The Mobile Application Security risk vector analyzes the security aspects of an organization’s mobile application offerings that are publicly available in official marketplaces, such as the Apple App Store and Google Play.
- It helps identify published applications that are at risk, so that issues can be fixed before the software affects its users, which also reduces exposure to reputation damage.
- Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client has created secure software from a security standpoint.
- Mobile Application Security verifies the presence of the support and email domains that mobile applications should provide. Mobile application offerings are evaluated to find security risks that could compromise end users' devices and networks.
Risks
- System failure (vendor devices are not being maintained).
- Disruption of business continuity.
- Attackers may be able to use unpatched vulnerabilities to gain system access.
- Reputation damage to the organization.
Grading
See how the Mobile Application Security risk vector is graded.
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Concept | Behavior |
---|---|
Result | Pass/Fail. Assessment results depend on the action taken during testing. Assessment is immediate. If a new app version is available, the new version replaces all assessments related to the previous one. If an assessment for a specific version is improved, it also replaces the associated finding. |
Duration | 1 year, with no decay period. Unless updated, all findings have the same impact throughout their lifetime. Their impact is fully removed when updated or after 1 year. If an app is removed from all app stores or updated to a software version that is not supported (and therefore cannot be scanned), its impact is fully removed. The following software versions are supported: |
Default grade | A default risk vector grade is assigned, since not all organizations have mobile application offerings. |
Percentage (out of 70.5% in Diligence) | Not Applicable |
Remediation
Review Mobile Application Security findings.
Our analysis is based on observed application behavior, as opposed to a line-by-line reading of the source code. Remediation is application-specific because each implementation varies between software development teams, so the organization needs to assess remediation based on the issues detected; in some cases, we are able to provide remediation information in the finding's explanation.
The information from detected issues can be used to determine where to apply software updates, remove software, or investigate brand abuse.
- Identify mobile applications that are not adhering to application security best practices.
- Verify questionnaire data from vendors. For example, to verify claims that their organization is free of a particular operating system.
- Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client created secure software from a security standpoint and adhered to a policy of keeping end-user operating systems up-to-date.
- If your company develops and supports apps for third-party customers, ensure the support email addresses and support URLs in the app listings reflect the appropriate ownership information.
Finding Behavior
Concept | Behavior |
---|---|
Updates | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding that was remediated. |
Refresh | Automated scan duration: up to 2 weeks after a new version is released. User-requested refresh duration: 6-11 days. |
Remediated | The old finding is replaced by a new finding. If a new app version is available, the new version replaces the previous one. If an app is removed from all app stores or its version is not supported (and therefore cannot be scanned), the finding is marked as Expired. |
- June 6, 2024: Updated language re: apps that are removed from all app stores or unable to be scanned.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- January 10, 2024: Mobile Application Security user-requested refresh duration changed from 10 days to 6-11 days.