
Introduction

Codifiedsecurity.com API documentation

Authentication

curl "https://api.codifiedsecurity.com/apps?apiKey=some-key"

Get your API key from the settings page and add ?apiKey=<your api key> to the URL of every request. Because the key travels in the query string, it ends up in shell history, proxy and web-server access logs and any tooling that records full URLs: load it from an environment variable or a secrets store rather than pasting it into scripts, and mask it before logging request URLs or errors.
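The following Python helper is added here as an example; it is not part of the Codified Security documentation or client code. It shows how the apiKey parameter is attached to every request URL built from the paths documented on this page, and how to keep the key out of logs and tracebacks. The CODIFIED_API_KEY environment variable name and the opener injection are this example's own choices.

```python
"""Minimal helper for calling the Codified Security API from Python.

Added example, not the service's own client. It attaches the apiKey query
parameter to every URL and masks the key before anything is logged or
raised. Endpoint paths are the ones documented on this page.
"""
import json
import os
import re
import urllib.parse
import urllib.request

BASE_URL = "https://api.codifiedsecurity.com"


def build_url(path, api_key, **params):
    """Return BASE_URL + path with apiKey (and any extra flags) in the query string."""
    query = {"apiKey": api_key}
    # Boolean flags such as ignoreThirdParty / dontWait / softscan are sent as "1" when set.
    query.update({k: ("1" if v is True else str(v))
                  for k, v in params.items() if v is not None and v is not False})
    return BASE_URL + path + "?" + urllib.parse.urlencode(query)


def redact_key(text):
    """Mask the apiKey value wherever a URL shows up in log lines or error messages."""
    return re.sub(r"(apiKey=)[^&\s\"']+", r"\1<redacted>", text)


def get_json(url, opener=urllib.request.urlopen):
    """GET url and decode the JSON body; the raw URL (with key) never escapes in an exception.

    'opener' is injectable so the function can be exercised offline.
    """
    try:
        with opener(url) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except Exception as exc:
        raise RuntimeError(f"request to {redact_key(url)} failed: {redact_key(str(exc))}") from None


if __name__ == "__main__":
    # Read the key from the environment instead of hard-coding it in scripts or CI config.
    # CODIFIED_API_KEY is this example's variable name, not one the service defines.
    key = os.environ.get("CODIFIED_API_KEY", "some-key")
    url = build_url("/apps", key)
    print("requesting", redact_key(url))
    # Live call (needs network and a valid key):
    # for app in get_json(url):
    #     print(app["platform"], app["package"], app["problemCount"])
```

The same build_url call produces every URL on this page: build_url("/scans/<id>", key, ignoreThirdParty=True) for a filtered scan result, build_url("/scan", key, softscan=True) for a soft scan.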

Apps

Get all apps

curl "https://api.codifiedsecurity.com/apps?apiKey=some-key"

The above command returns JSON structured like this:

[
  {
    "package": "com.test.something",
    "platform": "android",
    "problemCount": {
      "critical": 3,
      "severe": 3,
      "warning": 2
    },
    "appDetails": {
      "type": "android",
      "title": "com.test.something",
      "package": "com.test.something",
      "version": "1.0",
      "versionCode": "1",
      "developer": "Unknown",
      "logo": null
    },
    "lastScanDate": "2016-03-07T15:38:19.497Z"
  },
  {
    "package": "com.twitter.android",
    "platform": "android",
    "problemCount": {
      "critical": 3,
      "severe": 31,
      "warning": 25
    },
    "appDetails": {
      "type": "android",
      "title": "Twitter",
      "package": "com.twitter.android",
      "version": "5.98.0",
      "versionCode": 5110036,
      "developer": "Twitter, Inc.",
      "developerAdditional": {
        "email": "[email protected]",
        "website": "https://support.twitter.com/articles/20169915"
      },
      "logo": "https://storage.googleapis.com/codsec-image-cache/52aa957810939037e010b01e0d15aac61f062641c3f3e17ef0916eaef43e7293.png"
    },
    "lastScanDate": "2016-03-07T15:30:42.324Z"
  }
]

This endpoint retrieves all apps that have been scanned, each with its problemCount and lastScanDate.

HTTP Request

GET https://api.codifiedsecurity.com/apps?apiKey=<your api key>

Get list of scans for app

curl "https://api.codifiedsecurity.com/apps/android/com.test.something?apiKey=some-key"

The above command returns JSON structured like this:

{
  "totalCount": 1,
  "results": [
    {
      "id": "4105dcdf-fc48-4632-a173-36483e25a550",
      "appDetails": {
        "type": "android",
        "title": "com.test.something",
        "package": "com.test.something",
        "version": "1.0",
        "versionCode": "1",
        "developer": "Unknown",
        "logo": null
      },
      "problemCount": {
        "critical": 3,
        "severe": 3,
        "warning": 2
      },
      "completed": "2016-03-07T15:38:19.497Z"
    }
  ]
}

This endpoint retrieves the list of scans that have been performed for the given application, identified by platform and package name. Each entry's id can be passed to GET /scans/<id> to fetch the full result.

HTTP Request

GET https://api.codifiedsecurity.com/apps/<platform>/<package>?apiKey=<your api key>

Scans

Get single scan

curl "https://api.codifiedsecurity.com/scans/4105dcdf-fc48-4632-a173-36483e25a550?apiKey=some-key"

The above command returns JSON structured like this:

{
  "_id": "4105dcdf-fc48-4632-a173-36483e25a550",
  "typs": "android",
  "status": "completed",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": "1",
    "developer": "Unknown",
    "logo": null
  },
  "platform": {
    "mono": false
  },
  "manifestData": {
    "appDetails": {
      "versionCode": 1,
      "versionName": "1.0",
      "platformBuildVersionCode": 19,
      "platformBuildVersionName": "4.4.2-1456859",
      "package": "com.test.something"
    },
    "sdk": {
      "minSdkVersion": "16",
      "maxSdkVersion": null,
      "targetSdkVersion": null
    }
  },
  "failure": null,
  "paid": true,
  "problems": [
    {
      "pciInfo": null,
      "severity": "critical",
      "fix": null,
      "longDescription": "Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.",
      "pci": false,
      "type": "debugEnabled",
      "description": "Debug Enabled For App [android:debuggable=true]"
    },
    {
      "pciInfo": null,
      "pci": false,
      "description": "Senstive data found in these files",
      "severity": "critical",
      "fix": null,
      "classes": [
        {
          "regex": "password = \"|secret = \"|username = \"|key = \"",
          "lines": [
            "  private static final String KEY_LABEL = \"label\";\n  private static final String KEY_RESULT_KEY = \"resultKey\";\n  public static final String RESULTS_CLIP_LABEL = \"android.remoteinput.results\";\n"
          ],
          "class": "android/support/v4/app/RemoteInputCompatJellybean.java"
        },
        {
          "regex": "password = \"|secret = \"|username = \"|key = \"",
          "lines": [
            "{\n  static final String ADVERTISING_ID_KEY = \"advertisingId\";\n  static final String ANDROID_ID_KEY = \"androidId\";\n",
            "  static final String APP_BUNDLE_ID_KEY = \"appBundleId\";\n  static final String APP_VERSION_CODE_KEY = \"appVersionCode\";\n  static final String APP_VERSION_NAME_KEY = \"appVersionName\";\n",
            "  static final String BETA_DEVICE_TOKEN_KEY = \"betaDeviceToken\";\n  static final String BUILD_ID_KEY = \"buildId\";\n  static final String CUSTOM_ATTRIBUTES = \"customAttributes\";\n",
            "  static final String CUSTOM_TYPE = \"customType\";\n  static final String DETAILS_KEY = \"details\";\n  static final String DEVICE_MODEL_KEY = \"deviceModel\";\n",
            "  static final String EXECUTION_ID_KEY = \"executionId\";\n  static final String INSTALLATION_ID_KEY = \"installationId\";\n  static final String LIMIT_AD_TRACKING_ENABLED_KEY = \"limitAdTrackingEnabled\";\n",
            "  static final String PREDEFINED_TYPE = \"predefinedType\";\n  static final String TIMESTAMP_KEY = \"timestamp\";\n  static final String TYPE_KEY = \"type\";\n"
          ],
          "class": "com/crashlytics/android/answers/SessionEventTransform.java"
        }
      ],
      "type": "codeIssue",
      "longDescription": null
    },
    {
      "pciInfo": null,
      "pci": false,
      "description": "Unencrypted SQLite database detected.",
      "severity": "critical",
      "fix": null,
      "classes": [
        {
          "regex": "SQLiteDatabase",
          "lines": [
            "import android.database.DatabaseErrorHandler;\nimport android.database.sqlite.SQLiteDatabase;\nimport android.database.sqlite.SQLiteDatabase.CursorFactory;\n",
            "  \n  public SQLiteDatabase openOrCreateDatabase(String paramString, int paramInt, SQLiteDatabase.CursorFactory paramCursorFactory)\n  {\n",
            "  @TargetApi(11)\n  public SQLiteDatabase openOrCreateDatabase(String paramString, int paramInt, SQLiteDatabase.CursorFactory paramCursorFactory, DatabaseErrorHandler paramDatabaseErrorHandler)\n  {\n"
          ],
          "class": "io/fabric/sdk/android/FabricContext.java"
        }
      ],
      "type": "codeIssue",
      "longDescription": null
    },
    {
      "pciInfo": null,
      "severity": "severe",
      "fix": null,
      "longDescription": "This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.",
      "pci": false,
      "type": "backupEnabled",
      "description": "Application Data can be Backed up [android:allowBackup=true]"
    },
    {
      "pciInfo": null,
      "pci": false,
      "description": "The App uses an insecure Random Number Generator.",
      "severity": "severe",
      "fix": null,
      "classes": [
        {
          "regex": "java\\.util\\.Random;",
          "lines": [
            "import io.fabric.sdk.android.services.concurrency.internal.Backoff;\nimport java.util.Random;\n\n"
          ],
          "class": "com/crashlytics/android/answers/RandomBackoff.java"
        }
      ],
      "type": "codeIssue",
      "longDescription": null
    }
  ]
}

This endpoint retrieves a single scan result by its id, including the full list of problems.

HTTP Request

GET https://api.codifiedsecurity.com/scans/<id>?apiKey=<your api key>

Query Parameters

Parameter         Description
ignoreThirdParty  If set, findings located in the configured ignored libraries (see Ignored libraries below) are omitted from the response

Submit new scan

curl -XPOST -F "file=@/home/user/some.apk" "https://api.codifiedsecurity.com/scan?apiKey=some-key"

The above command returns JSON structured like this:

{
  "_id": "4105dcdf-fc48-4632-a173-36483e25a550",
  "typs": "android",
  "status": "completed",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": "1",
    "developer": "Unknown",
    "logo": null
  },
  "platform": {
    "mono": false
  },
  "manifestData": {
    "appDetails": {
      "versionCode": 1,
      "versionName": "1.0",
      "platformBuildVersionCode": 19,
      "platformBuildVersionName": "4.4.2-1456859",
      "package": "com.test.something"
    },
    "sdk": {
      "minSdkVersion": "16",
      "maxSdkVersion": null,
      "targetSdkVersion": null
    }
  },
  "failure": null,
  "paid": true,
  "problems": [
    {
      "pciInfo": null,
      "severity": "critical",
      "fix": null,
      "longDescription": "Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.",
      "pci": false,
      "type": "debugEnabled",
      "description": "Debug Enabled For App [android:debuggable=true]"
    },
    {
      "pciInfo": null,
      "pci": false,
      "description": "Senstive data found in these files",
      "severity": "critical",
      "fix": null,
      "classes": [
        {
          "regex": "password = \"|secret = \"|username = \"|key = \"",
          "lines": [
            "  private static final String KEY_LABEL = \"label\";\n  private static final String KEY_RESULT_KEY = \"resultKey\";\n  public static final String RESULTS_CLIP_LABEL = \"android.remoteinput.results\";\n"
          ],
          "class": "android/support/v4/app/RemoteInputCompatJellybean.java"
        },
        {
          "regex": "password = \"|secret = \"|username = \"|key = \"",
          "lines": [
            "{\n  static final String ADVERTISING_ID_KEY = \"advertisingId\";\n  static final String ANDROID_ID_KEY = \"androidId\";\n",
            "  static final String APP_BUNDLE_ID_KEY = \"appBundleId\";\n  static final String APP_VERSION_CODE_KEY = \"appVersionCode\";\n  static final String APP_VERSION_NAME_KEY = \"appVersionName\";\n",
            "  static final String BETA_DEVICE_TOKEN_KEY = \"betaDeviceToken\";\n  static final String BUILD_ID_KEY = \"buildId\";\n  static final String CUSTOM_ATTRIBUTES = \"customAttributes\";\n",
            "  static final String CUSTOM_TYPE = \"customType\";\n  static final String DETAILS_KEY = \"details\";\n  static final String DEVICE_MODEL_KEY = \"deviceModel\";\n",
            "  static final String EXECUTION_ID_KEY = \"executionId\";\n  static final String INSTALLATION_ID_KEY = \"installationId\";\n  static final String LIMIT_AD_TRACKING_ENABLED_KEY = \"limitAdTrackingEnabled\";\n",
            "  static final String PREDEFINED_TYPE = \"predefinedType\";\n  static final String TIMESTAMP_KEY = \"timestamp\";\n  static final String TYPE_KEY = \"type\";\n"
          ],
          "class": "com/crashlytics/android/answers/SessionEventTransform.java"
        }
      ],
      "type": "codeIssue",
      "longDescription": null
    },
    {
      "pciInfo": null,
      "pci": false,
      "description": "Unencrypted SQLite database detected.",
      "severity": "critical",
      "fix": null,
      "classes": [
        {
          "regex": "SQLiteDatabase",
          "lines": [
            "import android.database.DatabaseErrorHandler;\nimport android.database.sqlite.SQLiteDatabase;\nimport android.database.sqlite.SQLiteDatabase.CursorFactory;\n",
            "  \n  public SQLiteDatabase openOrCreateDatabase(String paramString, int paramInt, SQLiteDatabase.CursorFactory paramCursorFactory)\n  {\n",
            "  @TargetApi(11)\n  public SQLiteDatabase openOrCreateDatabase(String paramString, int paramInt, SQLiteDatabase.CursorFactory paramCursorFactory, DatabaseErrorHandler paramDatabaseErrorHandler)\n  {\n"
          ],
          "class": "io/fabric/sdk/android/FabricContext.java"
        }
      ],
      "type": "codeIssue",
      "longDescription": null
    },
    {
      "pciInfo": null,
      "severity": "severe",
      "fix": null,
      "longDescription": "This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.",
      "pci": false,
      "type": "backupEnabled",
      "description": "Application Data can be Backed up [android:allowBackup=true]"
    },
    {
      "pciInfo": null,
      "pci": false,
      "description": "The App uses an insecure Random Number Generator.",
      "severity": "severe",
      "fix": null,
      "classes": [
        {
          "regex": "java\\.util\\.Random;",
          "lines": [
            "import io.fabric.sdk.android.services.concurrency.internal.Backoff;\nimport java.util.Random;\n\n"
          ],
          "class": "com/crashlytics/android/answers/RandomBackoff.java"
        }
      ],
      "type": "codeIssue",
      "longDescription": null
    }
  ]
}

This request uploads an app binary and performs a new scan. Unless dontWait is set, the response is the full scan result, in the same shape as GET /scans/<id>.

HTTP Request

POST https://api.codifiedsecurity.com/scan?apiKey=<your api key>

The request must be a multipart/form-data HTTP request.

Request body

Parameter  Description
file       The apk or ipa file to be scanned

Query Parameters

Parameter        Description
dontWait         If set, the response is returned as soon as the scan has been initialized and contains only the id of the scan; fetch the result later with GET /scans/<id>
dontStoreResult  If set, the result will not be stored
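The submit-then-poll flow that dontWait enables, as an added Python example (not the service's own client code): the multipart/form-data body is encoded by hand with the standard library, posted to /scan?dontWait=1, and the scan is then polled on GET /scans/<id> until it completes. Two things the page does not state are assumed here: that the dontWait response carries the scan id in "_id" (the field the full scan response uses), and that any status value other than "completed" means the scan is still running. The opener parameter exists only so the functions can be exercised offline.

```python
"""Submit an APK without blocking, then poll for the finished scan.

Added example, not part of the original documentation. Assumptions: the
dontWait response has the id in "_id"; a status other than "completed"
means "still running"; a non-null "failure" means the scan failed.
"""
import json
import os
import sys
import time
import urllib.request
import uuid

BASE_URL = "https://api.codifiedsecurity.com"


def encode_multipart(field, filename, data, boundary=None):
    """Build a multipart/form-data body with a single file part.

    Returns (content_type_header_value, body_bytes). Equivalent to what
    curl -F "file=@<path>" sends, with a generic content type for the part.
    """
    boundary = boundary or uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def http_json(method, url, body=None, content_type=None, opener=urllib.request.urlopen):
    """Send one request and decode the JSON response."""
    req = urllib.request.Request(url, data=body, method=method)
    if content_type:
        req.add_header("Content-Type", content_type)
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def submit_scan(apk_bytes, filename, api_key, opener=urllib.request.urlopen):
    """POST the binary with dontWait=1 and return the scan id (assumed to be "_id")."""
    ctype, body = encode_multipart("file", filename, apk_bytes)
    url = f"{BASE_URL}/scan?apiKey={api_key}&dontWait=1"
    return http_json("POST", url, body, ctype, opener)["_id"]


def wait_for_scan(scan_id, api_key, opener=urllib.request.urlopen,
                  interval=5.0, timeout=600.0, sleep=time.sleep):
    """Poll GET /scans/<id> until status is "completed"; raise on failure or timeout."""
    url = f"{BASE_URL}/scans/{scan_id}?apiKey={api_key}"
    deadline = time.monotonic() + timeout
    while True:
        scan = http_json("GET", url, opener=opener)
        if scan.get("failure"):
            raise RuntimeError(f"scan {scan_id} failed: {scan['failure']}")
        if scan.get("status") == "completed":
            return scan
        if time.monotonic() >= deadline:
            raise TimeoutError(f"scan {scan_id} still {scan.get('status')!r} after {timeout}s")
        sleep(interval)


if __name__ == "__main__":
    # Usage: python submit_and_wait.py /home/user/some.apk   (key from CODIFIED_API_KEY, this example's variable)
    key = os.environ["CODIFIED_API_KEY"]
    with open(sys.argv[1], "rb") as fh:
        sid = submit_scan(fh.read(), os.path.basename(sys.argv[1]), key)
    print("scan id:", sid)
    result = wait_for_scan(sid, key)
    for problem in result["problems"]:
        print(problem["severity"], problem["type"], problem["description"])
```

Note that dontWait combined with dontStoreResult leaves nothing to poll for, so the two flags only make sense separately.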

Soft scan

curl -XPOST -F "file=@/home/user/some.apk" "https://api.codifiedsecurity.com/scan?apiKey=some-key&softscan=1"

The above command returns JSON structured like this:

{
  "_id": "4105dcdf-fc48-4632-a173-36483e25a550",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": "1",
    "developer": "Unknown",
    "logo": null
  },
  "problemCount": {
    "critical": 0,
    "severe": 2,
    "warning": 0
  }
}

Performs a scan but returns only the issue counts per severity, not the individual findings. This is the cheapest way to gate a build on a threshold.

HTTP Request

POST https://api.codifiedsecurity.com/scan?apiKey=<your api key>&softscan=1

The request must be a multipart/form-data HTTP request.

Request body

Parameter  Description
file       The apk or ipa file to be scanned

Ignored libraries

Get

curl "https://api.codifiedsecurity.com/ignored-libraries?apiKey=some-key"

The above command returns JSON structured like this:

[
  "com/google/**",
  "com/facebook/**",
  "com/crashlytics/**",
  "com/twitter/**",
  "io/fabric/**",
  "org/apache/log4j/**",
  "com/mixpanel/**",
  "org/slf4j/**"
]

This endpoint retrieves the list of library path patterns currently configured to be ignored. These are the libraries whose findings are omitted when a scan result is requested with ignoreThirdParty.

HTTP Request

GET https://api.codifiedsecurity.com/ignored-libraries?apiKey=<your api key>

Update

curl -X POST -d '[
  "com/google/**",
  "com/facebook/**",
  "com/crashlytics/**",
  "com/twitter/**",
  "io/fabric/**",
  "org/apache/log4j/**",
  "com/mixpanel/**",
  "org/slf4j/**",
  "com/something/**"
]' "https://api.codifiedsecurity.com/ignored-libraries?apiKey=some-key"

The above command returns JSON structured like this:

[
  "com/google/**",
  "com/facebook/**",
  "com/crashlytics/**",
  "com/twitter/**",
  "io/fabric/**",
  "org/apache/log4j/**",
  "com/mixpanel/**",
  "org/slf4j/**",
  "com/something/**"
]

This endpoint replaces the configured list of ignored libraries with the submitted array and returns the updated list. Send the complete list, not only the additions.

HTTP Request

POST https://api.codifiedsecurity.com/ignored-libraries?apiKey=<your api key>

Request body

A JSON array of library path patterns to ignore, sent as the raw request body as in the curl example above.
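The ignored-libraries list and the ignoreThirdParty parameter on GET /scans/<id> are two sides of one operation: dropping findings whose class path lies inside a third-party library. The example below, added here and not the service's own code, applies that filter on the client side to the problems from the scan response shown on this page. The page only shows the pattern format by example ("com/google/**"), so the usual glob meaning is assumed: "**" spans any number of path segments, "*" stays within one segment. Dropping a code finding that keeps no classes after filtering is this example's choice; whether the server does the same under ignoreThirdParty is not documented.

```python
"""Apply ignored-library patterns to a scan's findings on the client side.

Added example, not the Codified Security implementation. Patterns are
matched against the "class" paths the scanner reports, for example
"com/crashlytics/android/answers/SessionEventTransform.java".
"""
import re

# Sample data constructed from the responses shown on this page.
IGNORED = ["com/google/**", "com/facebook/**", "com/crashlytics/**", "com/twitter/**",
           "io/fabric/**", "org/apache/log4j/**", "com/mixpanel/**", "org/slf4j/**"]

PROBLEMS = [
    {"type": "debugEnabled", "severity": "critical",
     "description": "Debug Enabled For App [android:debuggable=true]"},
    {"type": "codeIssue", "severity": "critical", "description": "Senstive data found in these files",
     "classes": [{"class": "android/support/v4/app/RemoteInputCompatJellybean.java"},
                 {"class": "com/crashlytics/android/answers/SessionEventTransform.java"}]},
    {"type": "codeIssue", "severity": "critical", "description": "Unencrypted SQLite database detected.",
     "classes": [{"class": "io/fabric/sdk/android/FabricContext.java"}]},
    {"type": "backupEnabled", "severity": "severe",
     "description": "Application Data can be Backed up [android:allowBackup=true]"},
    {"type": "codeIssue", "severity": "severe", "description": "The App uses an insecure Random Number Generator.",
     "classes": [{"class": "com/crashlytics/android/answers/RandomBackoff.java"}]},
]


def glob_to_regex(pattern):
    """Translate a path glob into an anchored regex: ** -> .*, * -> [^/]*, ? -> [^/]."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_ignored(class_path, patterns):
    """True if class_path matches any ignored-library pattern."""
    return any(glob_to_regex(p).match(class_path) for p in patterns)


def strip_ignored(problems, patterns):
    """Remove classes that live in ignored libraries; drop code findings left with no classes.

    Manifest-level findings (debugEnabled, backupEnabled) have no "classes"
    key and are always kept: they concern the app itself, not a library.
    """
    kept = []
    for problem in problems:
        if "classes" not in problem:
            kept.append(problem)
            continue
        classes = [c for c in problem["classes"] if not is_ignored(c["class"], patterns)]
        if classes:
            kept.append({**problem, "classes": classes})
    return kept


if __name__ == "__main__":
    for problem in strip_ignored(PROBLEMS, IGNORED):
        paths = [c["class"] for c in problem.get("classes", [])]
        print(problem["severity"], problem["type"], problem["description"], paths or "")
```

On the page's sample scan this keeps debugEnabled, backupEnabled and the sensitive-data finding (now pointing only at android/support/v4/app/RemoteInputCompatJellybean.java), and drops the SQLite and Random findings entirely because every class they reference is inside io/fabric or com/crashlytics. Note the anchoring: "com/google/**" must not match "com/googleplay/...", which is why the glob is compiled to a full-string regex rather than tested with a prefix check.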

Errors

Error body example

{
  "code" : "BadRequestError",
  "message" : "Phonegap isnt supported"
}

The Codified Security API uses the following error codes:

Error Code  Meaning
400         Bad Request – invalid arguments supplied
401         Unauthorized – your API key is wrong
404         Not Found – the requested item could not be found
405         Method Not Allowed – you used an HTTP method the endpoint does not accept
500         Internal Server Error – we had a problem with our server; try again later
503         Service Unavailable – we are temporarily offline for maintenance; please try again later

CLI

./codified-security-cli -p android -a 'your-api-key' -c 0 -s 3 -w 10 -i yourApp.apk

When a threshold is exceeded, the CLI prints the offending count and exits with a non-zero status:

Critical errors(2) above treshold
exit status 1

To see usage run ./codified-security-cli -h

Exit status codes

Status code  Meaning
255          Bad input values
254          Codified Security service failure
1            App scan returned an error count above the threshold
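The same gate can be applied to an API response in a CI job, for example to the problemCount returned by a soft scan or to the problems list of a full scan. The Python below is an added example, not the Codified Security CLI: it validates three per-severity thresholds, tallies the response, and maps the outcome onto the CLI's documented exit statuses (0 ok, 1 count above threshold, 254 service failure, 255 bad input). The message format follows the "Critical errors(2) above treshold" line above, with the spelling corrected; treating any non-completed status as a service failure is this example's assumption.

```python
"""Gate a build on a Codified Security scan response, CLI-style.

Added example, not the vendor's CLI. Accepts a soft-scan response (which
already carries problemCount) or a full scan response (problems are
tallied here) and returns the CLI's exit statuses.
"""
import json
import sys

SEVERITIES = ("critical", "severe", "warning")
EXIT_OK, EXIT_THRESHOLD, EXIT_SERVICE, EXIT_INPUT = 0, 1, 254, 255


def parse_thresholds(critical, severe, warning):
    """Validate the three threshold values; a ValueError here maps to exit 255."""
    values = {}
    for name, raw in zip(SEVERITIES, (critical, severe, warning)):
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"{name} threshold must be an integer, got {raw!r}")
        if value < 0:
            raise ValueError(f"{name} threshold must be >= 0, got {value}")
        values[name] = value
    return values


def problem_counts(scan):
    """Return problemCount from a soft scan, or tally a full scan's problems list."""
    if "problemCount" in scan:
        return {s: int(scan["problemCount"].get(s, 0)) for s in SEVERITIES}
    counts = dict.fromkeys(SEVERITIES, 0)
    for problem in scan.get("problems", []):
        counts[problem["severity"]] = counts.get(problem["severity"], 0) + 1
    return counts


def gate(scan, thresholds):
    """Return (exit_status, message) for one scan response.

    A non-null "failure" or a status other than "completed" is treated as a
    service-side failure (254); counts are then checked most severe first.
    """
    if scan.get("failure") or scan.get("status") not in (None, "completed"):
        return EXIT_SERVICE, f"scan did not complete: {scan.get('failure') or scan.get('status')}"
    counts = problem_counts(scan)
    for name in SEVERITIES:
        if counts[name] > thresholds[name]:
            return EXIT_THRESHOLD, f"{name.capitalize()} errors({counts[name]}) above threshold"
    return EXIT_OK, "ok: " + ", ".join(f"{n}={counts[n]}" for n in SEVERITIES)


def main(argv):
    """Usage: gate.py <critical> <severe> <warning> < response.json"""
    try:
        thresholds = parse_thresholds(*argv[1:4])
        scan = json.load(sys.stdin)
    except (TypeError, ValueError) as exc:   # JSONDecodeError is a ValueError
        print(f"bad input: {exc}", file=sys.stderr)
        return EXIT_INPUT
    status, message = gate(scan, thresholds)
    print(message)
    return status


if __name__ == "__main__":
    # e.g. curl -XPOST -F "file=@some.apk" ".../scan?apiKey=$KEY&softscan=1" | python gate.py 0 3 10
    sys.exit(main(sys.argv))
```

With the thresholds from the CLI example (-c 0 -s 3 -w 10) the soft-scan response shown above (0 critical, 2 severe, 0 warning) passes, while the full scan result on this page (3 critical) exits 1 with "Critical errors(3) above threshold".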