Solar appScreener brief description
Purpose
Solar appScreener is a static application code analyzer that identifies vulnerabilities and undocumented features. Its distinctive feature is the ability to analyze not only source code but also executables (binaries), returning much better results than when using DAST.
The analyzer can test apps written in 29 programming languages, or compiled into an executable file with one of 7 supported extensions, including those for Google Android, Apple iOS and Apple macOS. Mobile app code can be tested simply by pasting the app's Google Play or App Store link into the analyzer, which can be regarded as full mAST.
Supported programming languages
Supported executable file formats
To detect vulnerabilities and undocumented features, Solar appScreener uses more than 10 analysis methods, including lexical, syntax, semantic, taint, constant propagation, type propagation, synonym and control flow graph analysis. Users can configure analysis settings, exclude specific vulnerabilities, or run incremental analysis, in which only the changed code segments are checked.
Detected vulnerabilities and undocumented features are highlighted directly in the analyzed app code, even when found in executables (no debug_info file is needed). Analysis results for a project can be compared across the code changes that are routinely made during development, with the relevant notification sent by email.
Solar appScreener employs a Fuzzy Logic Engine based on Rostelecom-Solar's technological know-how, which applies fuzzy-set and fuzzy-logic mathematical tools to minimize the number of both false positives and false negatives for vulnerabilities and undocumented features.
Eliminating vulnerabilities and undocumented features requires not only detecting them but also correctly describing how they can be exploited and how to fix them. Solar appScreener provides detailed advice on eliminating detected vulnerabilities and undocumented features, describes the ways they can be exploited, and recommends how to configure a WAF. The Solar appScreener database of vulnerability and undocumented feature search rules is continuously updated by the analyzer's developers on the basis of their R&D.
To enable Secure SDLC, Solar appScreener integrates easily with Git repositories and with CI/CD servers such as Jenkins, Azure DevOps Server 2019 and TeamCity, offering quick analysis of both source and binary code. The solution can also be integrated with the Atlassian JIRA issue tracking system, which tracks the process of eliminating vulnerabilities and undocumented features. Support for Microsoft Active Directory streamlines access control for Solar appScreener when many developers use it.
For interoperability with other systems and services, the analyzer offers an open API.
Application areas
Solar appScreener is a must if companies need to:
Interface
The Solar appScreener GUI is aimed primarily at cybersecurity officers rather than developers. Its user interaction logic is intuitive and does not require deep technical knowledge to interpret analytical reports. Accordingly, Solar appScreener features a simple and intuitive interface with fully automated analysis, so a user can analyze app code in just two clicks.
The latest release of Solar appScreener offers easy navigation across projects and analysis reports, more descriptive and detailed project statistics, new project filters, and a dramatically improved admin page. The old interface remains one click away.
Russian and English user interfaces are available, and the operating language can be switched at any time.
In addition to the Solar appScreener GUI, a command-line interface is also available.
Licensing and supply
Solar appScreener can be deployed on the customer's site or provided as a Rostelecom-Solar cloud-based service (SaaS). For on-premises deployment, licensing is based on the number of users with access to the system; for SaaS, payment depends on the number of code verifications.
For smaller vendors and companies using custom apps, SaaS is the best option, because they need app code verification only occasionally. The customer purchases licenses for the required number of code verifications, uploads the code to the cloud via the web interface and waits for the analyzer to finish. Code can also be submitted for testing over a secure communication channel using a virtual private network (VPN).
Regulatory compliance
Solar appScreener is ideal for companies focused on compliance with security standards: users can generate a report in line with the vulnerability classification adopted in PCI DSS, OWASP Top 10 2017, OWASP Mobile Top 10 2016, HIPAA or CWE/SANS Top 25, dramatically facilitating regulatory compliance.