Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Mobile Application Security Risk Vector

Ingrid

The Mobile Application Security is a Diligence risk vector. It analyzes the security aspects of an organization’s mobile application offerings that are publicly available in official marketplaces, such as the Apple App Store and Google Play.

  • It helps identify published applications that are at-risk, preventing the software from affecting its users and simultaneously reducing exposure to reputation damage.
    • Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
    • Verify quality and other contractual agreements with clients or vendors; for example, verify that a client has created secure software from a security standpoint.
  • Mobile Application Security verifies the presence of support and email domains that should be provided in mobile applications. Mobile application offerings are evaluated to find security risks that can compromise end-users' devices and networks.

See data collection methods.

Risks

  • System failure (vendor devices are not being maintained).
  • Disruption of business continuity.
  • Attackers may be able to use unpatched vulnerabilities to gain system access.
  • Reputation damage to the organization.

Grading

See how the Mobile Application Security risk vector is graded.

This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.

Application Assessment

Assessment results depending on the action taken during testing.

Result: Pass/Fail

Behavior:

Assessment is immediate. If a new app version is available, the new version replaces all assessments related to the previous one.

If an assessment for a specific version is improved, it also replaces the associated finding.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Duration: grade-na.png

Not all organizations have mobile application offerings.

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.

Duration: 1 year, with no decay period.

Unless updated, all findings have the same impact throughout their lifetime. Their impact is fully removed when updated or after 1 year.

If an app is removed from all app stores or updated to a software version that is not supported (and therefore cannot be scanned), its impact is fully removed.

Weight

The Mobile Application Security risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.

Weight: Not Applicable

Remediation

Review Mobile Application Security findings.

Our analysis is based on the analysis of application behavior, as opposed to a line-by-line reading of the source code. Remediation is application-specific because each implementation varies between software development teams. Remediation will need to be assessed by the organization based on the issues detected; in some cases, we are able to provide remediation information in the explanation.

The information from detected issues can be used to determine where to apply software updates, remove software, or investigate brand abuse.

  • Identify mobile applications that are not adhering to application security best practices.
  • Verify questionnaire data from vendors. For example, to verify claims that their organization is free of a particular operating system.
  • Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
  • Verify quality and other contractual agreements with clients or vendors; for example, verify that a client created secure software from a security standpoint and adhered to a policy of keeping end-user operating systems up-to-date.
  • If your company is developing and supporting apps for third party customers, please ensure your support emails and support URLs reflect the appropriate ownership information.

Rescan Base Duration

The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Automated Scan: Up to 2 weeks after a new version is released.

User-Requested Rescan: 11 days. See timeline for details.

Finding Behavior

The behavior of findings based on remediation and rescan statuses:

New Observation

The old finding is replaced by a new finding. If a new app version is available, the new version replaces the previous one.

Remediated

If an app is removed from all app stores or its version is not supported (and therefore cannot be scanned), the finding is considered to be expired and the status is Remediated.

  • June 25, 2025: Finding behavior grouped by rescan statuses.
  • June 6, 2024: Updated language re: apps that are removed from all app stores or unable to be scanned.
  • March 25, 2024: “No findings/low findings” changed to “insufficient data.”
Was this article helpful?
4 out of 9 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.