REDVEIL/Docs

Mobile Application Testing User Guide

How to set up, run, and troubleshoot RedVeil mobile application testing for APK and IPA uploads.

This guide explains how to use RedVeil's Mobile Application Testing feature from start to finish, including setup, what testing is performed, what results to expect, and how to troubleshoot common issues.

What Mobile Application Testing Covers

RedVeil mobile testing is an automated static security assessment for mobile binaries:

  • Android applications (.apk)
  • iOS applications (.ipa)

The workflow combines automated reconnaissance and static analysis with AI-driven validation so reported issues are confirmed and reproducible.

Before You Start

Requirements

  • An active subscription is required to start scans.
  • Your organization must have access to the Mobile Application project type.
    • On Perimeter plans, Mobile Application is restricted and shown as "Available in Full Coverage".
  • You must have enough available Agent Ops to run the scan.

Supported Upload Types

  • *.apk (Android)
  • *.ipa (iOS)

Any other format is rejected.

Quick Start: Create and Launch a Mobile Test

  1. Open Projects -> New Project.
  2. In Details, enter a project name and select Mobile Application.
  3. Go to Settings (Scope is not required for mobile projects).
  4. In Mobile Application Uploads, click Upload APK / IPA and select one or more files.
  5. Confirm your files appear in the uploaded list with platform and size.
  6. Continue to Review, verify project information, then click Create Project and confirm.
  7. You will be routed to the dashboard. Click Start Scan to begin testing.

What Types of Mobile Testing Are Performed

RedVeil focuses on high-impact mobile security categories, including:

  • Manifest and entitlement weaknesses
    • Android exported components, risky permissions, missing security flags
    • iOS entitlement and plist configuration risks
  • Hardcoded secrets and credentials
    • API keys, tokens, and credentials exposed in binary artifacts
  • Insecure local data handling
    • Sensitive data in local storage or insecure token handling patterns
  • Weak cryptography and trust logic
    • Deprecated/weak crypto usage and risky certificate validation logic
  • Deep link and intent exposure
    • Unsafe URL schemes, exposed components, and triggerable app behavior
  • Transport security weaknesses
    • Cleartext allowance and insecure network configuration patterns

Testing Mode

  • Mobile testing is static-analysis-first (binary upload, decompilation, artifact analysis, and validated findings).
  • There is no separate runtime/mobile-device mode toggle in the project setup flow.
  • You start mobile testing by selecting Mobile Application and uploading .apk / .ipa artifacts.

How the Scan Works

When you start a mobile scan, RedVeil runs this pipeline for each uploaded app:

  1. Mobile Reconnaissance
    • Downloads the uploaded artifact from secure storage.
    • Decompiles the package (apktool for Android, extraction for iOS).
    • Extracts strings, URLs, and potential secrets from the binary.
    • Runs static scanner analysis to generate leads.
  2. AI Validation
    • The testing agent investigates scanner leads and decompiled artifacts.
    • Findings are only added after independent validation.
  3. Findings and Evidence
    • Confirmed issues are written with actionable evidence and reproduction context.
  4. Completion
    • Each uploaded app target is marked complete, and the project scan closes when all targets are in terminal states.

What You Will See During Execution

Dashboard and Activity

  • Start Scan launches testing for all uploaded apps in the project.
  • The dashboard displays activity and status updates while scanning.
  • Project scan status transitions typically include states like running, completed, failed, or cancelled.

Hosts and Progress

Each uploaded app appears as its own target in Hosts. Progress includes stages such as:

  • Started
  • Reconnaissance (mobile-specific profiling states)
  • Testing
  • Complete / Failed / Cancelled

Mobile-specific progress messages may include:

  • "Preparing mobile app for security analysis"
  • "Profiling mobile app package"
  • "Mobile app profiling complete"

Results and Reporting

Findings

Validated findings include:

  • A clear issue description
  • Affected component/file/path evidence
  • Reproduction-oriented technical evidence
  • Severity and remediation guidance

Reports

Mobile findings are included in the standard RedVeil reporting workflow alongside other supported surfaces.

Retesting

After remediation, upload an updated app build and run another scan to verify fixes. You can also use issue-level retesting flows where available in your workspace.

Limits and Boundaries

Understanding what this feature is and is not:

  • Static testing focused: upload-based binary analysis and validation
  • Not a device/emulator runtime test workflow
  • Only .apk and .ipa files are accepted
  • Scan duration and depth are bounded by operational limits (for example, turn/ops limits)
  • Very large recon outputs may be summarized/truncated to keep workflows stable

Troubleshooting

"Upload at least one .apk or .ipa file"

  • Add at least one valid mobile file before creating the project.

"Unsupported mobile file format ... Only .apk and .ipa are allowed"

  • Convert/export your app to a supported package format and re-upload.

"Failed to upload ..."

  • Retry upload.
  • Confirm file integrity and network reliability.
  • If repeated, check storage/network policies in your environment.

"Active subscription required to start scans"

  • Activate or upgrade your subscription, then retry.

Mobile Application type is disabled with "Available in Full Coverage"

  • Your current entitlement does not include this project type.
  • Upgrade to a plan that includes Mobile Application testing, then create the project again.

"Insufficient ops available" or required ops message

  • Purchase/add more ops, then start the scan again.

Runtime connectivity warnings during testing

  • Temporary runtime connection issues can occur.
  • If warnings persist, re-run the scan and contact support with project details and timestamps.

Best Practices for Better Mobile Test Results

  • Upload production-equivalent builds whenever possible.
  • Use clear versioned filenames (for example, myapp-2.3.1-release.apk).
  • Re-scan after each significant security fix to confirm remediation.
  • Keep uploads focused to current target builds to simplify triage.

FAQ

Can I upload multiple mobile apps in one project?

Yes. You can upload one or more .apk/.ipa files. Each file is tested as its own target.

Can I mix Android and iOS uploads in the same project?

Yes. Mixed Android and iOS artifacts are supported in the same Mobile Application project.

Do I need devices, emulators, or jailbreak/root setup?

No. This workflow is upload-based static testing and does not require device farm setup.

Why was my scan completed before I expected?

Scans can end when operational limits are reached (for example, turn or ops constraints) or when the workflow reaches a safe terminal condition.

How do I verify a fix?

Upload the updated binary and run a new scan (and/or use retest workflows available in your issue management flow).

What Happens After Starting a Test

Explaining what happens after hitting "Start Test"

Cancelling or Stopping a Test

How to stop/cancel your actively running test

On this page

What Mobile Application Testing CoversBefore You StartRequirementsSupported Upload TypesQuick Start: Create and Launch a Mobile TestWhat Types of Mobile Testing Are PerformedTesting ModeHow the Scan WorksWhat You Will See During ExecutionDashboard and ActivityHosts and ProgressResults and ReportingFindingsReportsRetestingLimits and BoundariesTroubleshooting"Upload at least one .apk or .ipa file""Unsupported mobile file format ... Only .apk and .ipa are allowed""Failed to upload ...""Active subscription required to start scans"Mobile Application type is disabled with "Available in Full Coverage""Insufficient ops available" or required ops messageRuntime connectivity warnings during testingBest Practices for Better Mobile Test ResultsFAQCan I upload multiple mobile apps in one project?Can I mix Android and iOS uploads in the same project?Do I need devices, emulators, or jailbreak/root setup?Why was my scan completed before I expected?How do I verify a fix?