Zimperium zScan is an automated Mobile Application Security Testing (MAST) solution that combines static, dynamic, and interactive analysis.
Part of the Zimperium Mobile Application Protection Suite (MAPS), zScan validates whether security controls like anti-reversing, anti-tampering, and SSL pinning are properly implemented.
The platform uses AI-driven analysis to identify vulnerabilities with minimal false positives.
What is Zimperium zScan?
Zimperium zScan provides comprehensive security analysis for Android and iOS applications.
Unlike scanners that only find vulnerabilities, zScan also verifies that defensive measures are correctly implemented.
This validation approach helps ensure applications are not just free of known vulnerabilities but also hardened against reverse engineering and runtime attacks.
zScan is part of Zimperium MAPS, which includes additional products for runtime protection (zShield), threat detection (zDefend), and developer tools.
Organizations can use zScan standalone or as part of the complete mobile security platform.
The scanner accepts APK, IPA, and AAB files, or can pull applications directly from App Store and Google Play URLs.
This flexibility allows security teams to analyze both internal builds and published applications.
Key Features
AI-Driven Analysis
zScan uses machine learning models trained on millions of mobile applications to identify vulnerability patterns.
The AI approach reduces false positives by understanding context and distinguishing between genuine vulnerabilities and benign code patterns that trigger traditional scanners.
Anti-Tampering Validation
The scanner verifies that anti-tampering controls are correctly implemented:
- Root/jailbreak detection
- Debugger detection
- Emulator detection
- Code integrity verification
- Hook detection
Organizations that have invested in mobile hardening solutions can confirm these protections are working as expected.
SSL Pinning Verification
zScan tests whether certificate pinning is properly implemented, including:
- Presence of pinning in network code
- Correct certificate or public key configuration
- Fallback behavior when pinning fails
- Pin rotation handling
Supply Chain Risk Detection
The platform identifies third-party SDKs and libraries, flagging those with known vulnerabilities or security concerns.
This visibility into the software supply chain helps organizations understand the risk introduced by dependencies they may not have written themselves.
Cross-Platform Support
zScan analyzes applications built with:
- Native: Swift, Objective-C (iOS), Kotlin, Java (Android)
- Cross-platform: Flutter, React Native, Xamarin
- Hybrid: Cordova, Ionic, PhoneGap
The analysis engine understands framework-specific vulnerability patterns and tests appropriately for each technology.
SAST + DAST + IAST
zScan combines multiple analysis approaches:
- Static Analysis (SAST): Examines decompiled code without execution
- Dynamic Analysis (DAST): Tests running application behavior
- Interactive Analysis (IAST): Instruments the application to observe internal operations
This multi-layered approach catches vulnerabilities that single-technique scanners miss.
Integration
Zimperium zScan integrates with CI/CD platforms through CLI tools and APIs.
GitHub Actions
name: Zimperium zScan
on:
push:
branches: [main, release/*]
pull_request:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up JDK
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Build APK
run: ./gradlew assembleRelease
- name: Zimperium zScan
uses: zimperium/zscan-action@v1
with:
api_key: ${{ secrets.ZIMPERIUM_API_KEY }}
app_file: app/build/outputs/apk/release/app-release.apk
fail_on_severity: high
- name: Upload Report
uses: actions/upload-artifact@v4
with:
name: zscan-report
path: zscan-results.json
GitLab CI
stages:
- build
- security
build:
stage: build
image: gradle:8-jdk17
script:
- ./gradlew assembleRelease
artifacts:
paths:
- app/build/outputs/apk/release/
zscan:
stage: security
image: python:3.11
before_script:
- pip install zimperium-cli
script:
- |
zscan upload \
--api-key "${ZIMPERIUM_API_KEY}" \
--file app/build/outputs/apk/release/app-release.apk \
--wait
zscan results \
--api-key "${ZIMPERIUM_API_KEY}" \
--format json \
--output zscan-report.json
# Fail on high severity
zscan check \
--api-key "${ZIMPERIUM_API_KEY}" \
--min-severity high
artifacts:
paths:
- zscan-report.json
Jenkins Pipeline
pipeline {
agent any
environment {
ZIMPERIUM_API_KEY = credentials('zimperium-api-key')
}
stages {
stage('Build') {
steps {
sh './gradlew assembleRelease'
}
}
stage('zScan Analysis') {
steps {
sh '''
pip install zimperium-cli
# Upload and scan
zscan upload \
--api-key $ZIMPERIUM_API_KEY \
--file app/build/outputs/apk/release/app-release.apk \
--wait
# Export results
zscan results \
--api-key $ZIMPERIUM_API_KEY \
--format json \
--output zscan-results.json
'''
}
}
stage('Security Gate') {
steps {
script {
def results = readJSON file: 'zscan-results.json'
def criticals = results.findings.findAll { it.severity == 'critical' }
if (criticals.size() > 0) {
error("Found ${criticals.size()} critical vulnerabilities")
}
}
}
}
}
post {
always {
archiveArtifacts artifacts: 'zscan-results.json', allowEmptyArchive: true
}
}
}
Azure DevOps
trigger:
- main
- release/*
pool:
vmImage: 'ubuntu-latest'
steps:
- task: Gradle@3
inputs:
gradleWrapperFile: 'gradlew'
tasks: 'assembleRelease'
- script: |
pip install zimperium-cli
zscan upload \
--api-key $(ZIMPERIUM_API_KEY) \
--file $(Build.SourcesDirectory)/app/build/outputs/apk/release/app-release.apk \
--wait
zscan results \
--api-key $(ZIMPERIUM_API_KEY) \
--format json \
--output $(Build.ArtifactStagingDirectory)/zscan-results.json
displayName: 'Zimperium zScan'
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: '$(Build.ArtifactStagingDirectory)/zscan-results.json'
artifactName: 'SecurityReport'
Scanning Published Apps
zScan can analyze applications directly from app stores:
# Scan from Google Play URL
zscan analyze \
--api-key YOUR_API_KEY \
--url "https://play.google.com/store/apps/details?id=com.example.app"
# Scan from App Store URL
zscan analyze \
--api-key YOUR_API_KEY \
--url "https://apps.apple.com/app/id123456789"
This capability is useful for competitive analysis, third-party app vetting, and validating production deployments.
API Reference
# Upload application for scanning
curl -X POST \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "[email protected]" \
https://api.zimperium.com/zscan/v1/upload
# Check scan status
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.zimperium.com/zscan/v1/scans/SCAN_ID/status
# Get vulnerability findings
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.zimperium.com/zscan/v1/scans/SCAN_ID/findings
# Get anti-tampering validation results
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.zimperium.com/zscan/v1/scans/SCAN_ID/protections
When to Use Zimperium zScan
zScan is well-suited for organizations that need to validate security controls, not just find vulnerabilities.
Consider zScan when:
- You use mobile hardening solutions and need to verify they work correctly
- Anti-tampering and anti-reversing validation is a requirement
- SSL pinning implementation needs to be verified
- AI-driven analysis with low false positives is important
- You need to scan published apps from app stores
- The complete MAPS suite for protection and detection is of interest
The platform works particularly well for organizations in regulated industries (finance, healthcare, government) where demonstrating proper implementation of security controls is required for compliance.
The ability to validate defensive measures rather than just find vulnerabilities differentiates zScan from scanners that only identify weaknesses.
Teams already using Zimperium zShield for application hardening will find zScan particularly valuable for confirming their protections are correctly applied.