esChecker is a Dynamic Application Security Testing (DAST) tool for mobile applications that executes security tests on real devices rather than emulators.
The platform identifies vulnerabilities in Android APK and iOS IPA files through runtime analysis, producing actionable results with minimal false positives.
What is esChecker?
esChecker addresses a fundamental limitation of mobile security testing: emulator-based analysis misses vulnerabilities that only manifest on actual hardware.
Many mobile applications implement emulator detection to prevent analysis, and certain security issues related to hardware security modules, secure enclaves, and device-specific APIs only appear on physical devices. esChecker maintains a farm of real Android and iOS devices that execute applications under controlled conditions.
The platform targets security teams at financial institutions, healthcare organizations, and enterprises with stringent mobile security requirements.
Rather than replacing manual penetration testing, esChecker automates routine security checks to free up security professionals for deeper analysis.
Key Features
Real Device Testing
The core differentiator is execution on physical mobile hardware.
This approach provides:
- Accurate results unaffected by emulator detection mechanisms
- Testing of hardware-backed security features like Secure Enclave and TrustZone
- Realistic network and sensor behavior
- Coverage of device-specific vulnerabilities
User Journey Recording
Security testers can record interaction sequences that guide the scanner through application workflows.
This enables testing of functionality behind authentication or complex navigation paths.
Recorded Journey Example:
1. Launch application
2. Tap "Sign In" button
3. Enter test credentials
4. Navigate to "Account Settings"
5. Access "Payment Methods"
6. Return to home screen
Recorded journeys ensure the scanner reaches critical functionality that automated crawling might miss, such as payment flows, sensitive data screens, and administrative features.
OWASP Preset Campaigns
esChecker includes preconfigured testing campaigns aligned with OWASP Mobile Application Security Verification Standard (MASVS) categories:
| Campaign | Focus Areas |
|---|---|
| Banking | Encryption, certificate pinning, secure storage, session management |
| Healthcare | PHI protection, HIPAA controls, data encryption at rest |
| Gaming | Anti-cheat bypass, in-app purchase security, user data protection |
| General | OWASP Mobile Top 10 coverage |
Intelligent Result Analysis
The platform includes contextual analysis to distinguish actual vulnerabilities from benign findings.
It recognizes common UI patterns, error messages, and expected application behaviors to minimize noise in results.
Reports reflect genuine security issues rather than theoretical risks.
How to Use esChecker
Testing Workflow
- Upload Binary: Submit your APK or IPA file through the web interface
- Record User Journeys: Optionally capture interaction sequences for thorough coverage
- Select Campaign: Choose a preset profile matching your application category
- Configure Parameters: Set credentials, environment variables, and test scope
- Execute Scan: Launch testing on the real device farm
- Review Results: Reports generate within 20-30 minutes
Uploading Applications
```bash
# Upload via API (path/to/app.apk is a placeholder for your binary)
curl -X POST "https://eschecker.eshard.com/api/v1/applications" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -F "file=@path/to/app.apk" \
  -F "name=MyBankingApp" \
  -F "platform=android"
```
Starting a Scan
```bash
# Initiate security scan
curl -X POST "https://eschecker.eshard.com/api/v1/scans" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "application_id": "app_123",
    "campaign": "banking",
    "journey_id": "journey_456"
  }'
```
Integration
GitHub Actions
```yaml
name: Mobile Security Scan
on:
  release:
    types: [created]
jobs:
  eschecker-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Android App
        run: ./gradlew assembleRelease
      - name: Upload to esChecker
        id: upload
        run: |
          # -f (--fail) makes curl exit non-zero on an HTTP error; with the
          # default bash -eo pipefail shell the job then stops instead of
          # passing an empty id to the scan step
          APP_ID=$(curl -fsS -X POST "https://eschecker.eshard.com/api/v1/applications" \
            -H "Authorization: Bearer ${{ secrets.ESCHECKER_TOKEN }}" \
            -F "file=@app/build/outputs/apk/release/app-release.apk" \
            -F "platform=android" \
            | jq -r '.id')
          echo "app_id=$APP_ID" >> "$GITHUB_OUTPUT"
      - name: Run Security Scan
        run: |
          curl -fsS -X POST "https://eschecker.eshard.com/api/v1/scans" \
            -H "Authorization: Bearer ${{ secrets.ESCHECKER_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d '{"application_id": "${{ steps.upload.outputs.app_id }}", "campaign": "general"}'
```
GitLab CI
```yaml
mobile-security:
  stage: security
  script:
    - |
      # Upload IPA and run scan; abort on HTTP errors or a failed jq step
      set -eo pipefail
      APP_ID=$(curl -fsS -X POST "https://eschecker.eshard.com/api/v1/applications" \
        -H "Authorization: Bearer $ESCHECKER_TOKEN" \
        -F "file=@build/MyApp.ipa" \
        -F "platform=ios" | jq -r '.id')
      curl -fsS -X POST "https://eschecker.eshard.com/api/v1/scans" \
        -H "Authorization: Bearer $ESCHECKER_TOKEN" \
        -H "Content-Type: application/json" \
        -d '{"application_id": "'"$APP_ID"'", "campaign": "healthcare"}'
  only:
    - tags
  artifacts:
    reports:
      # eschecker-results.xml is not written by the commands above; a later
      # step that fetches the report must produce it
      junit: eschecker-results.xml
```
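The upload-then-scan sequence from the curl and CI snippets above, written as reusable shell functions; this is an added example, not eshard's own code. It assumes only the two endpoints and the `id` response field shown on this page; `ESCHECKER_CURL`, `extract_id`, `eschecker_upload` and `eschecker_scan` are names introduced here, and the checks make a pipeline fail on an HTTP error or a missing id instead of starting a scan with an empty `application_id`.

```bash
#!/usr/bin/env bash
# Added example wrapping the esChecker upload and scan calls (not eshard's code).
# Assumes POST /applications and POST /scans return a JSON body with an "id".
set -eu

ESCHECKER_API="${ESCHECKER_API:-https://eschecker.eshard.com/api/v1}"
# ESCHECKER_CURL lets a test substitute a stub for the real curl binary.
ESCHECKER_CURL="${ESCHECKER_CURL:-curl}"

# Print the "id" field of a JSON body; fail if the body carries none
# (sed instead of jq so the check also works on runners without jq).
extract_id() {
  local id
  id=$(printf '%s' "$1" | sed -n 's/.*"id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  [ -n "$id" ] || { echo "no id in response: $1" >&2; return 1; }
  printf '%s\n' "$id"
}

# Upload an APK/IPA and print the application id. -f makes curl return
# non-zero on HTTP 4xx/5xx, so set -e aborts the job at this point.
eschecker_upload() {
  local file="$1" platform="$2" name="$3" body
  [ -r "$file" ] || { echo "binary not found: $file" >&2; return 1; }
  body=$("$ESCHECKER_CURL" -fsS -X POST "$ESCHECKER_API/applications" \
    -H "Authorization: Bearer $ESCHECKER_TOKEN" \
    -F "file=@$file" -F "platform=$platform" -F "name=$name")
  extract_id "$body"
}

# Start a scan with a preset campaign and print the scan id.
eschecker_scan() {
  local app_id="$1" campaign="$2" body
  [ -n "$app_id" ] || { echo "refusing to scan without an application id" >&2; return 1; }
  body=$("$ESCHECKER_CURL" -fsS -X POST "$ESCHECKER_API/scans" \
    -H "Authorization: Bearer $ESCHECKER_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"application_id\": \"$app_id\", \"campaign\": \"$campaign\"}")
  extract_id "$body"
}

# Only contact the API when a token and a binary path are supplied.
if [ -n "${ESCHECKER_TOKEN:-}" ] && [ -n "${APP_BINARY:-}" ]; then
  app_id=$(eschecker_upload "$APP_BINARY" "${APP_PLATFORM:-android}" "${APP_NAME:-app}")
  eschecker_scan "$app_id" "${CAMPAIGN:-general}"
fi
```

In CI, export `ESCHECKER_TOKEN`, `APP_BINARY` and `CAMPAIGN` from the job's secrets and variables and run the script as one step.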
esCoaching Training
eshard offers companion training programs covering:
- Android and iOS reverse engineering fundamentals
- Advanced mobile security assessment techniques
- Cryptography analysis for mobile applications
- Hands-on penetration testing scenarios
Training sessions combine esChecker platform instruction with broader mobile security skills development.
When to Use esChecker
esChecker suits organizations with high-value mobile applications where security accuracy matters more than scan volume.
The real-device approach eliminates false positives from emulator artifacts while catching vulnerabilities that emulator-based tools miss.
Consider esChecker when you need:
- Testing applications with emulator detection or anti-tampering measures
- Compliance validation for regulated industries like finance or healthcare
- Accurate results without manual false positive triage
- Coverage of hardware security features like Secure Enclave
Teams with many low-risk applications or those seeking free tooling may prefer open-source alternatives like MobSF for initial assessments. esChecker works best as a thorough validation step for production releases rather than continuous development scanning.