Applications - REST API

Josh Rodriguez

February 20, 2025 20:14

Create Application Resource
List Applications
Upload Application
View Application

Create Application Resource

Using POST /app/, you can create an application resource that does not have a binary associated with it. To run an assessment you must upload a binary with the same package name and platform, see the Upload Application section for further details.

POST https://lab-api.nowsecure.com/app/

curl -H 'Content-Type: application/json' -H "Authorization: Bearer ${API_TOKEN}" -X POST https://lab-api.nowsecure.com/app/ -d '{"platform": "android", "package": "com.example.app", "group": "363df3a1-0e8b-4960-bb6e-cc09aced37a1"}'

HTTP/1.1 200 OK
{
   "platform": "android",
   "package": "com.example.app",
   "group": "363df3a1-0e8b-4960-bb6e-cc09aced37a1",
   "created": "2016-04-08T19:06:00.257Z"
}

Header

Field	Type	Description
`Authorization`	String	Send header with value `Bearer: ${API_TOKEN}` to authenticate

Body

Field	Type	Description
`platform`	String	The platform associated with application Allowed values: `"ios"`, `"android"`
package	String	The package identifier of application
group	String	The uuid group ref to associate application with (only optional if user belongs to exactly one group)

List Applications

You can list all of the applications associated with an account using GET /app/.

GET https://lab-api.nowsecure.com/app/

curl -H "Authorization: Bearer ${API_TOKEN}" -X GET https://lab-api.nowsecure.com/app/

ns-cli app list --group-ref 312d2c93-1531-41be-b4f3-755799423393 --json

[
  {
    "ref": "7f0ab7a2-2068-11ec-a8e7-af699493e3e8",
    "platformType": "android",
    "group": {
      "ref": "376124c4-824b-485e-82d9-632e1754a53f",
      "name": "Demos"
    },
    "packageKey": "net.aljazeera.english",
    "title": "AJ English",
    "iconURL": "https://api.nowsecure.com/icon/50c72649490f517f988d94d53486a917af6883cdf431fba1d5b606f433340df3",
    "createdAt": "2021-09-28T14:29:32.173549Z",
    "archivedAt": null
  },
  {
    "ref": "f8fdada8-26c1-11ec-bfb0-9f806683e0c3",
    "platformType": "ios",
    "group": {
      "ref": "376124c4-824b-485e-82d9-632e1754a53f",
      "name": "Demos"
    },
    "packageKey": "com.nowsecure.rvia",
    "title": "RVIA",
    "iconURL": "https://api.nowsecure.com/icon/7e370e68ceeeb899aa39e3aaa3151c1555af7d05c36679497d80a4e750eda887",
    "createdAt": "2021-10-06T16:25:08.955524Z",
    "archivedAt": null
  },
  {
    "ref": "d087e974-3738-11ec-b709-e73c87197b74",
    "platformType": "ios",
    "group": {
      "ref": "376124c4-824b-485e-82d9-632e1754a53f",
      "name": "Demos"
    },
    "packageKey": "com.westernunion.mtapp",
    "title": "WesternUnion",
    "iconURL": "https://api.nowsecure.com/icon/2ae725dc422d0752ee60143f53d8982a5ddcd81a4e5736909432a1b2017f9d5d",
    "createdAt": "2021-10-27T15:16:09.790133Z",
    "archivedAt": null
  },

curl -H "Authorization: Bearer $API_TOKEN" 'https://lab-api.nowsecure.com/app/' | jq '.[] | select(.group == "312d2c93-1531-41be-b4f3-755799423393")'

{
  "ref": "ddffb656-b459-11ec-8971-030fcf3c415c",
  "group": "376124c4-824b-485e-82d9-632e1754a53f",
  "account": "376124c4-824b-485e-82d9-632e1754a53f",
  "platform": "android",
  "package": "co.babypenguin.androidlive",
  "created": "2022-04-04T20:57:41.125Z",
  "title": "imo live",
  "binary": "fa4ec877493538c03146e05706004308bb0f74e28c0aa63ac3869aa51d84dad1",
  "config_level": "baseline",
  "config": {},
  "appstore_application_key": "co.babypenguin.androidlive"
}
{
  "ref": "bb95025c-7d3a-11ec-a8e7-f7f2c8076362",
  "group": "376124c4-824b-485e-82d9-632e1754a53f",
  "account": "376124c4-824b-485e-82d9-632e1754a53f",
  "platform": "android",
  "package": "com.apartments.mobile.android",
  "created": "2022-01-24T17:26:15.031Z",
  "title": "Apartments",
  "binary": "4d037d7042ae4669e4c3dc5a433be87cfae34339431bca0422bc5f3fb44c40da",
  "config_level": "baseline",
  "config": {},
  "appstore_application_key": "com.apartments.mobile.android"
}

Header

Field	Type	Description
`Authorization`	String	Send header with value `Bearer: ${API_TOKEN}` to authenticate

Upload Application

Use POST /build/, with a request body of the app binary, to trigger an assessment. This will create a new application record if one does not already exist in specified group. If application record does it exist, this will use any previously specified configuration options. If it is the first time an application has been uploaded, the assessment will start with the default configuration options.

POST https://lab-api.nowsecure.com/build/

curl -H “Authorization: Bearer $TOKEN” -X POST “https://lab-api.nowsecure.com/build/?group=$GROUPREF” --http1.1 --data-binary @$APPNAME.apk

{
"binary": "2f1b3e54f8b994ac8614bd7478569d64d4feda3b646561f83230b94445339d1",
"platform": "ios",
"package": "com.nowsecure.rvia",
"group": "376124c4-824b-485e-82d9-632e1754a53f",
"ref": "08400856-efc3-11ef-ae08-8b4625c52a30",
"application": "f8fda8d8-26c1-11ec-bfb0-9c806838e0c3",
"account": "376124c4-824b-485e-82d9-632e1754a53f",
"task": 1740080640679,
"creator": "24d0d9b9-9825-4545-b9d1-30221ddc7b5b",
"created": "2025-02-20T19:44:00.781Z",
"updated": "2025-02-20T19:44:00.785Z",
"favorite": false,
"config": {
"static": {
"heartbleed_check": true,
"local_auth_check": true,
"change_cipher_spec_check": true,
"address_reference_counting_check": true,
"address_space_layout_rand_check": true,
"stack_smashing_protection_check": true
},
"dynamic": {
"actions": {
"find": [
"guest",
"sign in",
"sign_in",
"sign-in",
"login",
"log in",
"start",
"signin",
"continue",
"submit",
"sbmt",
"OK",
"yes",
"agree",
"accept",
"next",
"done",
"already a",
"skip",
"signup",
"register",
"create",
"get started",
"sign_up",
"sign up",
"my account",
"settings",
"options",
"apply",
"Account",
"dimiss",
"next"
],
"avoid": [
"facebook",
"G+",
"Google plus",
"Google",
"GOOGLE",
"twitter"
]
},
"search_data": {
"adid": {
"value": "DEADBEEF-1234-1234-1234-123456789ABC",
"search_strings": []
},
"idfv": {
"value": "CAFEBABE-1234-1234-1234-123456789ABC",
"search_strings": []
},
"name": {
"value": "nsDefaultName"
}
}
}
}
}

Header

Field	Type	Description
`Authorization`	String	Send header with value `Bearer: ${API_TOKEN}` to authenticate

Query

Field	Type	Description
`group`	String	The application group to use for the assessment (only optional if user belongs to exactly one group)

View Application

Using the GET /app/{platform}/{package} endpoint will allow the user to view a specific application package.

GET https://lab-api.nowsecure.com/app/:platform/:package

curl -H "Authorization: Bearer ${API_TOKEN}" -X GET https://lab-api.nowsecure.com/app/android/com.sample.android.testdpc?group=838929c6-73c8-11e8-a19d-27d57188d0f9

Header

Field	Type	Description
`Authorization`	String	Send header with value `Bearer: ${API_TOKEN}` to authenticate

Route

Field	Type	Description
`platform`	String	The platform associated with application. Allowed values: "`ios`", "`android`"
package	String	The package identifier of application

Query

Field	Type	Description
`group`	String	The uuid group ref of application (only optional if user belongs to exactly one group)