What’s New 🚀✨
BeVigil OSINT API Launch
We are happy to announce the launch of the new BeVigil OSINT Service!
The BeVigil OSINT Service aids asset discovery from mobile apps and opens a new channel for asset recon. We maintain a searchable repository of more than 500,000 Android apps that have been extracted and unpacked, and the number grows continuously as users upload more apps in real time. Users can search for exposed or hardcoded assets such as API keys and secrets in app source code, and identify issues such as cloud misconfigurations, leaking assets, and exposed backend services.
Main services offered by the API
- Returns wordlist: For a given app package ID (example: com.whatsapp), get a wordlist combining paths, filenames, rest_api entries, URL parameters, and endpoints
- Finds Hosts: For a given app package ID, get all unique hostnames including domains and subdomains hardcoded inside the application
- Find S3 buckets: For a given package ID, get all S3 buckets referenced in the source code of the APK. Alternatively, for a given keyword, get all S3 URLs associated with that keyword
- Find all assets: For a given package ID, get all associated assets, including rest_api entries, paths, hostnames, subdomains, S3 buckets, IP addresses, filenames, AWS URLs, Azure containers, etc.
- Find Apps: For a given hostname, get all apps that contain any reference to it
- Find subdomains: Find subdomains for a given domain
- Returns URLs: For a given domain name, get all associated URLs
This tool provides access to millions of asset footprint data points, including domain intel, cloud services, API information, and third-party assets, extracted from the mobile apps continuously uploaded and scanned by users on bevigil.com. It is the first portal to give access to these previously untapped mobile app assets at this scale.
Enhancements to mobile app scanning
We have made major improvements to our app scanning capabilities by adding 56 new secret key detection rules (e.g. Juspay, Alibaba, Dropbox, and Azure) and 11 new cloud asset detection rules (e.g. Zendesk, Pastebin, Heroku). We have also added regexes for the top 12 CRM platforms, including Salesforce Sales Cloud, HubSpot Sales, Zendesk, Streak, Freshsales, and Zoho.
Using these rules, we recently discovered exposed HubSpot API keys in several apps, leading to the compromise of 1.6 million users’ data. The blog post about this discovery can be found here.
These additions help users learn more about the hardcoded sensitive information in mobile applications.
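The two capabilities described above (asset extraction for the OSINT API's wordlist, hosts and S3 services, and regex-based secret detection in the scanner) both start from the same step: scanning the decoded sources of an APK for URLs, hostnames, bucket names and key-shaped strings. The script below is an added illustration of that step, written for this page; it is not BeVigil's code and does not call the BeVigil API. The input is a constructed pair of source fragments (a strings.xml resource and a Java client) that contain no real credentials; the AWS key is the placeholder AWS itself uses in its documentation, and the Google key is a made-up string of the right shape. The short TLD list in HOST_RE and the two secret rules are deliberate simplifications.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of decoded APK sources: illustrative fragments written for
# this example, not extracted from any real application.
SAMPLE_SOURCES = {
    "res/values/strings.xml": """
<string name="base_url">https://api.example-bank.com/v2/</string>
<string name="cdn">https://static.example-bank.com/assets/logo.png</string>
<string name="pinned_host">auth.example-bank.com</string>
<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
""",
    "com/example/bank/net/ApiClient.java": """
String LOGIN = "https://api.example-bank.com/v2/auth/login?device_id=abc&otp=1234";
String KYC = "https://example-bank-uploads.s3.amazonaws.com/kyc/upload.php";
String LEGACY = "http://s3.ap-south-1.amazonaws.com/example-bank-legacy/reports.csv";
String MAPS = "AIzaSyExampleExampleExampleExample00000";
""",
}

# Absolute http(s) URLs, stopping at whitespace or quote/markup characters.
URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"'<>]*)?""")
# Bare hostnames outside URLs (e.g. a pinned host). TLD list is a simplification.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|in)\b")
# Virtual-hosted (bucket.s3[.region].amazonaws.com) and path-style
# (s3[.region].amazonaws.com/bucket/...) S3 endpoints.
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.\-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)
# Two well-known key formats; a real scanner carries many more rules.
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z\-_]{35}\b"),
}


def extract_assets(sources):
    """Scan {file_path: text} and return hosts, URLs, S3 buckets, wordlist parts and secrets."""
    found = {k: set() for k in ("hosts", "urls", "s3_buckets", "paths", "filenames", "params")}
    secrets = []
    for file_path, text in sources.items():
        for url in URL_RE.findall(text):
            found["urls"].add(url)
            parts = urlsplit(url)
            host = parts.hostname or ""
            found["hosts"].add(host)
            segments = [s for s in parts.path.split("/") if s]
            s3 = S3_HOST_RE.match(host)
            if s3:
                bucket = s3.group("bucket")
                if bucket is None and segments:      # path-style: first segment is the bucket
                    bucket, segments = segments[0], segments[1:]
                if bucket:
                    found["s3_buckets"].add(bucket)
            for seg in segments:
                found["paths"].add(seg)
                if "." in seg:                       # looks like a filename, e.g. upload.php
                    found["filenames"].add(seg)
            for name, _ in parse_qsl(parts.query, keep_blank_values=True):
                found["params"].add(name)
        for host in HOST_RE.findall(text):
            found["hosts"].add(host)
        for rule, rx in SECRET_RULES.items():
            for m in rx.finditer(text):
                secrets.append({"rule": rule, "file": file_path, "value": m.group(0)})
    result = {k: sorted(v) for k, v in found.items()}
    result["secrets"] = secrets
    return result


def wordlist(assets):
    """Combine paths, filenames and query parameter names into one fuzzing wordlist."""
    return sorted(set(assets["paths"]) | set(assets["filenames"]) | set(assets["params"]))


if __name__ == "__main__":
    assets = extract_assets(SAMPLE_SOURCES)
    for key in ("hosts", "s3_buckets", "urls"):
        print(f"{key}: {assets[key]}")
    print("wordlist:", wordlist(assets))
    for s in assets["secrets"]:
        print(f"SECRET {s['rule']} in {s['file']}: {s['value'][:8]}...")
```

On a real APK you would point this at the output of apktool or jadx and feed every .xml, .java, .smali and .js file through extract_assets; the hosts list is the seed for subdomain enumeration, the bucket list goes straight to an S3 permission check, and any secret hit should be treated as compromised and rotated rather than merely removed from the next build.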
Blog Redesign and new articles!
The Blog section in BeVigil has a facelift, with a simple, more intuitive, and brand-new UI!
Check out the latest blogs:
- Unraveling assets from Android apps at scale
- Exposed HubSpot API Keys Compromise 1.6 Million Users’ Data
- The Surge of Cybersecurity Challenges in Neobanking
- Dangerous Android Permissions to look out for in your apps
We are happy to announce the launch of our new BeVigil logo as part of the ongoing evolution of our product’s brand.
As part of an ongoing effort to make credits more accessible to our users, we have changed our credit ratio. With BeVigil 3.0, 1 credit = $0.25, which makes all Pro plans cheaper. Learn more on our pricing page.
We are also giving 25 free credits to users signing up with personal email addresses and 200 free credits to users signing up with business email addresses as part of this release.
Start downloading BeVigil reports!
For all BeVigil premium plans, we have added the ability to download reports. You can download the PDF version of a report and share it with your team and network!
Hiding reports is easier
Users who wish to hide their security reports can do so by clicking the “Hide Report” button at the top of the report. An OTP is then sent to the developer email address listed on the app’s Google Play Store page, so only the verified developer can hide a report; once the OTP is confirmed, the report becomes private. This protects the privacy of the developer’s intellectual property.
Important stats in the search bar on the homepage
Key statistics are now shown in the search bar on the BeVigil homepage to keep users up to date with our most recent findings. These statistics are live; visit bevigil.com to see them for yourself!
Report page right section buttons ordering
We have reordered the buttons in the right-hand section of the application report page so that the “Download PDF Report” button comes first, drawing attention to the newly added feature.
Scan App Page – UI/UX Improvements
Requesting app scans has never been easier. BeVigil presents a new, revamped Scan App page with UI/UX improvements. See it for yourself at https://bevigil.com/scan-app.
Increase in apk file upload limit
You asked and we delivered! Previously, users could not upload APK files larger than 100 MB on the Scan App page. We have raised this limit to give users a better experience with the product.
Searching for apps is now faster thanks to new enhancements. There is also an API key system that currently powers the OSINT API and will power all other clients, including the CLI and CI integrations we plan to add in upcoming versions.
Other miscellaneous additions, such as new error pages and UI improvements, have also been made.
To sum up, we hope BeVigil 3.0 provides value to app developers, security researchers, and organizations securing their mobile apps. If you have ideas about what we should include in our next version, hit us up at [email protected]
Until next time!