Is It Time to Audit Your Mobile Application’s Code?

Chris Gogoel | November 16, 2022

Mobile application development can be costly, and as a result, companies often use off-the-shelf code from third parties to save money and deliver features quickly. Although this brings time and cost benefits, in the long run it can be very risky to your company’s security, and even to national security, as the recent news of Pushwoosh’s origin shows, if proper security reviews are not implemented.

This latest news highlights the importance of the industry-wide push for improved security in the mobile app supply chain. When you are building or using an app, you should understand what the app is made of. What code is in the app? Where does it come from? Does it have any known vulnerabilities?

These questions are commonly answered in the Software Bill of Materials (SBOM). The SBOM gives the application’s developers or consumers an understanding of what is included in the application and whether there are any “bad ingredients” inside. Being able to generate and consume an SBOM for your apps is a great first step towards securing your mobile app supply chain, but, as we see in the Pushwoosh story, there is still room for improvement.

The limitation of most SBOMs is the intelligence used to determine which ingredients are “bad”. The most common approach is to identify the third-party code and then search for published vulnerabilities associated with that code in places like the NIST National Vulnerability Database (NVD). In the case of Pushwoosh there are no known vulnerabilities published, and the searches come up clean. So what can you do?

The industry can improve on the standard SBOM approach by introducing active testing of the third-party code through platforms like Q-MAST. This type of testing goes beyond a public vulnerability search and runs the third-party code through a full suite of static, dynamic, interactive and behavioral analysis to identify the “unpublished” weaknesses and traits, which improves the intelligence of your SBOM. Want to know if that weird Pushwoosh library connects to Russia even if they say they are registered in Maryland? Take a page from the Army and test the code yourself, so you are alerted to the “unpublished” issues before they become public vulnerabilities.
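The two-stage check argued for above, as an added example that is not Quokka’s or Q-MAST’s code: each SBOM component is first looked up in a published-vulnerability list, then enriched with behavioral evidence from a test run, so a component whose vulnerability search comes up clean is still flagged when its observed network egress contradicts what its vendor declares. All component names, vulnerability ids, hosts and countries below are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed SBOM fragment (CycloneDX-style fields, trimmed to what is needed).
SBOM = [
    {"name": "example-push-sdk", "version": "6.1.0", "declared_country": "US"},
    {"name": "example-image-loader", "version": "2.4.1", "declared_country": "US"},
]

# Constructed stand-in for a published-vulnerability feed (NVD-style lookup).
KNOWN_VULNS = {
    ("example-image-loader", "2.4.1"): ["VULN-PLACEHOLDER-0001"],
}

# Constructed output of a behavioral (dynamic) test run: per component, the
# hosts it was observed contacting and the country each host resolved to.
OBSERVED_EGRESS = {
    "example-push-sdk": [("api.example-push.test", "US"),
                         ("tracker.example-push.test", "RU")],
    "example-image-loader": [("cdn.example-images.test", "US")],
}


@dataclass
class Finding:
    component: str
    version: str
    published_vulns: list = field(default_factory=list)
    behavioral_traits: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        # Either evidence source alone is enough to block or escalate.
        return bool(self.published_vulns or self.behavioral_traits)


def enrich_sbom(sbom, known_vulns, observed_egress):
    """Return one Finding per component, combining both evidence sources."""
    findings = []
    for comp in sbom:
        f = Finding(comp["name"], comp["version"])
        # Stage 1: the usual published-vulnerability search.
        f.published_vulns = list(known_vulns.get((comp["name"], comp["version"]), []))
        # Stage 2: behavioral traits no vulnerability feed would report.
        for host, country in observed_egress.get(comp["name"], []):
            if country != comp["declared_country"]:
                f.behavioral_traits.append(
                    f"egress to {host} ({country}) outside declared {comp['declared_country']}")
        findings.append(f)
    return findings
```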

Interested in learning more about securing your mobile app supply chain? You can hear how to get started and what to look for by watching our recent webinar.
