
7. Tool Services


To be compatible with AppVet, a tool service must conform to the API and protocol specifications described here.

7.1 Synchronous Tool Service

7.1.1 App Submission API

AppVet requires synchronous tool services to implement an API for submitting apps. The API must include at least the entities shown in Table 7-1a.


Table 7-1a. App submission API.

Entity      Name and/or Value      Description
Method      POST                   HTTP Request method.
Parameter   appfile = <appfile>    App file.



Note that a tool service may require additional parameters for app submission (e.g., a username and password for authenticating with the tool service).

7.1.2 HTTP Response

AppVet requires that synchronous services return a report and a risk assessment. The risk assessment determined by the tool service is returned in an HTTP Response header named toolrisk. The risk assessment value should be based on a standardized scoring system such as the Common Vulnerability Scoring System (CVSS) and mapped to one of three values: PASS, WARNING, or FAIL. If an error occurs with the tool service, then ERROR should be returned as the toolrisk header value. The HTTP Response for an app submission is shown in Table 7-1b.


Table 7-1b. HTTP response.

Entity        Name and/or Value    Description
Status Code   <statuscode>         HTTP status code.
Payload       <sessionid>          AppVet session ID.



7.1.3 Example Synchronous Service

An example synchronous tool service for verifying signatures of Android apps is available here.

7.2 Asynchronous Tool Service

7.2.1 App Submission API

AppVet requires that asynchronous services support an appid parameter in the incoming HTTP Request, in addition to the app file, as shown in Table 7-2a.


Table 7-2a. App submission API.

Entity      Name and/or Value      Description
Method      POST                   HTTP Request method.
Parameter   appfile = <appfile>    App file.
Parameter   appid = <appid>        The AppVet ID of the submitted app. When returning reports and risk assessments to AppVet, this ID must be included. See the AppVet SUBMIT_REPORT API.



7.2.2 HTTP Response

AppVet requires that asynchronous services return an HTTP Response with status code HTTP 202 Accepted immediately after receiving an app. The HTTP status code should reflect whether the app and its related information were received. Because the service is asynchronous, a separate call to the AppVet SUBMIT_REPORT API must be used to return the service's reports and risk assessments.


Table 7-2b. HTTP response.

Entity        Name and/or Value    Description
Status Code   <statuscode>         HTTP status code.
Payload       <sessionid>          AppVet session ID.



7.2.3 Example Asynchronous Service

An example asynchronous tool service for identifying the Android Master Key and Extra Field vulnerabilities is available here.

7.4 Asynchronous and Push Tool Reports

When sending reports and risk assessments to AppVet, an asynchronous or push tool service must use the AppVet SUBMIT_REPORT service.
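The following added example (not AppVet's code, and not the signature or Master Key example services linked above) shows, in Python, what both kinds of tool service in Sections 7.1 and 7.2 have to do with a request: parse the appfile (and, for the asynchronous case, appid) parameter from a multipart POST, map a CVSS score to the three-valued toolrisk, set the toolrisk header on a synchronous response, and answer 202 Accepted before the work is done on an asynchronous one, then build the SUBMIT_REPORT call that carries the appid back. Everything not stated on this page is an assumption of the example: the CVSS thresholds, the placeholder analysis in analyze_app (a META-INF/ presence check with an illustrative score, not real signature verification), the in-memory job store, the SUBMIT_REPORT URL placeholder, and the report field names other than appid. The sample APKs are constructed in sample_apk.

```python
import io
import zipfile
from email.parser import BytesParser
from email.policy import default

PASS, WARNING, FAIL, ERROR = "PASS", "WARNING", "FAIL", "ERROR"
# Placeholder: the page names the SUBMIT_REPORT service but gives no URL.
SUBMIT_REPORT_URL = "https://APPVET_HOST/appvet/SUBMIT_REPORT"
PENDING = {}  # appid -> app bytes; stand-in for a real work queue (assumption)


def cvss_to_toolrisk(score):
    """Map a CVSS base score to the three toolrisk values AppVet accepts.

    Thresholds are this example's assumption: CVSS v3 High/Critical (>= 7.0) -> FAIL,
    any other non-zero score -> WARNING, 0.0 -> PASS.  A missing or out-of-range
    score means the tool produced no usable result, which is reported as ERROR.
    """
    if score is None or not 0.0 <= score <= 10.0:
        return ERROR
    if score >= 7.0:
        return FAIL
    return WARNING if score > 0.0 else PASS


def parse_form_data(content_type, body):
    """Parse a multipart/form-data request body into {field name: bytes}.

    The stdlib email parser handles any multipart/* body once the Content-Type
    header (carrying the boundary) is prepended, so no web framework is needed.
    """
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name:
            fields[name] = part.get_payload(decode=True)
    return fields


def build_form_data(fields, boundary="appvet-example-boundary"):
    """Encode {field name: bytes} as multipart/form-data; returns (content_type, body)."""
    chunks = []
    for name, value in fields.items():
        head = f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
        if name == "appfile":
            head += '; filename="app.apk"\r\nContent-Type: application/octet-stream'
        chunks.append(head.encode() + b"\r\n\r\n" + value + b"\r\n")
    body = b"".join(chunks) + f"--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


def analyze_app(appfile):
    """Constructed placeholder for the tool's own analysis; returns (cvss_score, detail).

    An APK is a ZIP archive, so an unreadable archive is a tool error (None score).
    The META-INF/ check and the 7.5 score are illustrative only; a real service
    runs its analyzer here and maps that tool's findings to a score.
    """
    try:
        names = zipfile.ZipFile(io.BytesIO(appfile)).namelist()
    except zipfile.BadZipFile:
        return None, "app file is not a readable ZIP/APK archive"
    if not any(n.startswith("META-INF/") for n in names):
        return 7.5, "no META-INF/ signature block in archive"
    return 0.0, "signature block present"


def handle_sync_submission(content_type, body):
    """Synchronous service (7.1): one POST in, (status code, headers, payload) out."""
    fields = parse_form_data(content_type, body)
    if "appfile" not in fields:
        return 400, {"toolrisk": ERROR}, "missing required parameter: appfile"
    score, detail = analyze_app(fields["appfile"])
    risk = cvss_to_toolrisk(score)  # ERROR when the analysis itself failed
    return 200, {"toolrisk": risk}, f"toolrisk={risk} cvss={score} detail={detail}"


def handle_async_submission(content_type, body):
    """Asynchronous service (7.2): confirm receipt with 202 Accepted, queue the work."""
    fields = parse_form_data(content_type, body)
    if "appfile" not in fields or "appid" not in fields:
        return 400, {}, "missing required parameter: appfile and appid are required"
    appid = fields["appid"].decode()
    PENDING[appid] = fields["appfile"]
    return 202, {}, f"accepted appid={appid}"


def complete_async_job(appid):
    """Finish a queued job and build the SUBMIT_REPORT call that returns results (7.4).

    Returned as a request description instead of being sent, so it runs offline.
    Only appid is specified by the page; 'toolrisk' and 'report' are assumed names.
    """
    score, detail = analyze_app(PENDING.pop(appid))
    risk = cvss_to_toolrisk(score)
    return {"method": "POST", "url": SUBMIT_REPORT_URL,
            "fields": {"appid": appid, "toolrisk": risk,
                       "report": f"cvss={score} detail={detail}"}}


def sample_apk(signed):
    """Constructed sample 'APK': a minimal ZIP, with a META-INF/ entry when signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        if signed:
            z.writestr("META-INF/CERT.RSA", b"placeholder signature block")
    return buf.getvalue()


if __name__ == "__main__":
    ct, body = build_form_data({"appfile": sample_apk(False)})
    print(handle_sync_submission(ct, body))
    ct, body = build_form_data({"appfile": sample_apk(True), "appid": b"example-app-1"})
    print(handle_async_submission(ct, body))
    print(complete_async_job("example-app-1"))
```

The point worth keeping from this shape is the separation of the two error channels: a malformed request (no appfile) is an HTTP-level failure, while a tool that ran but could not produce a result still answers with a well-formed response whose toolrisk header is ERROR, so AppVet can distinguish "the app was not assessed" from "the app failed assessment". For the asynchronous path, the 202 is sent before any analysis runs, and the appid is the only thing that later ties the SUBMIT_REPORT call back to the submission, so it must be validated and stored at receipt time.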

7.3 Tool Service Adapter

To facilitate plug-and-play integration of a tool with AppVet, the vendor of the tool provides a tool service adapter that is used by AppVet. A tool service adapter is an XML file that reflects the API of the specified service and is placed in the $APPVET_FILES_HOME/conf/tool_adapters directory. To define an XML tool adapter file for a tool service, consult the Tool Service Adapter Schema. For more information on adding a tool adapter to AppVet or removing one, see Tool Service Adapters.