- October 31, 2023: Supported apps not restricted to US app stores; linked to the refresh resource.
- April 14, 2022: Updated with more details on observation methods and frequently asked questions.
To collect the information relevant to the Mobile Application Security risk vector, we use tools and proprietary observation methods that let us observe mobile application actions and tasks at runtime. Our analysis consists of static and dynamic analysis at the application level. We focus on mobile applications that run on devices, not on the devices themselves; typically, we do not include device-level checks such as checks for root access.
What information is produced in each test?
Following the OWASP guidelines for mobile application security, we conduct a set of tests organized into several categories. For each test, we determine whether your application passed and provide details of the assessment, the associated CVSS score, and possible remediation strategies.
While we can provide information about detected issues, we can provide detailed insights only in specific cases. This is because our analysis is based on application behavior, not a line-by-line reading of the source code. In most cases, we are able to include remediation information in the issue description. Since each implementation varies between software development teams, remediation is application-specific and needs to be assessed by the organization based on the detected issues.
How are applications identified for testing?
We use a combination of automated discovery mechanisms and user-provided feedback to identify relevant mobile applications for each of our customers. Alongside customer-submitted applications and an application mapping process, we monitor the top 1000 applications in each category of each application store.
Troubleshooting and FAQ
What can I do if my application is not appearing as an asset?
While we strive to have the best coverage possible, not all applications are captured by our discovery process.
Additionally, only applications that are able to complete the full battery of tests applicable to them are included. If your application cannot complete one or more tests because of an incompatibility with the test setup, it is not included, since we are unable to provide a consistent and comparable assessment for it.
If you do not see your application, contact Bitsight Customer Support to learn why.
How come my grade is still affected after I removed my application from the store?
While the application may have been removed from stores, we can’t ensure that it has been removed from all mobile devices. Once an application is no longer available, it continues to impact your grade for 1 year with no decay period.
What happens when a new version is released?
We regularly check for new versions of applications on available app stores. These checks are performed on a 60-day cadence. When a new version is identified, a new set of tests is executed on that version. All associated findings are immediately replaced by these new ones.
For the Mobile Application Security risk vector, tests are executed on a 60-day cadence. Findings are updated as these observations change, e.g., new Diligence findings are observed or an existing finding is remediated.
How long does a remediated finding take to be refreshed?
Once you remediate a finding and upload a corrected version of your application to the store, our automated process picks up that correction during the next automated scan cycle. If you require a quicker evaluation, you can initiate a user-requested refresh.
How long does it take for my app’s updated metadata to be refreshed?
Similarly to remediated findings, your updates are reflected in the data after the next automated scan cycle. You can initiate a user-requested refresh to accelerate this process.