Security

The Appium team makes every effort to ensure the security of the Appium server. This is especially important when Appium is run in a multitenant environment, or when multiple users are running sessions on the same Appium server. In general, if you're running your own Appium server locally, and not sharing it with anyone else, and don't expose Appium's port to the wider internet, you should have nothing to worry about, and can safely enable all Appium's features.

But because many Appium users might not be able to guarantee such a safe environment, the Appium team puts many features behind a security protection mechanism which forces system admins (the people that are in charge of starting the Appium server) to opt-in to these features explicitly.

For security reasons, Appium client sessions cannot request feature enablement via capabilities. This is the responsibility of whoever launches the Appium server.

Security Server Args

The server args doc outlines three relevant arguments which may be passed to Appium when starting it from the command line:

Insecure Features

Each Appium driver is responsible for its own security, and can create its own feature names. These are the features and names we know about for the officially-supported Appium drivers.

| Feature Name | Description | AutomationName |
|---|---|---|
| get_server_logs | Allows retrieving Appium server logs via the WebDriver log interface | IOS, XCUITest, Android, UiAutomator2, Espresso |
| adb_shell | Allows execution of arbitrary shell commands via ADB, using the mobile: shell command | Android, UiAutomator2, Espresso |
| shutdown_other_sims | Allows any session to use a capability to shut down any running simulators on the host | XCUITest |
| perf_record | Allows recording the system performance and other metrics of the simulator | XCUITest |
| chromedriver_autodownload | Allows ChromeDriver to be downloaded automatically if Appium does not have the proper version | Android, UiAutomator2, Espresso |
| execute_driver_script | Allows sending a request that contains multiple Appium commands. Read the documentation for more details | All |
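For an admin reviewing how a shared server is launched, the following added example (not Appium's own code) reports which of the features in the table a given command line ends up enabling. The flag names --relaxed-security, --allow-insecure and --deny-insecure and the deny-over-allow-over-relaxed precedence are assumptions based on Appium 1.x, since this page does not list them; the function names and sample command lines are constructed.

```javascript
// Feature names from the table above; drivers may define others.
const KNOWN_FEATURES = [
  'get_server_logs', 'adb_shell', 'shutdown_other_sims',
  'perf_record', 'chromedriver_autodownload', 'execute_driver_script',
];

// Pull the security flags out of a server command line (array of args).
// Assumed flag names (Appium 1.x); accepts "--flag a,b" and "--flag=a,b".
function parseSecurityArgs(argv) {
  const cfg = { relaxed: false, allow: new Set(), deny: new Set() };
  for (let i = 0; i < argv.length; i++) {
    const eq = argv[i].indexOf('=');
    const flag = eq === -1 ? argv[i] : argv[i].slice(0, eq);
    if (flag === '--relaxed-security') { cfg.relaxed = true; continue; }
    const target = flag === '--allow-insecure' ? cfg.allow
      : flag === '--deny-insecure' ? cfg.deny : null;
    if (!target) continue;
    const value = eq === -1 ? (argv[++i] || '') : argv[i].slice(eq + 1);
    value.split(',').map((s) => s.trim()).filter(Boolean)
      .forEach((name) => target.add(name));
  }
  return cfg;
}

// Assumed precedence: an explicit deny wins, then an explicit allow,
// then the blanket relaxed-security switch. Default is disabled.
function isFeatureEnabled(cfg, name) {
  if (cfg.deny.has(name)) return false;
  if (cfg.allow.has(name)) return true;
  return cfg.relaxed;
}

// Audit one launch command: features left enabled, plus listed names that
// match no known feature (a misspelled deny entry protects nothing).
function auditLaunch(argv) {
  const cfg = parseSecurityArgs(argv);
  return {
    enabled: KNOWN_FEATURES.filter((f) => isFeatureEnabled(cfg, f)),
    unknown: [...cfg.allow, ...cfg.deny]
      .filter((n) => !KNOWN_FEATURES.includes(n)),
  };
}

// Constructed sample launch lines for a shared server.
const shared = auditLaunch(['appium', '--relaxed-security',
  '--deny-insecure', 'adb_shell,execute_driver_script']);
const typo = auditLaunch(['appium', '--relaxed-security',
  '--deny-insecure=adb_shel']);
console.log(shared, typo);
```

In the second sample the misspelled deny entry leaves adb_shell enabled, which the `unknown` list makes visible.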

For Driver Developers

Two methods exist on objects of classes that extend BaseDriver, which make the life of the driver developer easier when checking the availability of insecure features: