App-Ray mobile security


App-Ray is a powerful security analysis tool designed to automatically scan applications in order to detect vulnerability to hacking, data leaks, malicious code and other weaknesses. Both internally developed and external applications (used in BYOD) can be analyzed, allowing organizations to protect their employees and IT assets from external threats.

App-Ray’s fast and accurate scans enable organizations to analyze every new version of all applications that they distribute to their customers. Modules developed by subcontractors and 3rd party libraries can also be scanned to detect any potential security issues that could affect their customers. By examining all new revisions, App-Ray lets you detect possible regressions in a timely manner, which also saves development costs and resources.

Its fully automated scan process means that App-Ray can be used to aid the application vetting of internal and public app stores. It provides a comprehensive yet straightforward overview of all scanned applications that could be used to integrate with existing solutions. It does not require any deep and costly expertise to conduct scans and interpret their results.

  • Analyze any apps

    All kinds of apps can be analyzed; source code is not required


  • Fast and accurate results

    Multiple in-depth analyses of the latest mobile security vulnerabilities


  • Easy to use, easy to scale

    No deep expertise required, App-Ray can be scaled up to x000 scans/year


  • Cloud & on-premises supported

    App-Ray is available via cloud or can be installed on your premises

How it works

App-Ray combines bleeding-edge static and dynamic analysis techniques developed by Fraunhofer AISEC research. It operates on Android bytecode and does not require the source code of an application. Users can choose whether they want to manually interact with the application in the test environment or whether the analysis should run fully automatically and unassisted.

Metadata Analysis

In a first preparatory step, an app’s metadata is assessed, revealing information about the application’s permissions, components, and structure. Information gathered in this step sets the scope for the following static analysis.
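A minimal sketch of this kind of metadata pass, added here as an illustration and not App-Ray's own code: it reads an Android manifest, lists requested permissions and declared components, and derives a scope of exported, unguarded components for later static analysis. It assumes the manifest has already been decoded from the APK's binary form to text XML; the function names and the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in decoded text form; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.constructed.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.constructed.ADMIN"/>
    <provider android:name=".NotesProvider" android:exported="false"
              android:authorities="com.example.constructed.notes"/>
  </application>
</manifest>"""

def analyze_manifest(xml_text):
    """Return the package name, requested permissions and declared components."""
    root = ET.fromstring(xml_text)
    names = (p.get(A + "name") for p in root.iter("uses-permission"))
    report = {"package": root.get("package"),
              "permissions": sorted(n for n in names if n), "components": []}
    app = root.find("application")
    if app is None:
        return report
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        flag = comp.get(A + "exported")
        # No explicit flag: a component with an intent-filter is treated as
        # exported (the legacy default for apps targeting below Android 12).
        exported = (flag == "true") if flag is not None else (comp.find("intent-filter") is not None)
        report["components"].append({
            "type": comp.tag, "name": comp.get(A + "name"), "exported": exported,
            # A component without its own permission inherits the application's.
            "permission": comp.get(A + "permission") or app.get(A + "permission")})
    return report

def static_analysis_scope(report):
    """Exported components with no permission guard, i.e. reachable by other apps."""
    return [c["name"] for c in report["components"]
            if c["exported"] and c["permission"] is None]

if __name__ == "__main__":
    print(static_analysis_scope(analyze_manifest(SAMPLE_MANIFEST)))
```

An exported component is not a finding by itself; the returned list only narrows where data-flow tracing should start.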


Static Analysis

The static analysis investigates the bytecode and structure of an application without executing it. App-Ray features highly efficient bidirectional data flow tracing, revealing unwanted data flows that can violate security and privacy requirements. Threats to data integrity and secrecy, such as SQL injections or unprotected Intents, are identified in this step.


Plain Dynamic Analysis

During plain dynamic analysis, the original app is executed in a test environment and its behaviour is analyzed. Screenshots are taken, network traffic is recorded, and a full trace of syscalls and accessed files is created. Private information sent out to advertisement and user profiling platforms is identified. Users can choose whether they wish to interact with the app or whether the analysis runs entirely automatically.



Instrumentation makes a slight modification to the app to extract specific information from it in a hybrid static/dynamic analysis. Guided by potential findings from the static analysis step, particular versions of the app are crafted, which automatically jump to relevant parts and provide meaningful information when executed.


Hybrid Analysis

Guided by knowledge gained from static analysis and modifications injected by instrumentation, App-Ray’s hybrid analysis engine investigates the app’s runtime behaviour under specific security-relevant conditions. It ensures that critical parts of the app are executed and observed. Tracing of individual function calls and register values allows deep insights into the app’s behaviour. The hybrid engine attempts to provoke execution of vulnerable code fragments and records encrypted traffic in plaintext, allowing inspection for private information.



App-Ray presents its most relevant findings in a structured overview. A drill-down into detailed analysis results and raw data of the analysis is possible. All analysis results are stored in App-Ray and can be retrieved at a later time. Also, a signed report document can be downloaded.

  • Fully automated scans

    No manual interaction is required


  • Comprehensive reports

    • Executive overview
    • Highlighting all issues found


  • API for integration

    Automatic and batch mode processing


  • Multiple different analysis techniques


  • Drilling down into detected issues

    Highlight SMALI source for further analytics


  • Static code analysis

    • Coding problems (e.g. SQL injections, deprecated API usage)
    • Encryption related issues (SSL/TLS problems)
    • Capability & data leaks
    • Anti-debugging techniques


  • Easy to use, easy to scale

    • Unmodified & instrumented testing in emulator
    • Network communication
    • File access


  • Disassembling & analyzing obfuscated apps

    Code decompile (SMALI)


Our colleagues will gladly give you more information on how App-Ray can help you enhance the security of your mobile applications.
