
Introduction

Codifiedsecurity.com API documentation

Authentication

curl "https://api.codifiedsecurity.com/apps?apiKey=some-key"

Get your API key from the settings page and add the ?apiKey=<your api key> argument to every request URL.

Apps

Get all apps

curl "https://api.codifiedsecurity.com/apps?apiKey=some-key"

The above command returns JSON structured like this:

[
  {
    "package": "com.test.something",
    "platform": "android",
    "status": "completed",
    "lastScanDate": "2017-06-26T12:08:47.702Z",
    "problemCount": {
      "critical": 1,
      "severe": 2,
      "warning": 1
    },
    "appDetails": {
      "type": "android",
      "title": "com.test.something",
      "package": "com.test.something",
      "version": "1.0",
      "versionCode": 1,
      "developer": "Unknown",
      "logo": "https://storage.googleapis.com/codsec-staging-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
    },
    "failure": null,
    "grade": 80
  },
  {
    "package": "com.twitter.android",
    "platform": "android",
    "status": "completed",
    "lastScanDate": "2016-03-07T15:30:42.324Z",
    "problemCount": {
      "critical": 3,
      "severe": 31,
      "warning": 25
    },
    "appDetails": {
      "type": "android",
      "title": "Twitter",
      "package": "com.twitter.android",
      "version": "5.98.0",
      "versionCode": 5110036,
      "developer": "Twitter, Inc.",
      "developerAdditional": {
        "email": "[email protected]",
        "website": "https://support.twitter.com/articles/20169915"
      },
      "logo": "https://storage.googleapis.com/codsec-image-cache/52aa957810939037e010b01e0d15aac61f062641c3f3e17ef0916eaef43e7293.png"
    },
    "failure": null,
    "grade": 80
  }
]

This endpoint retrieves all apps that have been scanned.

HTTP Request

GET https://api.codifiedsecurity.com/apps?apiKey=<your api key>
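A typical consumer of this listing is an inventory check: which apps carry critical findings, which have a failed scan, and which have not been rescanned recently. The following is an added example (not part of the Codified Security documentation or product) that triages the documented response shape; the sample records are constructed from the fields shown above, and the 30-day staleness window and minimum grade are arbitrary policy values.

```python
"""Triage the /apps listing: flag apps with critical findings, scan failures,
low grades or stale scans.  Added example, not the vendor's code; the sample
records are constructed from the documented response shape."""
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the documented /apps response.
SAMPLE_APPS = [
    {"package": "com.test.something", "platform": "android", "status": "completed",
     "lastScanDate": "2017-06-26T12:08:47.702Z",
     "problemCount": {"critical": 1, "severe": 2, "warning": 1},
     "failure": None, "grade": 80},
    {"package": "com.twitter.android", "platform": "android", "status": "completed",
     "lastScanDate": "2016-03-07T15:30:42.324Z",
     "problemCount": {"critical": 3, "severe": 31, "warning": 25},
     "failure": None, "grade": 80},
    {"package": "com.example.clean", "platform": "ios", "status": "completed",
     "lastScanDate": "2017-07-01T08:00:00.000Z",
     "problemCount": {"critical": 0, "severe": 0, "warning": 2},
     "failure": None, "grade": 95},
]


def parse_scan_date(value):
    """Parse the API's ISO-8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def triage_apps(apps, now, max_age=timedelta(days=30), min_grade=80):
    """Return [(platform, package, [reasons])] for every app that needs attention.

    max_age and min_grade are arbitrary policy thresholds (assumptions)."""
    flagged = []
    for app in apps:
        reasons = []
        counts = app.get("problemCount") or {}
        if app.get("failure"):
            reasons.append("scan failure: %s" % app["failure"])
        if counts.get("critical", 0) > 0:
            reasons.append("%d critical finding(s)" % counts["critical"])
        if app.get("grade", 0) < min_grade:
            reasons.append("grade %s below %d" % (app.get("grade"), min_grade))
        if app.get("lastScanDate"):
            age = now - parse_scan_date(app["lastScanDate"])
            if age > max_age:
                reasons.append("last scan %d days ago" % age.days)
        if reasons:
            flagged.append((app["platform"], app["package"], reasons))
    return flagged


if __name__ == "__main__":
    # Fixed reference time so the output is reproducible.
    now = parse_scan_date("2017-07-10T00:00:00.000Z")
    for platform, package, reasons in triage_apps(SAMPLE_APPS, now):
        print("%s/%s: %s" % (platform, package, "; ".join(reasons)))
```

In real use replace SAMPLE_APPS with the parsed body of GET /apps and pass datetime.now(timezone.utc) as now.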

Get list of scans for app

curl "https://api.codifiedsecurity.com/apps/android/com.test.something?apiKey=some-key"

The above command returns JSON structured like this:

{
  "totalCount": 1,
  "results": [
    {
      "id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
      "status": "completed",
      "completed": "2017-06-26T12:08:47.702Z",
      "appDetails": {
        "type": "android",
        "title": "com.test.something",
        "package": "com.test.something",
        "version": "1.0",
        "versionCode": 1,
        "developer": "Unknown",
        "logo": "https://storage.googleapis.com/codsec-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
      },
      "problemCount": {
        "critical": 1,
        "severe": 2,
        "warning": 1
      },
      "grade": 80
    }
  ]
}

This endpoint retrieves the list of scans that have been performed for the given application.

HTTP Request

GET https://api.codifiedsecurity.com/apps/<platform>/<package>?apiKey=<your api key>

Scans

Get single scan

curl "https://api.codifiedsecurity.com/scans/73b05ac4-c13e-4141-a42a-afec248c2b52?apiKey=some-key"

The above command returns JSON structured like this:

{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "type": "android",
  "scanDate": "2017-06-26T12:08:47.702Z",
  "status": "completed",
  "pdf": "https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": 1,
    "developer": "Unknown",
    "logo": "https://storage.googleapis.com/codsec-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
  },
  "platform": {
    "mono": false,
    "phonegap": false
  },
  "manifestData": {
    "appDetails": {
      "versionCode": 1,
      "versionName": "1.0",
      "platformBuildVersionCode": 25,
      "platformBuildVersionName": "7.1.1",
      "package": "com.test.something"
    },
    "sdk": {
      "minSdkVersion": "15",
      "maxSdkVersion": null,
      "targetSdkVersion": "25"
    }
  },
  "failure": null,
  "paid": true,
  "problems": [
    {
      "type": "android.manifest_issue.debugEnabled",
      "severity": "critical",
      "description": "Debug is enabled for the app [android:debuggable=true]",
      "longDescription": "The app has debugging enabled, this makes it easier for anyone who wants to reverse engineer the app to hook a debugger to it. Users will be able to dump a stack trace and access debugging helper classes.",
      "fix": null,
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": false,
      "hipaInfo": "",
      "owasp": false,
      "owaspInfo": "",
      "gdpr": false,
      "gdprInfo": "",
      "cweId": "215",
      "cweInfo": "The application contains debugging code that can expose sensitive information to untrusted parties.",
      "id": "881102f9b2a0aee95c2f1c21a74983f7784e8ec1",
      "new": true,
      "isIgnored": false
    },
    {
      "type": "android.code_issue.log",
      "severity": "severe",
      "description": "App logging.",
      "longDescription": "The Android OS allows other applications to read the Android log. It is therefore possible if sensitive data is logged other applications can read, store and transmit this data.",
      "fix": " Avoid logging sensitive information. ",
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": true,
      "hipaInfo": "Access Control Requirements",
      "owasp": true,
      "owaspInfo": "M4 Unintended Data Leakage\r\n",
      "gdpr": true,
      "gdprInfo": "App logging.\r\n\r\nThe app may be in breach of GDPR Article 25: data protection by design and by default.",
      "cweId": "532",
      "cweInfo": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.",
      "id": "7babc233de26ab19ead1b9c278128d5c434910ee",
      "classes": [
        {
          "class": "example/codified/new_version_test/MainActivity.java",
          "id": "ae437ddd3ea983e1514bae60accdd29b6554fe29",
          "lines": [
            {
              "lines": "    super.onCreate(paramBundle);\n    setContentView(2130968603);\n    Log.d(\"test\", \"test\");\n  }\n",
              "id": "0ddc5d8d8623928088591549d066fdbedb1ef264",
              "new": true
            }
          ],
          "new": true
        },
        {
          "class": "example/codified/new_version_test/Test.java",
          "id": "47a37b79167b9596a59685489d00dab0d587a196",
          "lines": [
            {
              "lines": "  public Test()\n  {\n    Log.d(\"test\", \"test\");\n  }\n",
              "id": "f35fb8a2a10bc1eefffb5c08ee8f23821a05eecb",
              "new": true
            }
          ],
          "new": true
        }
      ],
      "new": true,
      "isIgnored": false
    },
    {
      "type": "android.manifest_issue.backupEnabled",
      "severity": "severe",
      "description": "It is possible for application data to be backed up [android:allowBackup=true]",
      "longDescription": "This flag lets users backup your application data via ADB. Users who have enabled USB debugging will be able to copy application data off the device. ",
      "fix": null,
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": false,
      "hipaInfo": "",
      "owasp": false,
      "owaspInfo": "",
      "gdpr": false,
      "gdprInfo": "",
      "cweId": "538",
      "cweInfo": "The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.",
      "id": "5fdb6721eaf8b1285d151b2db08ce707ace2c979",
      "new": true,
      "isIgnored": false
    },
    {
      "type": "android.manifest_permission.INTERNET",
      "severity": "warning",
      "description": "android.permission.INTERNET : full Internet access",
      "longDescription": "Allows an application to create network sockets.",
      "fix": null,
      "codeFix": null,
      "pci": false,
      "pciInfo": "",
      "hipa": false,
      "hipaInfo": "",
      "owasp": false,
      "owaspInfo": "",
      "gdpr": false,
      "gdprInfo": "",
      "cweId": "285",
      "cweInfo": "The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.",
      "id": "0e63caa65c113b873581ff3d87d32469beb56da8",
      "new": true,
      "isIgnored": false
    }
  ],
  "problemCount": {
    "critical": 1,
    "severe": 2,
    "warning": 1
  },
  "apis": {
    "stripe": false
  },
  "rules": ["pci", "hipaa", "gdpr", "owasp", "other"],
  "grade": 80
}

This endpoint retrieves a single scan result. Status could be one of the following:

HTTP Request

GET https://api.codifiedsecurity.com/scans/<id>?apiKey=<your api key>

Query Parameters

Parameter Description
ignoreThirdParty If set, configured third-party libraries are omitted from the results
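The problems array above carries more than the three counters in problemCount: per-finding compliance flags (pci, hipa, owasp, gdpr), CWE ids, the source locations for code issues, and an isIgnored flag. The following added example (not the vendor's code) recounts a scan result with ignored findings excluded, collects those attributes, and cross-checks the recount against the server's problemCount so a silent mismatch between the two is noticed. SAMPLE_SCAN is a constructed, trimmed version of the documented response.

```python
"""Summarise a /scans/<id> result and cross-check its problemCount.
Added example, not from the Codified Security documentation or product."""
from collections import Counter

# Constructed, trimmed version of the documented scan response.
SAMPLE_SCAN = {
    "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
    "status": "completed",
    "problemCount": {"critical": 1, "severe": 2, "warning": 1},
    "problems": [
        {"type": "android.manifest_issue.debugEnabled", "severity": "critical",
         "cweId": "215", "pci": False, "hipa": False, "owasp": False, "gdpr": False,
         "isIgnored": False, "new": True},
        {"type": "android.code_issue.log", "severity": "severe",
         "cweId": "532", "pci": False, "hipa": True, "owasp": True, "gdpr": True,
         "isIgnored": False, "new": True,
         "classes": [{"class": "example/codified/new_version_test/MainActivity.java"},
                     {"class": "example/codified/new_version_test/Test.java"}]},
        {"type": "android.manifest_issue.backupEnabled", "severity": "severe",
         "cweId": "538", "pci": False, "hipa": False, "owasp": False, "gdpr": False,
         "isIgnored": False, "new": True},
        {"type": "android.manifest_permission.INTERNET", "severity": "warning",
         "cweId": "285", "pci": False, "hipa": False, "owasp": False, "gdpr": False,
         "isIgnored": False, "new": False},
    ],
}

SEVERITIES = ("critical", "severe", "warning")
COMPLIANCE_FLAGS = ("pci", "hipa", "owasp", "gdpr")  # field names as used by the API


def summarize_scan(scan):
    """Recount findings (ignored ones excluded) and compare with problemCount."""
    counts = Counter()
    regimes = {flag: [] for flag in COMPLIANCE_FLAGS}
    cwes = set()
    locations = {}
    ignored = new = 0
    for problem in scan.get("problems", []):
        if problem.get("isIgnored"):
            ignored += 1
            continue  # ignored findings are not counted against the app
        counts[problem["severity"]] += 1
        if problem.get("new"):
            new += 1
        if problem.get("cweId"):
            cwes.add(problem["cweId"])
        for flag in COMPLIANCE_FLAGS:
            if problem.get(flag):
                regimes[flag].append(problem["type"])
        classes = [c["class"] for c in problem.get("classes", [])]
        if classes:
            locations[problem["type"]] = classes
    server = scan.get("problemCount") or {}
    matches = all(counts.get(sev, 0) == server.get(sev, 0) for sev in SEVERITIES)
    return {"counts": dict(counts), "ignored": ignored, "new": new, "cwes": cwes,
            "regimes": regimes, "locations": locations, "matches_server": matches}


if __name__ == "__main__":
    summary = summarize_scan(SAMPLE_SCAN)
    print("counts:", summary["counts"], "matches server:", summary["matches_server"])
    for flag, types in summary["regimes"].items():
        if types:
            print("%s: %s" % (flag, ", ".join(types)))
    for issue, classes in summary["locations"].items():
        print("%s in %d class(es)" % (issue, len(classes)))
```

A matches_server of False after a recount is worth investigating: either findings were ignored in the dashboard (the ignored counter shows how many) or the two views of the scan disagree.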

Submit new scan

curl -XPOST -F "file=@/home/user/some.apk" "https://api.codifiedsecurity.com/scan?apiKey=some-key"

The above command returns JSON structured like this:

{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "status": "new"
}

This request submits a new scan.

HTTP Request

POST https://api.codifiedsecurity.com/scan?apiKey=<your api key>

The request must be a multipart HTTP request.

Request body

Parameter Description
file Either apk or ipa file to be scanned

Query Parameters

Parameter Description
dontStoreResult If set, the result won’t be stored

Soft scan

curl -XPOST -F "file=@/home/user/some.apk" "https://api.codifiedsecurity.com/scan?apiKey=some-key&softscan=1"

The above command returns JSON structured like this:

{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "status": "new"
}

Retrieve scan results by returned scan id:

curl "https://api.codifiedsecurity.com/scans/73b05ac4-c13e-4141-a42a-afec248c2b52?apiKey=some-key"

The above command returns JSON structured like this:

{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "status": "completed",
  "appDetails": {
    "type": "android",
    "title": "com.test.something",
    "package": "com.test.something",
    "version": "1.0",
    "versionCode": 1,
    "developer": "Unknown",
    "logo": "https://storage.googleapis.com/codsec-image-cache/c2c17c4217eb51464f67eb826aa0b09f94192311d0e810dd2c42a5fb99787888.png"
  },
  "problemCount": {
    "critical": 1,
    "severe": 2,
    "warning": 1
  },
  "failure": null,
  "grade": 80
}

Performs a scan but returns only the issue counts.

HTTP Request

POST https://api.codifiedsecurity.com/scan?apiKey=<your api key>&softscan=1

The request must be a multipart HTTP request.

Request body

Parameter Description
file Either apk or ipa file to be scanned

PDF report

curl "https://api.codifiedsecurity.com/scans/73b05ac4-c13e-4141-a42a-afec248c2b52?apiKey=some-key"

The above command returns a JSON response which contains a download link to the PDF report file (JSON trimmed for brevity):

{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "type": "android",
  "scanDate": "2017-06-26T12:08:47.702Z",
  "status": "completed",
  "pdf": "https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52"
}

If there are new issues found in the latest test, the PDF link is appended with “/new”:

{
  "_id": "73b05ac4-c13e-4141-a42a-afec248c2b52",
  "type": "android",
  "scanDate": "2017-06-26T12:08:47.702Z",
  "status": "completed",
  "pdf": "https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52/new"
}

PDF download links that are appended with “/new” only contain the vulnerabilities detected in the most recent scan. To get the PDF report containing all vulnerabilities, ensure this is removed from the end of the link for the steps below.

Retrieve PDF report via returned url:

curl -H "Accept-Language: en" https://api.codifiedsecurity.com/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/73b05ac4-c13e-4141-a42a-afec248c2b52 -o /home/user/Report.pdf

Downloads the PDF report file to the specified location. You can specify the content language with an HTTP header. We’re currently supporting English and Korean (‘en’ and ‘ko’, respectively). The link to the PDF file is contained in the scan results.

HTTP Request

GET https://api.codifiedsecurity.com/result/pdf/<id1>/<id2>

Request headers

Parameter Description
Accept-Language Which language is preferred for the PDF content. Falls back to ‘en’
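The submit, poll and download steps above form one workflow: POST the multipart upload to /scan, poll GET /scans/<id> until the scan is no longer pending, then fetch the pdf link with an Accept-Language header, trimming the “/new” suffix when the full report is wanted. The following added example (not the vendor's client) wires those steps together with only the standard library. Its HTTP layer is a pluggable transport so the flow can be exercised offline against a constructed stand-in; the stop condition for polling (status "completed" or a non-null failure) is an assumption, since the documentation does not enumerate every status value. Because authentication is a query-string parameter, the API key travels in every URL; the client keeps it out of log lines for that reason.

```python
"""Submit, poll and fetch the PDF for a Codified Security scan.
Added example, not the vendor's client; stdlib only, transport is pluggable."""
import json
import uuid
import urllib.request
from urllib.parse import urlencode

BASE_URL = "https://api.codifiedsecurity.com"


def urllib_transport(method, url, headers, body):
    """Real transport: returns the response body as bytes."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


class CodifiedClient:
    def __init__(self, api_key, transport=None, base_url=BASE_URL):
        self.api_key = api_key
        self.base_url = base_url
        self.transport = transport or urllib_transport

    def _url(self, path, **params):
        # The key rides in the query string on every request, so never log
        # the full URL; log path and scan id instead.
        query = {"apiKey": self.api_key}
        query.update({k: v for k, v in params.items() if v is not None})
        return "%s%s?%s" % (self.base_url, path, urlencode(query))

    def submit_scan(self, filename, data, softscan=False, dont_store_result=False):
        """POST /scan as multipart/form-data with the single 'file' part."""
        boundary = "----codified-" + uuid.uuid4().hex
        head = ("--%s\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n"
                "Content-Type: application/octet-stream\r\n\r\n" % (boundary, filename))
        body = head.encode() + data + ("\r\n--%s--\r\n" % boundary).encode()
        url = self._url("/scan", softscan=1 if softscan else None,
                        dontStoreResult=1 if dont_store_result else None)
        headers = {"Content-Type": "multipart/form-data; boundary=%s" % boundary}
        return json.loads(self.transport("POST", url, headers, body))

    def get_scan(self, scan_id, ignore_third_party=False):
        url = self._url("/scans/%s" % scan_id, ignoreThirdParty=1 if ignore_third_party else None)
        return json.loads(self.transport("GET", url, {}, None))

    def wait_for_scan(self, scan_id, max_polls=60, sleep=lambda: None):
        """Poll until completed or failed (assumed stop condition); pass
        sleep=lambda: time.sleep(10) for real use."""
        for _ in range(max_polls):
            scan = self.get_scan(scan_id)
            if scan.get("status") == "completed" or scan.get("failure"):
                return scan
            sleep()
        raise TimeoutError("scan %s not finished after %d polls" % (scan_id, max_polls))

    def download_pdf(self, pdf_url, lang="en", full_report=True):
        """Fetch the report; '/new' is stripped when the full report is wanted."""
        if full_report and pdf_url.endswith("/new"):
            pdf_url = pdf_url[:-len("/new")]
        return self.transport("GET", pdf_url, {"Accept-Language": lang}, None)


def run_workflow(client, apk_bytes, filename="some.apk"):
    submitted = client.submit_scan(filename, apk_bytes)
    scan = client.wait_for_scan(submitted["_id"])
    pdf = client.download_pdf(scan["pdf"]) if scan.get("pdf") else None
    return {"scan_id": submitted["_id"], "status": scan["status"], "pdf": pdf}


def make_fake_transport(polls_until_done=2):
    """Constructed stand-in for the API that replays the documented responses."""
    state = {"polls": 0}
    scan_id = "73b05ac4-c13e-4141-a42a-afec248c2b52"
    pdf = "%s/result/pdf/bea2fc7b-9adb-43ba-99dc-d7de58e00b1c/%s/new" % (BASE_URL, scan_id)

    def transport(method, url, headers, body):
        if method == "POST" and "/scan?" in url:
            assert b'name="file"' in body and b"some.apk" in body
            return json.dumps({"_id": scan_id, "status": "new"}).encode()
        if method == "GET" and "/scans/%s" % scan_id in url:
            state["polls"] += 1
            if state["polls"] < polls_until_done:
                return json.dumps({"_id": scan_id, "status": "new"}).encode()
            return json.dumps({"_id": scan_id, "status": "completed", "failure": None,
                               "pdf": pdf, "grade": 80}).encode()
        if method == "GET" and "/result/pdf/" in url:
            assert headers.get("Accept-Language") in ("en", "ko")
            return b"%PDF-1.4 " + ("new" if url.endswith("/new") else "full").encode()
        raise AssertionError("unexpected request %s %s" % (method, url))
    return transport, state


if __name__ == "__main__":
    transport, state = make_fake_transport(polls_until_done=3)
    result = run_workflow(CodifiedClient("some-key", transport=transport), b"PK\x03\x04 constructed")
    print(result["scan_id"], result["status"], "polls:", state["polls"], result["pdf"])
```

For a real run construct CodifiedClient("your-api-key") without a transport, read the .apk or .ipa bytes from disk, and write the returned PDF bytes to a file.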

Errors

Error body example

{
  "code" : "BadRequestError",
  "message" : "Phonegap isnt supported"
}

The Codified Security API uses the following error codes:

Error Code Meaning
400 Bad Request – Invalid arguments supplied
401 Unauthorized – Your API key is wrong
404 Not Found – Requested item could not be found
405 Method Not Allowed – You tried to execute invalid method
500 Internal Server Error – We had a problem with our server. Try again later.
503 Service Unavailable – We’re temporarily offline for maintenance. Please try again later.

CLI

./codified-security-cli -p android -a 'your-api-key' -c 0 -s 3 -w 10 -i yourApp.apk

When failed

Critical errors(2) above treshold
exit status 1

To see usage, run ./codified-security-cli -h

Exit status codes

Status code Meaning
255 Bad input values
254 Codified security service failure
1 App scan returned error count above threshold
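The exit-status table is what makes the CLI usable as a CI gate. The following added example (not the vendor's CLI) reproduces that contract over a saved /scans/<id> response: 255 for bad threshold values, 254 when the scan did not complete, 1 when any severity count exceeds its threshold, 0 otherwise. Reading -c, -s and -w as per-severity thresholds for critical, severe and warning findings is inferred from the usage line above and is an assumption.

```python
"""Gate a CI job on a saved scan result using the CLI's exit-status contract.
Added example, not the vendor's CLI; the -c/-s/-w meaning is an assumption."""
import sys

EXIT_OK, EXIT_ABOVE_THRESHOLD, EXIT_SERVICE_FAILURE, EXIT_BAD_INPUT = 0, 1, 254, 255
SEVERITIES = ("critical", "severe", "warning")


def parse_thresholds(critical, severe, warning):
    """Validate the three threshold arguments; None signals bad input."""
    out = {}
    for name, raw in zip(SEVERITIES, (critical, severe, warning)):
        try:
            value = int(raw)
        except (TypeError, ValueError):
            return None
        if value < 0:
            return None
        out[name] = value
    return out


def evaluate(scan, thresholds):
    """Return (exit_status, messages) for a /scans/<id> response."""
    if thresholds is None:
        return EXIT_BAD_INPUT, ["bad threshold values"]
    if not scan or scan.get("status") != "completed" or scan.get("failure"):
        return EXIT_SERVICE_FAILURE, ["scan did not complete: %s" % (scan or {}).get("failure")]
    counts = scan.get("problemCount") or {}
    messages = []
    for sev in SEVERITIES:
        n = int(counts.get(sev, 0))
        if n > thresholds[sev]:
            messages.append("%s errors(%d) above threshold %d" % (sev.capitalize(), n, thresholds[sev]))
    return (EXIT_ABOVE_THRESHOLD if messages else EXIT_OK), messages


if __name__ == "__main__":
    import argparse
    import json
    ap = argparse.ArgumentParser(description="gate CI on a saved /scans/<id> response")
    ap.add_argument("-c", default=0, help="max critical findings")
    ap.add_argument("-s", default=3, help="max severe findings")
    ap.add_argument("-w", default=10, help="max warning findings")
    ap.add_argument("scan_json", help="path to a saved /scans/<id> response")
    args = ap.parse_args()
    with open(args.scan_json) as fh:
        scan = json.load(fh)
    status, messages = evaluate(scan, parse_thresholds(args.c, args.s, args.w))
    for message in messages:
        print(message)
    sys.exit(status)
```

With the documented sample (1 critical, 2 severe, 1 warning) and the usage line's thresholds (-c 0 -s 3 -w 10), the critical count exceeds its threshold and the job exits with status 1.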