Versions Compared

Old Version 4

changes.mady.by.user Alban

Saved on

compared with

New Version 5

changes.mady.by.user Alban

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The following steps allow organizations to automatically scan pre-production releases of their mobiles apps using existing developer tools & processes. DevOps can fully automate the SDLC by integrating our API to existing CI/CD tools such as Travis CI, Jenkins, Bitrise, fastlane, Xcode server, etc. Please send the following info do your developers.

Data Theorem CI/CD API

The Upload API can be used to upload PreProd mobile binaries directly to Data Theorem for scanning.

...

  • The first one is to generate and retrieve an upload_url.
  • The second one is a standard multipart upload to the upload_url with the actual App binary (IPA, APK, etc.) and some additional, optional meta data (such as comments, or credentials needed for dynamic scanning).

Current Version

There is only one version: v1, available at https://api.securetheorem.com/uploadapi/v1/.

Endpoints

Step 1 - Upload Init

The upload process can be initialized by calling the this method.

Authentication

Authentication is done by passing your organization’s Upload API key as part of the the Authorizationheader:

...

The Upload API key can be retrieved by users in the Data Theorem portal athttps://www.securetheorem.com/sdlc within the “API Key” section.

Request

POST /uploadapi/v1/upload_init

...

$ curl -X POST -H "Authorization: Bearer AAAABBBBCCCCAJ82/iNaIQ=="  --data ""  https://api.securetheorem.com/uploadapi/v1/upload_init

Response

{
 "upload_url": "https://appupload.securetheorem.com/_ah/upload/AMm[...]/"
}

The response contains the upload_url, to be used for uploading the mobile binary; this URL will only be valid for 10 minutes.

Step 2 - Actual upload

After retrieving the upload_url, the mobile app binary should be sent as a standard multipart file upload, with the following arguments:

  • file: The mobile binary (APK, IPA, APPX or XAP) to be scanned.
  • username (optional): Username to be used to log into the application for dynamic scanning.
  • password (optional): Password to be used to log into the application for dynamic scanning.
  • comments (optional): Miscellaneous comments regarding the upload.
  • release_id (optional): Only useful when processing results via the Webhook API. This custom ID will be present in the result payload and can be used to map a specific build with its scan results. If not set, it will default to the build version.

Authentication

Since the upload_url is unique for each upload, there is no need to authenticate with the Upload API Key.

Request

POST {upload_url}

The request must be a standard multipart file upload, the mobile app binary is expected in the file field.

...

Since the upload_url is unique for each upload, there is no need to authenticate with the Upload API key.

Response

A successful upload returns a status code 200 and status text ok.

...

{
  "status": "package_corrupted",
  "error": "Build looks corrupted",
  "session_id": "<session_id>"
}
Status/error code mapping
  • 200/ok: upload succeed
  • 401/unauthorized: unauthorized (bad credentials or the url may have expired)
  • 403/mobile_app_has_no_subscription: this mobile app has no active subscription, please contact Data Theroem
  • 415/unauthorized_package_extension: unauthorized extension, must be ipa/apk/xap/appx, case insensitive
  • 422/package_corrupted: package corrupted
  • 500/error: internal server error

...