- August 16, 2023: New Grading & Finding Behavior sections.
- May 27, 2021: Linked to analysis.
- May 11, 2020: Linked to related topics (rating details, data collection methods, & finding details).
The Mobile Application Security risk vector analyzes the security aspects of an organization’s mobile application offerings that are publicly available in official marketplaces, such as the Apple App Store and Google Play.
- Identify published applications that are at risk, preventing the software from affecting its users and simultaneously reducing exposure to reputation damage.
- Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client has created secure software from a security standpoint.
- Verify the presence of the support and email domains that should be provided in mobile applications. Mobile application offerings are evaluated to find security risks that can compromise end users' devices and networks.
Risks
- System failure (vendor devices are not being maintained).
- Disruption of business continuity.
- Attackers may be able to use unpatched vulnerabilities to gain system access.
- Reputation damage to the organization.
Grading
See how the Mobile Application Security risk vector is graded.
Only developer organizations that have mobile applications published in the US Android and iOS markets are evaluated for this risk vector. Apps published only in other countries' marketplaces (e.g., Portugal, UK, Singapore) are not included in the evaluation.
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Concept | Behavior |
---|---|
Lifetime | 1 Year. Since apps cannot be verified to have been removed from or updated for all devices, a given app can impact the grade after the initial observation for the lifetime of this risk vector. This includes unlisted apps. |
No Findings | Not all organizations have mobile application offerings. |
(Out of 70.5% in Diligence) | Not applicable. |
Remediation
Review Mobile Application Security findings.
Our analysis is based on observed application behavior, as opposed to a line-by-line reading of the source code. Remediation is application-specific because each implementation varies between software development teams. Remediation will need to be assessed by the organization based on the issues detected; in some cases, we are able to provide remediation information in the explanation.
The information from detected issues can be used to determine where to apply software updates, remove software, or investigate brand abuse.
- Identify mobile applications that are not adhering to application security best practices.
- Verify questionnaire data from vendors; for example, verify a vendor's claim that their organization is free of a particular operating system.
- Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client created secure software from a security standpoint and adhered to a policy of keeping end-user operating systems up-to-date.
- If your company is developing and supporting apps for third-party customers, ensure your support emails and support URLs reflect the appropriate ownership information.
Finding Behavior
Concept | Behavior |
---|---|
Refresh | Automated: 2 weeks. User-requested: 10 days. |
Remediated | The old finding is replaced by a new finding. If a new app version is available, the new version replaces the previous one. |