Overview

This module provides a cross-platform command line interface for developers and IT administrators to create, scan and protect Android and iOS mobile apps

Features

  1. Login
  2. Create an app container in Quixxi
  3. List apps in your account
  4. Scan your app
  5. Download scan report
  6. List the current Shield settings values
  7. Configure the Shield settings
  8. Download the protected unsigned app
  9. Download the protected debug signed app [Android ONLY]
  10. Logout

Installation

Minimum requirements

  1. Node.js version: 10.13.0
  2. npm version: 6.4.1
  3. Python version: 2.7.15
  4. for Unix systems also: gcc [Mac] or g++ [Ubuntu]

Verify the requirements

In order to check the current version of Node.js, npm and Python independently from the operating system please run:

nodejs -v
npm -v
python -V

Installing Quixxi-CLI

Run the following command on your shell or command prompt to install quixxi-cli. If you are on a Windows machine, please run it as administrator

npm i quixxi-cli -g

NOTE: the -g flag will install the package globally on the machine

Starting Quixxi-CLI

After the installation, in order to run Quixxi-CLI please type:

quixxi

Available Commands

List of Quixxi-CLI commands

This command provides the list of all the available commands
Usage

help

Login

Login to your Quixxi account
Usage

login -u [email] or login –username [email]
password: [password]

Example

login -u test@test.com
password: [password]

Example Output

login -u test@test.com
password: [enter your password]
Login Success

List the apps

This command shows the list of apps under your Quixxi account
Command

list apps

Example Output

App Nameid
ExampleAppxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Create a new app container

This command allows you to create the app container that will host both the Android and iOS versions of your app
Usage

create app –a [app container name] or create app –appname [app container name]

Example

create app -a MyNewApp

Example Output

create app -a MyNewApp
App created successfully

Scan your app and get the Vulnerability Report link

This command scans your app and makes the related Vulnerability Report available on the portal in the selected app container. Finally, it gives back a publicly available link to this document
Usage

scan [options]

Options:
-a, --appIdOrName – Name of the app Container or Application GUID
-f, --filepath – Absolute path for the file to be uploaded for scan
-d , --destinationPath [destinationPath] – (Optional Parameter) Absolute Path to save the report. Default Value - Provides a link to download
-t, --type [type] – (Optional Parameter) type of the format to download. Default Format is pdf.

Allowed formats:

TypeFormat
Pdfpdf
Xmlxml
Jsonjson

-o, --onlyVulnerabilitiesPresent [true/false] – (Optional Parameter) Generate report with all vulnerabilities scanned or the vulnerabilities present in the application. Default values is true.

Allowed Values:

TypeValue
Report with Vulnerabilities Presenttrue
Report with all vulnerabilities scannedfalse

Example

To scan and get report link in default (pdf) format

scan -a MyNewApp -f "/Users/MyName/MyNewAppFolder/MyNewApp.ipa"
scan -a MyNewApp -f "C:Users/MyName/MyOriginalApps/MyNewApp.apk"

To scan and get report link in xml format

Scan -a MyNewApp -f “/Users/MyName/MyApps/MyNewApp.apk”-t xml

To scan and get report link with vulnerabilities that is present in the app

scan -a MyNewApp -f /Users/MyName/MyApps/MyNewApp.apk -t pdf -o true

To scan and get report link with all vulnerabilities that is scanned

scan -a MyNewApp -f /Users/MyName/MyApps/MyNewApp.apk -t pdf -o false

To scan and save report in the local path

scan -a MyNewApp -f /Users/MyName/MyApps/MyNewApp.apk -d /Users/MyName /Downloads/sample.pdf -o true

Output

scan -a MyNewApp -f "C:UsersMyNameMyOriginalAppsMyNewApp.apk"
Uploading File [100%====================]
Scanning your App [100%====================]
PDF link :
https://portal-api.quixxi.com/storage/VulnerabilityTest/2f0nv64d-fg2a-4370-878a-7420ff0ed446_com.mycompany.mynewapp.pdf

To get the Vulnerability Report link for the last scan

This command generates the related Vulnerability Report available on the portal in the selected app container. Finally, it gives back a publicly available link to this document

Usage

download scanReport [options]

Options:
-a, --appIdOrName - Name of the app container or application GUID
-p, --platformName - Name of the platform

PlatformValue
Androidandroid
iOSiOS

-d, --destinationPath [destinationPath] – (Optional Parameter) Absolute path to download the report.
-t, --type [type] – (Optional Parameter) type of the format to download. Default Format is pdf.

Allowed formats:

TypeFormat
Pdfpdf
Xmlxml
Jsonjson

-o, --onlyVulnerabilitiesPresent [true/false] – (Optional Parameter) Generate report with all vulnerabilities scanned or the vulnerabilities present in the application. Default values is true.

Allowed Values:

TypeValue
Report with Vulnerabilities Presenttrue
Report with all vulnerabilities scannedfalse

Example

To get report link in default (pdf) format

download scanReport -a MyNewApp -p android

To download report to local machine

download scanReport -a VulnerableApp -p android -d /Users/MyName/Downloads/sampleReport.pdf

To download report in xml format

download scanReport -a VulnerableApp -p android -d /Users/MyName/Downloads/sampleReport.xml
or
download scanReport -a VulnerableApp -p android -t xml

To download report with vulnerabilities detected on the app

download scanReport -a VulnerableApp -p android -o true

To download report with all vulnerabilities scanned

download scanReport -a VulnerableApp -p android -o false

Output

download scanReport -a VulnerableApp -p android -o false
PDF link :
https://quixxistorage.blob.core.windows.net/storage/VulnerabilityTest/e11f1f05-89e2-4d29-b16a-ca4784355641_damnvulnerableapp.pdf?sv=???

List the current Shield settings

The purpose of this command is twofold. First of all it is needed to list the optionKeys that will be used to configure the Shield Settings through the next command. Moreover, it is the command to run to double-check the Shield settings before protecting the app. In fact, the settings changes made by the following command are permanently saved against the app, so closing the terminal will NOT discard the previous changes even if the Shield was not launched

Usage :

list protectionOptions for [options]

Options:
-a, --appIdOrName Name of the application or application GUID
-p, --platformName Name of the Plaform

PlatformValue
Androidandroid
iOSiOS

Example

list protectionOptions for -a MyNewApp -p android
list protectionOptions for -a MyNewApp -p iOS

Configure the Shield settings

Before protecting the app it is important to set up the single Shield options, exactly as it happens on the portal. So this command allows you to customize the security parameters. In order to speed up the Shield configuration it is highly suggested to modify only those options that will be chosen differently from the default configurations of each platform. Again, the Shield settings changes are permanently saved against the app, so closing the terminal will NOT discard the changes made till that moment IMPORTANT - ONLY the options that are editable on the portal will be modifiable also from command line

Usage:

set protectionOptions for [options]

Options:
-a, --appIdOrName Name of the application or Application GUID
-p, --platformName Name of the Platform
-o, --optionName Name of the shield setting
-v, --optionValue Value for the shield setting [1 for ON and 0 for OFF]

Example

set protectionOptions for -a MyNewApp -p android -o disableScreenshots -v 1
set protectionOptions for -a XXXX-XXXX-XXXXXXX-XXXXX-XXXX -p android -o disableScreenshots -v 1

Output

Configuration Updated

IMPORTANT: all the options in the following table that are marked with [N] will work ONLY on Native apps, i.e. Android apps written in Java or Kotlin and iOS apps written in Obj-C or Swift. The option marked with [C] instead is destined to Cordova apps. If you don't know the technology behind the app to be shielded don't worry because Quixxi will detect it for you. So you can still select every option you like and if they don't match your app then Quixxi will simply skip them while producing the final protected app. The entries whose default values are indicated with a hyphen are editable only if the value of the preceding entry with an assigned default value will be set to 1

Android entryoptionKeyDefault Value
[N] Remove app logsremoveDebugLogs1
[N] Disable Copy & Paste FunctionalitycopyPasteProtection0
Disable screenshots capture & screen sharingdisableScreenshots0
Terminate the app when running in rooted devicerootDetection0
Allow apps installed from Google Play, Samsung and Amazon stores to bypass the root protectionplayStoreDetection-
Terminate the app when connected to the emulatoremulatorDetection0
Integrate Malware Detector SDKquixxiMalwareDetection0
Machine Learning based malware detectionquixxiMachineLearningBasedMalwareDetection-
Warn the UserquixxiPresenceOfMalware-
Stop the app executionquixxiApplicationExcuteMalware-
Disable ADB BackupADBBackup0
Report to Quixxi portal after threat detectionthreatLogToCloud1
Terminate the app when running with the debugger attacheddebuggerDetection0
[C] Encrypt the assets folderencryptResourceFiles0
Terminate the app when “USB debugging” is enableddetectUSBDebugging0
Terminate the app if installation from “Unknown Sources” is enableddetectUnknownSourcesInstallation0
[N] Remove unused imagesremoveUnusedResources1
Send crash reports to Quixxi portalcrashLogReporting0
iOS entryoptionKeyDefault Value
Disable copy & paste functionality on standard text fieldscopyPasteProtection0
[N] Disable paste option on password text fieldsquixxiDisablePasteOption0
Prevent screen recording via QuickTime Player and Screen RecordingquixxiMovieRecording0
Prevent AirPlay Screen MirroringquixxiScreenMirroring0
Blur the app when put in backgroundblurApplicationScreen0
Terminate the app running in jailbroken devicesjailBrokenDevice0
Allow apps installed from AppStore to bypass the jailbreak protectionallowJailBrokenForAppStore0
Report to Quixxi portal after threat detectionThreatLogToCloud1
Validate app integrityquixxiChecksumValidation1
Terminate your Published or TestFlight app when resignedquixxiIntegrityVerification0
Terminate the app when running with the debugger attacheddebuggerDetection0
[N] Encrypt the UserDefaults valuesquixxiEncryptAppPreferences0
[N] Encrypt files created and used by the application at runtimequixxiEncryptFilecreate0
Send events and device info to Quixxi portal [basic version]reportUserAndDeviceUsage1
Send crash reports to Quixxi portalcrashLogReporting0

Shield the application

This command shields your app, returns the outcome of the Shield operation, makes its protected version available on the portal in the selected app container and finally downloads it too in the specified path

Usage

shield [options]

Options:
-a, --appIdOrName Name of the application
-f, --filepath Absolute file path to the app to be shielded.
-o, --outputFileName New name for the file to be downloaded.

Example

shield -a MyNewApp -f /Users/MyName/Downloads/MyNewApp.apk -o testfile

Example Output

shield -a MyNewApp -f /Users/MyName/Downloads/MyNewApk -o testfile.zip
Uploading File [100%====================]
Protecting your app [100%====================]
Protection successful, Downloading protected file
File downloaded successfully:/Users/apple/Downloads/testfile.zip

Download the protected unsigned app

This command will let you download a zipped copy of the last protected unsigned app without the need to shield it again

Usage

download protectedApp [options]

Options
-a, --appIdOrName Name of the application
-p, --platformName Name of the platform.
-o, --outputFileName New name for the file to be downloaded.

Example

download protectedApp -a MyNewApp -p android -o mynewname.zip

Example Output

download protectedApp -a MyNewApp -p android -o mynewname.zip
Protection successful, Downloading protected file
File downloaded successfully:/Users/apple/Downloads/mynewname.zip

Download the test app [Android only]

This command will download the latest test version of your protected app. The app will be signed by Quixxi debug.keystore, so it can be installed directly on device

Usage

download protectedDebugSignedApp [options]

Options:
-a, --appIdOrName - Application Name or Application GUID
-o, --outputFileName [outputFilename] – (Optional Parameter) New file name for the file to be downloaded.
By default, it save the downloaded file with name “protectedApp.apk”

Example

download protectedDebugSignedApp -a MyNewApp
download protectedDebugSignedApp -a MyNewApp -o sampleapp.apk

Example Output

ownload protectedDebugSignedApp -a ragutest
Protection successful, Downloading protected file
File downloaded successfully:/Users/MyName/Downloads/protectedApp.apk

Logout

Logout from your Quixxi account

Usage

logout

Exit

This command exits the Quixxi prompt

Usage

exit

Overview

This module provides a cross-platform command line interface for developers and IT administrators to create, scan and protect Android and iOS mobile apps

Features

  1. Login
  2. Create an app container in Quixxi
  3. List apps in your account
  4. Scan your app
  5. Download scan report
  6. List the current Shield settings values
  7. Configure the Shield settings
  8. Download the protected unsigned app
  9. Download the protected debug signed app [Android ONLY]
  10. Logout

Installation

Minimum requirements

  1. Node.js version: 10.13.0
  2. npm version: 6.4.1
  3. Python version: 2.7.15
  4. for Unix systems also: gcc [Mac] or g++ [Ubuntu]

Verify the requirements

In order to check the current version of Node.js, npm and Python independently from the operating system please run:

nodejs -v
npm -v
python -V

Installing Quixxi-CLI

Run the following command on your shell or command prompt to install quixxi-cli. If you are on a Windows machine, please run it as administrator

npm i quixxi-cli -g

NOTE: the -g flag will install the package globally on the machine

Starting Quixxi-CLI

After the installation, in order to run Quixxi-CLI please type:

quixxi

Available Commands

List of Quixxi-CLI commands

This command provides the list of all the available commands
Usage

help

Login

Login to your Quixxi account
Usage

login -u [email] or login –username [email]
password: [password]

Example

login -u test@test.com
password: [password]

Example Output

login -u test@test.com
password: [enter your password]
Login Success

List the apps

This command shows the list of apps under your Quixxi account
Command

list apps

Example Output

App Nameid
ExampleAppxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Create a new app container

This command allows you to create the app container that will host both the Android and iOS versions of your app
Usage

create app –a [app container name] or create app –appname [app container name]

Example

create app -a MyNewApp

Example Output

create app -a MyNewApp
App created successfully

Scan your app and get the Vulnerability Report link

This command scans your app and makes the related Vulnerability Report available on the portal in the selected app container. Finally, it gives back a publicly available link to this document
Usage

scan [options]

Options:
-a, --appIdOrName – Name of the app Container or Application GUID
-f, --filepath – Absolute path for the file to be uploaded for scan
-d , --destinationPath [destinationPath] – (Optional Parameter) Absolute Path to save the report. Default Value - Provides a link to download
-t, --type [type] – (Optional Parameter) type of the format to download. Default Format is pdf.

Allowed formats:

TypeFormat
Pdfpdf
Xmlxml
Jsonjson

-o, --onlyVulnerabilitiesPresent [true/false] – (Optional Parameter) Generate report with all vulnerabilities scanned or the vulnerabilities present in the application. Default values is true.

Allowed Values:

TypeValue
Report with Vulnerabilities Presenttrue
Report with all vulnerabilities scannedfalse

Example

To scan and get report link in default (pdf) format

scan -a MyNewApp -f "/Users/MyName/MyNewAppFolder/MyNewApp.ipa"
scan -a MyNewApp -f "C:Users/MyName/MyOriginalApps/MyNewApp.apk"

To scan and get report link in xml format

Scan -a MyNewApp -f “/Users/MyName/MyApps/MyNewApp.apk”-t xml

To scan and get report link with vulnerabilities that is present in the app

scan -a MyNewApp -f /Users/MyName/MyApps/MyNewApp.apk -t pdf -o true

To scan and get report link with all vulnerabilities that is scanned

scan -a MyNewApp -f /Users/MyName/MyApps/MyNewApp.apk -t pdf -o false

To scan and save report in the local path

scan -a MyNewApp -f /Users/MyName/MyApps/MyNewApp.apk -d /Users/MyName /Downloads/sample.pdf -o true

Output

scan -a MyNewApp -f "C:UsersMyNameMyOriginalAppsMyNewApp.apk"
Uploading File [100%====================]
Scanning your App [100%====================]
PDF link :
https://portal-api.quixxi.com/storage/VulnerabilityTest/2f0nv64d-fg2a-4370-878a-7420ff0ed446_com.mycompany.mynewapp.pdf

To get the Vulnerability Report link for the last scan

This command generates the related Vulnerability Report available on the portal in the selected app container. Finally, it gives back a publicly available link to this document

Usage

download scanReport [options]

Options:
-a, --appIdOrName - Name of the app container or application GUID
-p, --platformName - Name of the platform

PlatformValue
Androidandroid
iOSiOS

-d, --destinationPath [destinationPath] – (Optional Parameter) Absolute path to download the report.
-t, --type [type] – (Optional Parameter) type of the format to download. Default Format is pdf.

Allowed formats:

TypeFormat
Pdfpdf
Xmlxml
Jsonjson

-o, --onlyVulnerabilitiesPresent [true/false] – (Optional Parameter) Generate report with all vulnerabilities scanned or the vulnerabilities present in the application. Default values is true.

Allowed Values:

TypeValue
Report with Vulnerabilities Presenttrue
Report with all vulnerabilities scannedfalse

Example

To get report link in default (pdf) format

download scanReport -a MyNewApp -p android

To download report to local machine

download scanReport -a VulnerableApp -p android -d /Users/MyName/Downloads/sampleReport.pdf

To download report in xml format

download scanReport -a VulnerableApp -p android -d /Users/MyName/Downloads/sampleReport.xml
or
download scanReport -a VulnerableApp -p android -t xml

To download report with vulnerabilities detected on the app

download scanReport -a VulnerableApp -p android -o true

To download report with all vulnerabilities scanned

download scanReport -a VulnerableApp -p android -o false

Output

download scanReport -a VulnerableApp -p android -o false
PDF link :
https://quixxistorage.blob.core.windows.net/storage/VulnerabilityTest/e11f1f05-89e2-4d29-b16a-ca4784355641_damnvulnerableapp.pdf?sv=???

List the current Shield settings

The purpose of this command is twofold. First of all it is needed to list the optionKeys that will be used to configure the Shield Settings through the next command. Moreover, it is the command to run to double-check the Shield settings before protecting the app. In fact, the settings changes made by the following command are permanently saved against the app, so closing the terminal will NOT discard the previous changes even if the Shield was not launched

Usage :

list protectionOptions for [options]

Options:
-a, --appIdOrName Name of the application or application GUID
-p, --platformName Name of the Plaform

PlatformValue
Androidandroid
iOSiOS

Example

list protectionOptions for -a MyNewApp -p android
list protectionOptions for -a MyNewApp -p iOS

Configure the Shield settings

Before protecting the app it is important to set up the single Shield options, exactly as it happens on the portal. So this command allows you to customize the security parameters. In order to speed up the Shield configuration it is highly suggested to modify only those options that will be chosen differently from the default configurations of each platform. Again, the Shield settings changes are permanently saved against the app, so closing the terminal will NOT discard the changes made till that moment IMPORTANT - ONLY the options that are editable on the portal will be modifiable also from command line

Usage:

set protectionOptions for [options]

Options:
-a, --appIdOrName Name of the application or Application GUID
-p, --platformName Name of the Platform
-o, --optionName Name of the shield setting
-v, --optionValue Value for the shield setting [1 for ON and 0 for OFF]

Example

set protectionOptions for -a MyNewApp -p android -o disableScreenshots -v 1
set protectionOptions for -a XXXX-XXXX-XXXXXXX-XXXXX-XXXX -p android -o disableScreenshots -v 1

Output

Configuration Updated

IMPORTANT: all the options in the following table that are marked with [N] will work ONLY on Native apps, i.e. Android apps written in Java or Kotlin and iOS apps written in Obj-C or Swift. The option marked with [C] instead is destined to Cordova apps. If you don't know the technology behind the app to be shielded don't worry because Quixxi will detect it for you. So you can still select every option you like and if they don't match your app then Quixxi will simply skip them while producing the final protected app. The entries whose default values are indicated with a hyphen are editable only if the value of the preceding entry with an assigned default value will be set to 1

Android entryoptionKeyDefault Value
[N] Remove app logsremoveDebugLogs1
[N] Disable Copy & Paste FunctionalitycopyPasteProtection0
Disable screenshots capture & screen sharingdisableScreenshots0
Terminate the app when running in rooted devicerootDetection0
Allow apps installed from Google Play, Samsung and Amazon stores to bypass the root protectionplayStoreDetection-
Terminate the app when connected to the emulatoremulatorDetection0
Integrate Malware Detector SDKquixxiMalwareDetection0
Machine Learning based malware detectionquixxiMachineLearningBasedMalwareDetection-
Warn the UserquixxiPresenceOfMalware-
Stop the app executionquixxiApplicationExcuteMalware-
Disable ADB BackupADBBackup0
Report to Quixxi portal after threat detectionthreatLogToCloud1
Terminate the app when running with the debugger attacheddebuggerDetection0
[C] Encrypt the assets folderencryptResourceFiles0
Terminate the app when “USB debugging” is enableddetectUSBDebugging0
Terminate the app if installation from “Unknown Sources” is enableddetectUnknownSourcesInstallation0
[N] Remove unused imagesremoveUnusedResources1
Send crash reports to Quixxi portalcrashLogReporting0
iOS entryoptionKeyDefault Value
Disable copy & paste functionality on standard text fieldscopyPasteProtection0
[N] Disable paste option on password text fieldsquixxiDisablePasteOption0
Prevent screen recording via QuickTime Player and Screen RecordingquixxiMovieRecording0
Prevent AirPlay Screen MirroringquixxiScreenMirroring0
Blur the app when put in backgroundblurApplicationScreen0
Terminate the app running in jailbroken devicesjailBrokenDevice0
Allow apps installed from AppStore to bypass the jailbreak protectionallowJailBrokenForAppStore0
Report to Quixxi portal after threat detectionThreatLogToCloud1
Validate app integrityquixxiChecksumValidation1
Terminate your Published or TestFlight app when resignedquixxiIntegrityVerification0
Terminate the app when running with the debugger attacheddebuggerDetection0
[N] Encrypt the UserDefaults valuesquixxiEncryptAppPreferences0
[N] Encrypt files created and used by the application at runtimequixxiEncryptFilecreate0
Send events and device info to Quixxi portal [basic version]reportUserAndDeviceUsage1
Send crash reports to Quixxi portalcrashLogReporting0

Shield the application

This command shields your app, returns the outcome of the Shield operation, makes its protected version available on the portal in the selected app container and finally downloads it too in the specified path

Usage

shield [options]

Options:
-a, --appIdOrName Name of the application
-f, --filepath Absolute file path to the app to be shielded.
-o, --outputFileName New name for the file to be downloaded.

Example

shield -a MyNewApp -f /Users/MyName/Downloads/MyNewApp.apk -o testfile

Example Output

shield -a MyNewApp -f /Users/MyName/Downloads/MyNewApk -o testfile.zip
Uploading File [100%====================]
Protecting your app [100%====================]
Protection successful, Downloading protected file
File downloaded successfully:/Users/apple/Downloads/testfile.zip

Download the protected unsigned app

This command will let you download a zipped copy of the last protected unsigned app without the need to shield it again

Usage

download protectedApp [options]

Options
-a, --appIdOrName Name of the application
-p, --platformName Name of the platform.
-o, --outputFileName New name for the file to be downloaded.

Example

download protectedApp -a MyNewApp -p android -o mynewname.zip

Example Output

download protectedApp -a MyNewApp -p android -o mynewname.zip
Protection successful, Downloading protected file
File downloaded successfully:/Users/apple/Downloads/mynewname.zip

Download the test app [Android only]

This command will download the latest test version of your protected app. The app will be signed by Quixxi debug.keystore, so it can be installed directly on device

Usage

download protectedDebugSignedApp [options]

Options:
-a, --appIdOrName - Application Name or Application GUID
-o, --outputFileName [outputFilename] – (Optional Parameter) New file name for the file to be downloaded.
By default, it save the downloaded file with name “protectedApp.apk”

Example

download protectedDebugSignedApp -a MyNewApp
download protectedDebugSignedApp -a MyNewApp -o sampleapp.apk

Example Output

ownload protectedDebugSignedApp -a ragutest
Protection successful, Downloading protected file
File downloaded successfully:/Users/MyName/Downloads/protectedApp.apk

Logout

Logout from your Quixxi account

Usage

logout

Exit

This command exits the Quixxi prompt

Usage

exit

Comments are closed.