c13e-4141-a42a-afec248c2b52?apiKey=some-key"
```
The above command returns a JSON response which contains a download link to the PDF report file (JSON trimmed for brevity):
```json
{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "type": "android",
  "scanDate": "2017-06-26T12:08:47.702Z",
  "status": "completed",
  "pdf": "https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52"
}
```
If new issues were found in the latest test, the PDF link has "/new" appended:
```json
{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "type": "android",
  "scanDate": "2017-06-26T12:08:47.702Z",
  "status": "completed",
  "pdf": "https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52/new"
}
```
PDF download links ending in "/new" contain only the vulnerabilities detected in the most recent scan. To get the PDF report containing all vulnerabilities, remove "/new" from the end of the link before running the steps below.
Retrieve the PDF report via the returned URL:
```shell
curl -H "Accept-Language: en" https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52 -o /home/user/Report.pdf
```
Downloads the PDF report file to the specified location. You can select the content language with an HTTP header; English and Korean ('en' and 'ko', respectively) are currently supported. The link to the PDF file is contained in the scan results.
HTTP Request
GET https://api.codifiedsecurity.com/result/pdf/<id1>/<id2>
Request headers
Parameter | Description |
---|---|
Accept-Language | Preferred language for the PDF content. Falls back to 'en' |
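A small client for the scan workflow above, added here as an example rather than code from Codified Security: it polls `GET /scans/<id>` until the status is terminal, applies the same per-severity thresholds the CLI section below describes, strips the "/new" suffix so the PDF covers every finding, and downloads the report with `Accept-Language`. It assumes you already hold a scan id from `POST /scan`, and that `ignoreThirdParty` is passed as `ignoreThirdParty=1` (the page does not state the value format).

```python
"""Poll a Codified Security scan, apply CLI-style thresholds and fetch the PDF."""
import json
import time
import urllib.request

API = "https://api.codifiedsecurity.com"
TERMINAL = {"completed", "failed"}  # statuses after which polling can stop


def scan_url(scan_id, api_key, ignore_third_party=False):
    # The key travels in the query string, so it lands in proxy and server logs.
    url = f"{API}/scans/{scan_id}?apiKey={api_key}"
    return url + "&ignoreThirdParty=1" if ignore_third_party else url  # value format assumed


def get_json(url):
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def wait_for_scan(scan_id, api_key, fetch=get_json, interval=10, timeout=1800):
    """Poll GET /scans/<id> until status is completed or failed (or we time out)."""
    deadline = time.monotonic() + timeout
    while True:
        scan = fetch(scan_url(scan_id, api_key))
        if scan["status"] in TERMINAL:
            return scan
        if time.monotonic() > deadline:
            raise TimeoutError(f"scan {scan_id} still {scan['status']}")
        time.sleep(interval)


def over_threshold(problem_count, critical=0, severe=0, warning=0):
    """Severities whose count exceeds its limit (same semantics as the CLI's -c/-s/-w)."""
    limits = {"critical": critical, "severe": severe, "warning": warning}
    return [sev for sev, limit in limits.items() if problem_count.get(sev, 0) > limit]


def full_report_url(scan):
    """Drop the '/new' suffix so the PDF lists every finding, not only new ones."""
    url = scan["pdf"]
    return url[: -len("/new")] if url.endswith("/new") else url


def download_report(url, path, language="en"):
    """Fetch the PDF; Accept-Language selects 'en' or 'ko' (server falls back to 'en')."""
    req = urllib.request.Request(url, headers={"Accept-Language": language})
    with urllib.request.urlopen(req) as resp, open(path, "wb") as out:
        out.write(resp.read())
```

In a pipeline, a non-empty result from `over_threshold` is the point to fail the build, mirroring the CLI's exit status 1.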
Errors
Error body example
```json
{
  "code" : "BadRequestError",
  "message" : "Phonegap isnt supported"
}
```
The Codified Security API uses the following error codes:
Error Code | Meaning |
---|---|
400 | Bad Request – Invalid arguments supplied |
401 | Unauthorized – Your API key is wrong |
404 | Not Found – Requested item could not be found |
405 | Method Not Allowed – You tried to execute an invalid method |
500 | Internal Server Error – We had a problem with our server. Try again later. |
503 | Service Unavailable – We're temporarily offline for maintenance. Please try again later. |
CLI
```shell
./codified-security-cli -p android -a 'your-api-key' -c 0 -s 3 -w 10 -i yourApp.apk
```
Output when the scan fails the thresholds:
```
Critical errors(2) above treshold
exit status 1
```
To see usage, run `./codified-security-cli -h`.
Exit status codes
Status code | Meaning |
---|---|
255 | Bad input values |
254 | Codified security service failure |
1 | App scan returned an error count above the threshold |