Methodology

Our unparalleled mobile application security solutions are developed with cutting-edge technologies that have been proven to outperform the competition. With threat models based on over ten years of experience, our comprehensive analysis covers common vulnerabilities as well as previously unknown zero-day threats across various execution paths and automated techniques like fuzzing, taint tracking, forced path execution and flow-based vulnerability scanning. We combine static traces with dynamic and interactive tracing for a thorough assessment.

Comprehensive Protection for Your Mobile Device with Our Suite of Analysis Engines

Comprehensive Analysis Coverage

Our suite of analysis engines provides a holistic approach to mobile security, incorporating various analysis techniques. Our proprietary SAST, DAST, and IAST solutions are designed to provide comprehensive protection for your mobile device. Our SAST solution utilizes a threat model that covers pre-installed apps, in addition to third-party apps present in any Android environment, varying among vendors. These techniques are fused together to provide an enhanced approach which further reduces false positives and improves reporting accuracy.

Open-Source Software & Advanced Protection

Unlike some vendors, we do not rely on open-source software for our analysis. Instead, our proprietary solutions are developed and designed by our leading R&D team with the techniques validated through peer-reviewed publications presented at the top computer security conferences. Our analysis engines offer comprehensive coverage of the mobile environment, making sure that no potential threats are missed. Our proprietary SAST, DAST, and IAST solutions are designed to be fast, efficient, and reliable, covering both pre-installed and third-party apps, making sure that your device is completely secure from any malicious apps or code.

Quokka’s Testing Process

Quokka’s Q-MAST solution goes beyond the capabilities of a traditional Software Composition Analysis (SCA) for Android & iOS applications. We analyze how libraries operate within a given context and identify potential encryption or privacy issues. Our static and dynamic analysis tests go beyond industry-standard OWASP CycloneDX reports, uncovering weaknesses and vulnerabilities not yet known to the public. We ensure your app is up to standard when it comes to security protocols like encryption standards and information sharing locations – ensuring you stay in line with your own privacy policy.

Our innovative approach to analyzing apps yields unparalleled insights into the security of an app. With our detailed information, we can detect a wide array of potential threats and trace back their origins with definitive accuracy – even in cases where running an application is impossible. We take pride in both developing tech that has been independently tested and publicly validated as well as going through rigorous peer-reviewing processes for each product’s effectiveness.

Q-MAST - Fundamental, Technical, and Quantitative Analysis

Permission Usage Analysis: Our comprehensive analysis of app permission usage utilizes a systematic, rigorous approach to ensure accuracy. We identify each and every single permission utilized by apps – from API calls to content providers – then determine whether it is properly declared and used, uncovering any missing permissions or those that are not needed for the app to properly function. Every detail you could imagine about an application’s security measures can be revealed with our advanced tests.

Comprehensive Manifest Analysis: Our security analysis uncovers hidden and potentially dangerous issues in app metadata files. We detect structural missteps as well as incorrect data usage to identify threats that can compromise confidentiality or integrity of an application. Offensive capabilities such as these require reasoning beyond the surface details, so our advanced algorithms delve deeper into context allowing us to spot even subtle signs of insecurity.

Common Weaknesses Identification Analysis: Our sophisticated security scans are designed to detect and identify any potential vulnerabilities that may be present in your code. We make use of cutting-edge analysis tools, run statically, dynamically, and via forced-path execution, to identify patterns that could expose your system to harm – such as crypto misuse, TLS/SSL vulnerabilities or webview weaknesses – and provide concrete evidence on how they can be addressed. With our proprietary rules carefully crafted for maximum coverage while avoiding unnecessary alarms, you’ll have total confidence knowing we are safeguarding your digital assets from any potential threats.

Vulnerability Detection Analysis: We not only specialize in finding weaknesses, we go a step further than other vendors and find zero-day vulnerabilities. The difference is immense; a weakness indicates potential for an exploit while a zero-day vulnerability means an exploit path has been identified. To give our clients peace of mind, we apply strict rules and threat models to identify destructive privilege escalation exploits that could lurk inside mobile applications. Advanced technology – like proprietary taint tracking and innovative fuzzing methods – helps us pinpoint these risks before they become big problems for your business.

Quokka Threat Scores

Our Q-MAST technology enables organizations to effectively measure the security and privacy preparedness of their applications. We’ve assigned “threat scores” to applications: a higher score on our threat scale means your system may be less equipped for protection, while a lower rating indicates more readiness against threats.
