Zimperium zScan is an automated Mobile Application Security Testing (MAST) platform that combines static, dynamic, and interactive analysis for Android and iOS applications. It scans app binaries and returns prioritized findings in 15-30 minutes.
What sets zScan apart from pure vulnerability scanners is that it also validates whether security controls like anti-tampering, anti-reversing, and SSL pinning are actually implemented correctly. Part of the Zimperium Mobile Application Protection Suite (MAPS), zScan can be used standalone or alongside zShield (app shielding), zDefend (runtime protection), and zKeybox (key protection).
Zimperium was founded in 2010 and is headquartered in Dallas, TX. The company holds a Forrester Wave Leader position in Mobile Threat Defense, won the 2025 Mobile Breakthrough Award for “Mobile Security Solution of the Year,” and is a 2025 SPARK Matrix Leader for In-App Protection. A free 30-day trial is available.
What is Zimperium zScan?
zScan accepts APK, IPA, and AAB files uploaded directly or pulled from App Store and Google Play URLs. The scanner decompiles the binary and runs three types of analysis:
- Static Analysis (SAST): Examines decompiled code for security flaws, insecure API usage, and cryptographic issues
- Dynamic Analysis (DAST): Simulates runtime behavior to detect vulnerabilities and misconfigurations during execution
- Interactive Analysis (IAST): Combines static and dynamic testing under realistic runtime conditions
Unlike scanners that only find weaknesses, zScan also checks whether defensive measures are correctly implemented. If your team invested in certificate pinning, root detection, or code obfuscation, zScan confirms those protections are working as expected.
Key Features
| Feature | Details |
|---|---|
| Analysis Types | SAST + DAST + IAST |
| Scan Speed | 15-30 minutes |
| Input Formats | APK, IPA, AAB, App Store/Play Store URLs |
| Infrastructure | Cloud-based (no local setup required) |
| Report Formats | SARIF, PDF, JSON |
| CI/CD Plugins | GitHub Actions, GitLab CI, Jenkins, Harness, GoCD, Bitrise |
| Compliance | OWASP MASVS, PCI-DSS, HIPAA, GDPR, NIAP |
| Cross-Platform | Flutter, React Native, Xamarin, Cordova, Ionic |
| MAPS Suite | Works with zShield, zDefend, zKeybox |
| Trial | Free 30-day trial (unlimited apps) |
Anti-Tampering Validation
zScan verifies that anti-tampering controls are correctly implemented:
- Root/jailbreak detection
- Debugger detection
- Emulator detection
- Code integrity verification
- Hook detection
Organizations that use mobile hardening solutions (including Zimperium’s own zShield) can confirm these protections are actually working in production builds.
SSL Pinning Verification
zScan tests whether certificate pinning is properly implemented, including:
- Presence of pinning in network code
- Correct certificate or public key configuration
- Fallback behavior when pinning fails
- Pin rotation handling
Supply Chain Risk Detection
The platform generates Software Bills of Materials (SBOMs) and flags third-party SDKs and libraries with known vulnerabilities. This visibility into the software supply chain helps teams understand risk introduced by dependencies they didn’t write themselves.
Cross-Platform Support
zScan analyzes applications built with:
- Native: Swift, Objective-C (iOS), Kotlin, Java (Android)
- Cross-platform: Flutter, React Native, Xamarin
- Hybrid: Cordova, Ionic, PhoneGap
CI/CD Integration
Zimperium provides official plugins for GitHub Actions, GitLab CI, Jenkins, Harness, GoCD, and Bitrise. All integrations produce SARIF reports that can feed into code scanning dashboards.
GitHub Actions
The official Zimperium zScan GitHub Action integrates with GitHub Advanced Security (GHAS) to display findings directly in code scanning alerts.
name: Zimperium zScan
on:
push:
branches: [main, release/*]
pull_request:
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build APK
run: ./gradlew assembleRelease
- name: Run Zimperium zScan
uses: zimperium/zscanmarketplace@v1.4
timeout-minutes: 60
with:
console_url: https://zc202.zimperium.com
client_id: ${{ secrets.ZSCAN_CLIENT_ID }}
client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }}
app_file: app/build/outputs/apk/release/app-release.apk
team_name: Default
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: app-release_zscan.sarif
GitLab CI
Zimperium provides an official GitLab plugin as a shell script:
zscan:
stage: test
needs: [build]
script:
- wget -O zScan.tar.gz https://github.com/Zimperium/zscan-plugin-gitlab/archive/refs/tags/v1.0.0.tar.gz
- tar --strip-components=1 -xf zScan.tar.gz
- chmod +x zScan.sh
- ./zScan.sh
variables:
ZSCAN_CONSOLE_URL: "https://zc202.zimperium.com"
ZSCAN_CLIENT_ID: $ZSCAN_CLIENT_ID
ZSCAN_CLIENT_SECRET: $ZSCAN_CLIENT_SECRET
ZSCAN_INPUT_FILE: "app/build/outputs/apk/release/*.apk"
ZSCAN_REPORT_FORMAT: "sarif"
ZSCAN_TEAM_NAME: "Default"
ZSCAN_WAIT_FOR_REPORT: "true"
artifacts:
paths:
- "*.sarif"
Jenkins
An official Jenkins plugin (zscan-upload.hpi) is available from the Jenkins Marketplace or as a manual install:
- Navigate to Manage Jenkins > Manage Plugins > Advanced
- Search for “zScan” in the marketplace, or upload the
.hpifile manually - Configure server credentials in Manage Jenkins > System (Server URL, Client ID, Client Secret)
- Add the “Upload build artifacts to zScan” post-build action to your job
The plugin supports source file patterns (e.g., *.apk, *.ipa), optional report waiting (~10 minute timeout), SARIF output, and team assignment. Requires Java 17+ and API credentials with “zScan Builds - Upload” permission.
Other CI/CD Platforms
Zimperium also maintains official plugins for:
- Harness — Upload plugin for Harness CI pipelines
- GoCD — Binary upload plugin for GoCD pipelines
- Bitrise — Upload step for Bitrise mobile CI
Scanning Published Apps
zScan can pull and analyze applications directly from app stores using their public URLs. This is useful for competitive analysis, third-party app vetting, and validating that production deployments match what was tested during development.
Compliance
zScan validates applications against multiple compliance frameworks:
- OWASP MASVS: Mobile Application Security Verification Standard
- PCI-DSS: Payment Card Industry Data Security Standard
- HIPAA: Health Insurance Portability and Accountability Act
- GDPR: General Data Protection Regulation
- NIAP: National Information Assurance Partnership
OWASP MASVS
PCI-DSSGetting Started
When to Use Zimperium zScan
zScan fits best when you need to validate security controls, not just find vulnerabilities. If your team has invested in app hardening (certificate pinning, root detection, anti-tampering), zScan confirms those measures are correctly applied.
Consider zScan when:
- You need to verify that anti-tampering and anti-reversing controls are working
- SSL pinning implementation needs validation
- Supply chain visibility through SBOM analysis is a requirement
- You want to scan published apps from app stores for competitive analysis or third-party vetting
- Compliance reporting against OWASP MASVS, PCI-DSS, or HIPAA is needed
- You’re already using Zimperium zShield or other MAPS products
The platform works well for organizations in regulated industries (finance, healthcare, government) where demonstrating proper security control implementation is required for compliance.
Teams looking for other mobile security tools focused purely on vulnerability scanning without control validation may want to evaluate Oversecured or NowSecure as alternatives.
