Skip to content

Appium Server Security

The Appium team makes every effort to ensure the security of the Appium server. This is especially important when Appium is run in a multitenant environment, or when multiple users are running sessions on the same Appium server. In general, you can only safely enable all Appium's features if all the following are true:

  • You're running your own Appium server locally or within a protected internal network
  • You're not sharing it with any untrusted parties
  • You don't expose Appium's port(s) to the wider internet

But because many Appium users might not be able to guarantee such a safe environment, the Appium team puts many features behind a security protection mechanism which forces system admins (the people that are in charge of starting the Appium server) to explicitly opt-in to these features. (Third-party driver and plugin authors can also hide behaviour behind security flags.)

For security reasons, Appium client sessions can not request feature enablement via capabilities; this is the responsibility of the server admin who configures and launches the Appium server.

Security Server Args

The Server CLI Args doc outlines three relevant arguments which may be passed to Appium when starting it from the command line:

Parameter
Description
--relaxed-security Setting this flag turns on all insecure features (unless blocked by --deny-insecure; see below)
--allow-insecure Setting this flag to a comma-separated list of feature names or a path to a file containing a feature list (each name on a separate line) will allow only the features listed. For example, --allow-insecure=adb_shell will cause only the ADB shell execution feature to be enabled. This is true unless --relaxed-security is also used, in which case all features will still be enabled. It makes no sense to combine this flag with --relaxed-security.
--deny-insecure This flag can likewise be set to a comma-separated list of feature names, or a path to a feature file. Any features listed here will be disabled, regardless of whether --relaxed-security is set and regardless of whether the names are also listed with --allow-insecure.

Insecure Features

Each Appium driver is responsible for its own security, and can create its own feature names. Thus you should read through the documentation for a particular driver to know which feature names it might use. Here is an incomplete list of examples from some of Appium's official drivers:

Feature Name
Description Supported Extension(s)
get_server_logs Allows retrieving of Appium server logs via the Webdriver log interface IOS, XCUITest, Android, UiAutomator2, Espresso
adb_shell Allows execution of arbitrary shell commands via ADB, using the mobile: shell command Android, UiAutomator2, Espresso
record_audio Allow recording of host machine audio inputs XCUITest
execute_driver_script Allows to send a request which has multiple Appium commands. Execute Driver Plugin

Driver-scope security

Since Appium server version 2.12.3 there is a possibility to prefix each feature name with the corresponding automationName where it is going to be applied. For example, if you provide the following features to allow: uiautomator2:adb_shell,xcuitest:get_server_logs,*:record_audio, then the adb_shell would only be allowed for the UiAutomator2 driver, get_server - for the XCUITest driver and the record_audio one - for all installed drivers. Feature names provided without explicit automation name prefix are equivalent to these having the *: prefix. The same feature naming rule applies to the list of denied features.

Examples

To turn on the get_server_logs feature for my Appium server, I could start it like this:

appium --allow-insecure=get_server_logs

To turn on multiple features:

appium --allow-insecure=get_server_logs,record_audio

To allow all features except one:

appium --relaxed-security --deny-insecure=adb_shell