- April 14, 2022: Updated with more details on observation methods and frequently asked questions.
- May 27, 2021: Linked to analysis.
- March 28, 2019: Published.
To collect the information relevant to the Mobile Application Security risk vector, we use tools and proprietary observation methods that enable us to observe mobile application actions and tasks during runtime. Our analysis methods consist of static and dynamic analysis at the application level. We focus on mobile applications that run on devices, not the devices themselves; typically, we do not include device-level checks such as root access.
What information is produced in each test?
Following the OWASP guidelines for mobile application security, BitSight performs a set of tests organized into 6 different categories. For each test, we determine whether your application passed and provide details such as a description of the assessment, the associated CVSS score, and possible remediation strategies.
Although we report every detected issue, we can only provide detailed insights in specific cases, because our analysis is based on application behavior rather than a line-by-line reading of the source code. In most cases, we are able to include remediation information in the issue description. Since each implementation varies between software development teams, remediation is application-specific and will need to be assessed by the organization based on the detected issues.
How are applications identified for testing?
We use a combination of automated discovery mechanisms and user-provided feedback to identify relevant mobile applications for each of our customers. Alongside customer-submitted applications and an application mapping process, we monitor the top 1000 applications in each category of each application store.
Troubleshooting and FAQ
My application is not appearing in the platform. What can I do?
While we strive to have the best coverage possible, not all applications are captured by our discovery process. Currently, we only support applications listed in US app stores. Applications published in other markets are not included for assessment.
Additionally, only applications that are able to complete the full battery of tests applicable to them will be included. If your application cannot complete one or more tests because of an incompatibility with the test setup, it will not be included in the platform, since we would be unable to provide a consistent and comparable assessment for it.
If you do not see your application in the portal, please contact BitSight customer support to learn why.
I removed my application from the store but it is still affecting my grade. Why?
While the application may have been removed from stores, we can’t ensure that it has been removed from all mobile devices. Once an application is no longer available, it continues to impact your grade for 1 year with no decay period.
What happens when a new version is released?
The BitSight platform regularly checks for new versions of applications on available app stores. These checks are performed on a 60-day cadence. When a new version is identified, a new set of tests is executed on that version. All associated findings are immediately replaced by these new ones.
For the Mobile Application Security risk vector, tests are executed on a 60-day cadence. BitSight findings are updated as these observations change, e.g., new Diligence findings are observed or an existing finding is remediated.
I remediated a finding. When will it be updated in the platform?
Once you remediate a finding and upload a corrected version of your application to the store, our automated process will pick up that correction during the next automated scan cycle. If you require a quicker evaluation, you can initiate a user-requested refresh.
I updated the metadata for my application. When will it be updated in the platform?
Similarly to remediated findings, your updates will appear in the platform after the next automated scan cycle. You can initiate a user-requested refresh to accelerate this process.