- November 10, 2022: The Mobile Application Security user-requested refresh is 10 days.
- April 15, 2022: Updated the length of the automated scan and user-requested refresh periods.
- October 12, 2021: Terminology, “grace period” changed to “finding behavior.”
Mobile Application Security evaluates an organization’s mobile application offerings in Android and iOS app stores (assets) to find security risks that can compromise end-users’ devices and networks (findings).
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
|Field||Description||Details & Values|
|Application Behavior||Assessment results as listed in the platform depending on the action taken during testing.||
Assessment is immediate. If a new app version is available, the new version replaces all assessments related to the previous one.
If an assessment for a specific version is improved, it also replaces the associated finding.
|Lifetime||The number of days a finding will impact the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information.||
1 year, with no decay period. Unless updated, all findings have the same impact throughout their lifetime. When updated or after 1 year, their impact will be fully removed.
Since apps cannot be verified to have been removed from or updated for all devices, a given app can impact the grade after the initial observation for the lifetime of this risk vector. This includes unlisted apps.
|No Assets||The risk vector grade if the organization has not published any mobile applications.||
Not all organizations have mobile application offerings.
|Refresh||The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.|
|Automated Scan Duration||The duration of a regularly scheduled finding refresh, as the Bitsight platform checks for new observations.||60 Days|
|User-Requested Refresh Duration||The duration of a user-requested refresh, which initiates a refresh of eligible findings upon request. This is recommended when a change in the finding is expected, such as when a finding has been remediated.||10 Days|
Only developer organizations that have mobile applications published in the US Android and iOS markets are evaluated for this risk vector. Therefore, apps published in other country marketplaces are not included for evaluation, i.e., Portugal, UK, Singapore, etc.
Mobile apps are not assigned finding grades (GOOD, FAIR, WARN, BAD, etc.). The numerical app grade is indicative of the app’s overall vulnerability to security issues. Although it’s derived directly from the CVSS values of vulnerabilities found in an app and evaluated on a scale from 0.0 to 10.0, the app grade is not a CVSS value.
Assets are subjected to static and dynamic analysis to evaluate specific types of problems, like how the application handles sensitive data, interaction vulnerabilities, and API security and determine the severity of security vulnerabilities (presented as the findings).
The evaluation method for tested security vulnerabilities is based on the Common Vulnerability Scoring System (CVSS). The assigned value (of 0.1 to 10.0) is indicative of the severity of each vulnerability.
A number of informational vulnerabilities are also tested. However, these informational vulnerabilities do not negatively impact the rating.
|CVSS||Passed Test Finding Severity||Failed Test Finding Severity|
|0.1 - 3.9||Minor||Minor|
|4.0 - 6.9||Minor||Moderate|
|7.0 - 8.9||Minor||Material|
|9.0 - 10.0||Minor||Severe|
App Grade Calculation Based on Security Tests
Each individual finding in a mobile app is quantified using the Common Vulnerability Scoring System (CVSS). CVSS is a ten-point scale, spanning 0.0 to 10.0 in increments of 0.1. A CVSS value of 0.0 indicates findings that are informational in nature.
The active sum contribution of individual apps is calculated as an app score (α) based on the failure of security tests (τ):
The app grade (γ) is calculated as:
Risk Vector Grade Calculation Based on the Individual App Grade
To calculate the risk vector grade, first, calculate the mean AppGrade (ᾱ) based on the individual AppGrades.
The second step is to calculate a pre risk vector score 𝑥 based on ᾱ using the following formula:
Lastly, the risk vector grade is determined mapping 𝑥 to the grade using the following table:
|Range of App Grades Average||Risk Vector Grade|
|0 ≤ 𝑥 < 2.4||A|
|2.4 ≤ 𝑥 < 4.0||B|
|4.0 ≤ 𝑥 < 5.7||C|
|5.7 ≤ 𝑥 < 7.0||D|
|7.0 ≤ 𝑥 < 10||F|