Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

The following steps allow organizations to automatically scan pre-production releases of their mobiles apps using existing developer tools & processes. DevOps can fully automate the SDLC by integrating our API to existing CI/CD tools such as Travis CI, Jenkins, Bitrise, fastlane, Xcode server, etc. Please send the following info do your developers.

Data Theorem CI/CD API

The Upload API can be used to upload PreProd mobile binaries directly to Data Theorem for scanning.

In order to upload a PreProd mobile app binary, two API calls are needed:

  • The first one is to generate and retrieve an upload_url.
  • The second one is a standard multipart upload to the upload_url with the actual App binary (IPA, APK, etc.) and some additional, optional meta data (such as comments, or credentials needed for dynamic scanning).

Current Version

There is only one version: v1, available at https://api.securetheorem.com/uploadapi/v1/.

Endpoints

Step 1 - Upload Init

The upload process can be initialized by calling the this method.

Authentication

Authentication is done by passing your organization’s Upload API key as part of the the Authorizationheader:

Authorization: Bearer 1234567890abcdefgh

The Upload API key can be retrieved by users in the Data Theorem portal athttps://www.securetheorem.com/sdlc within the “API Key” section.

Request

POST /uploadapi/v1/upload_init

For example, this method can be called via curl using:

$ curl -X POST -H "Authorization: Bearer AAAABBBBCCCCAJ82/iNaIQ=="  --data ""  https://api.securetheorem.com/uploadapi/v1/upload_init

Response

{
 "upload_url": "https://appupload.securetheorem.com/_ah/upload/AMm[...]/"
}

The response contains the upload_url, to be used for uploading the mobile binary; this URL will only be valid for 10 minutes.

Step 2 - Actual upload

After retrieving the upload_url, the mobile app binary should be sent as a standard multipart file upload, with the following arguments:

  • file: The mobile binary (APK, IPA, APPX or XAP) to be scanned.
  • username (optional): Username to be used to log into the application for dynamic scanning.
  • password (optional): Password to be used to log into the application for dynamic scanning.
  • comments (optional): Miscellaneous comments regarding the upload.
  • release_id (optional): Only useful when processing results via the Webhook API. This custom ID will be present in the result payload and can be used to map a specific build with its scan results. If not set, it will default to the build version.

Authentication

Since the upload_url is unique for each upload, there is no need to authenticate with the Upload API Key.

Request

POST {upload_url}

The request must be a standard multipart file upload, the mobile app binary is expected in the file field.

For example, this method can be called via curl using:

$ curl -F file=@androidapp.apk -F "comments=uploaded with curl" -F "username=testuser" -F "password=testpass" https://appupload.securetheorem.com/_ah/upload/Aewsadw[...]/

Note: Pay special attention to the @ character that needs to be put in front of the file’s name, for the curl command to work.

Since the upload_url is unique for each upload, there is no need to authenticate with the Upload API key.

Response

A successful upload returns a status code 200 and status text ok.

{
  "session_id": "<session_id>",
  "status": "ok",
  "bundle_id": "com.myapp",
  "name": "My App",
  "is_app_new": false,
  "platform": "IOS"
}

Errors are also JSON formatted.

{
  "status": "package_corrupted",
  "error": "Build looks corrupted",
  "session_id": "<session_id>"
}
Status/error code mapping
  • 200/ok: upload succeed
  • 401/unauthorized: unauthorized (bad credentials or the url may have expired)
  • 403/mobile_app_has_no_subscription: this mobile app has no active subscription, please contact Data Theroem
  • 415/unauthorized_package_extension: unauthorized extension, must be ipa/apk/xap/appx, case insensitive
  • 422/package_corrupted: package corrupted
  • 500/error: internal server error


Once the CI/CD API is integrated, pre-production scans will be completed automatically. Please note:

  • Scan alerts will still be sent when pre-production scans start and complete
  • Public app store releases will still be scanned as well
  • All results will be published to the portal (where pre-prod apps are labeled as “PreProd”)
  • No labels