Quokka: A Game-Changing Ally for US Government Data Security Solutions
Quokka: A Game-Changing Ally for US Government Data Security Solutions
Secure by Design:
AppSec Solutions Working in Partnership with Development
Secure by Design: AppSec Solutions Working in Partnership with Development

Schedule a Q-MAST Demo
Schedule a
Q-MAST Demo
Automated testing with Q-MAST means your Engineering, Security and DevOps teams spend less time and fewer resources on mitigating security, privacy and compliance risks and more time developing your apps.
Quokka Solutions give Agencies
the Key to Meet and Exceed
CISA Requirements
BOD 23-01
BOD-2301 - Recently released, Binding Operational Directive 2301 states, “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.”
While BOD 23-01 addresses more of the attack surface and outlines new requirements for cloud assets, operational technology and more in order to reduce cyber risk. The directive requires all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
Read the BlogQuokka Solutions give Agencies the Key to Meet and Exceed CISA Requirements
BOD 23-01
BOD-2301 - Recently released, Binding Operational Directive 2301 states, “Continuous and comprehensive asset visibility is a basic precondition for any organization to effectively manage cybersecurity risk. Accurate and up-to-date accounting of assets residing on federal networks is also critical for CISA to effectively manage cybersecurity for the Federal Civilian Executive Branch (FCEB) enterprise.”
While BOD 23-01 addresses more of the attack surface and outlines new requirements for cloud assets, operational technology and more in order to reduce cyber risk. The directive requires all Federal civilian agencies to report detailed data about vulnerabilities to CISA at timed intervals using automated tools.
Read the BlogHow Quokka Can Help Agencies meet BOD 23-01
CISA MAV or Mobile App Vetting (powered by Quokka), can perform the needed vulnerability identification in mobile assets automatically, helping Federal Civilian Executive Branch (FCEB) agencies meet the mobile specific requirements in the BOD. Our comprehensive reporting and analysis engine pinpoints potential risks down to the exact line of code with an application, giving developers actionable steps to address and patch their code before it can be used against them.
With Quokka Mobile Application Vetting, CISA Agencies can:
- Easily assess mobile apps against outlined CISA and NIAP security standards
- Identify and remove risky apps from app stores or flag these applications for careful consideration
- Create a watchlist for scanned apps and their future updates, monitoring for security and privacy flaws in each version release
How Quokka Can Help Agencies meet BOD 23-01
CISA MAV or Mobile App Vetting (powered by Quokka), can perform the needed vulnerability identification in mobile assets automatically, helping Federal Civilian Executive Branch (FCEB) agencies meet the mobile specific requirements in the BOD. Our comprehensive reporting and analysis engine pinpoints potential risks down to the exact line of code with an application, giving developers actionable steps to address and patch their code before it can be used against them.
With Quokka Mobile Application Vetting, CISA Agencies can:
- Easily assess mobile apps against outlined CISA and NIAP security standards
- Identify and remove risky apps from app stores or flag these applications for careful consideration
- Create a watchlist for scanned apps and their future updates, monitoring for security and privacy flaws in each version release
Trust, but Verify: Quokka Solutions Help
Agencies meet Zero Trust Security Policies
”As new mobile threats continue to emerge, businesses are constantly looking for ways to safeguard their data and mobile infrastructures. This NCCoE guide can help businesses feel more confident about securing their mobility programs while continuing to provide their employees with the flexibility of mobile device use.
GEMA HOWELLNIST Computer Scientist
Meet NIST 1800-22 Specifications
Quokka, formerly Kryptowire, is working with the NCCoE in the Mobile Device Security: Bring Your Own Device NIST SP 1800-22 Practice Guide Second Draft (released November 29, 2022) Use Case/Building Block to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for agencies and civilians using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.
NIST 1800-21 Specifications: Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
Securing mobile devices is critical as agencies and businesses extend from office environments to connecting and working from anywhere in the world. Quokka, then Kryptowire, worked closely with NIST as they developed detailed guidelines to address the challenges of securing corporate-owned personally – enabled devices.
NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used.
NIST 800-163 Special Publication: Vetting the Security of Mobile Applications
NIST Special Publication 800-53 [5] provides an extensive catalog of security and privacy controls designed for federal information systems. In addition, the document clearly outlines the process agencies and organizations can take for selecting controls to defend IT systems, individuals and other organizational assets from a variety of exploitable threats, such as hostile cyber-attacks, natural disasters, structural failures and human errors.
Trust, but Verify: Quokka Solutions Help Agencies meet Zero Trust Security Policies
”As new mobile threats continue to emerge, businesses are constantly looking for ways to safeguard their data and mobile infrastructures. This NCCoE guide can help businesses feel more confident about securing their mobility programs while continuing to provide their employees with the flexibility of mobile device use.
GEMA HOWELLNIST Computer Scientist
Meet NIST 1800-22 Specifications
Quokka, formerly Kryptowire, is working with the NCCoE in the Mobile Device Security: Bring Your Own Device NIST SP 1800-22 Practice Guide Second Draft (released November 29, 2022) Use Case/Building Block to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for agencies and civilians using IT systems; and encourage development of innovative, job-creating cybersecurity products and services.
NIST 1800-21 Specifications: Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
Securing mobile devices is critical as agencies and businesses extend from office environments to connecting and working from anywhere in the world. Quokka, then Kryptowire, worked closely with NIST as they developed detailed guidelines to address the challenges of securing corporate-owned personally – enabled devices.
NIST does not evaluate commercial products under this Consortium and does not endorse any product or service used.
NIST 800-163 Special Publication: Vetting the Security of Mobile Applications
NIST Special Publication 800-53 [5] provides an extensive catalog of security and privacy controls designed for federal information systems. In addition, the document clearly outlines the process agencies and organizations can take for selecting controls to defend IT systems, individuals and other organizational assets from a variety of exploitable threats, such as hostile cyber-attacks, natural disasters, structural failures and human errors.

NIAP v1.4 Mobile App Vetting
In recent years, cybercriminals are adding more attack surfaces to their arsenal of threats, including targeting privileged and third-party apps used on mobile devices. As a result of the National Information Assurance Partnership’s published (NIAP) Protection Profile, Quokka has worked with federal agencies to meet both the functional and assurance requirements outlined in this profile.
Read the Full NIAP Protection Profile
NIAP v1.4
Mobile App Vetting
In recent years, cybercriminals are adding more attack surfaces to their arsenal of threats, including targeting privileged and third-party apps used on mobile devices. As a result of the National Information Assurance Partnership’s published (NIAP) Protection Profile, Quokka has worked with federal agencies to meet both the functional and assurance requirements outlined in this profile.
Read the Full NIAP Protection ProfileKnowledge Sharing increases Cyber Awareness:
Timeline of Research and Threats Discovered by Quokka Experts
October 2021
BLU G90 – Arbitrary Code and Command Execution as Root User
CVE-2021-41848: Due to multiple flaws in Simo’s software update process, a third-party app that the user downloads and grants write access to external storage, can provide fake Simo software update files that will be treated as authentic to achieve persistent command and code execution as the root user.
Read MoreNovember 2021
All Android v10 & v11 Devices - Disable Arbitrary App Components
CVE-2021-0706: All Android devices running Android versions 10 and 11 allowed third-party apps to disable arbitrary app components, allowing third-party apps to cause the device to persistently crash at startup (requiring the user to wipe the device), create ransomware, bypass third-party lock screens, and weaken platform security. This vulnerability resided in the core Android code (known as Android Open Source Project or AOSP).
Read MoreFebruary 2022
Samsung Devices - Intent Injection as System User
CVE-2022-22292: Affecting all Samsung Android devices running versions 9 through 12, third-party apps co-located on the device could programmatically install apps, uninstall apps, wipe the device, make phone calls, and install certificate authorities due to a vulnerable pre-installed app.
March 2022
UNISOC SoC Devices – Arbitrary Command Execution as System User
CVE-2022-27250: Various Android devices with UNISOC chipsets SC9863A, SC9832E, and SC7731E contain a pre-installed app that allows third-party apps to execute arbitrary commands as the system user, obtain the unique device identifiers, leak GPS coordinates, leak various Personally Identifiable Information (PII) such as text messages and call log, wipe the device, record audio, read arbitrary files, and more.
Knowledge Sharing increases Cyber Awareness:
Timeline of Research and Threats Discovered by Quokka Experts
October 2021
BLU G90 – Arbitrary Code and Command Execution as Root User
CVE-2021-41848: Due to multiple flaws in Simo’s software update process, a third-party app that the user downloads and grants write access to external storage, can provide fake Simo software update files that will be treated as authentic to achieve persistent command and code execution as the root user.
Read MoreNovember 2021
All Android v10 & v11 Devices - Disable Arbitrary App Components
CVE-2021-0706: All Android devices running Android versions 10 and 11 allowed third-party apps to disable arbitrary app components, allowing third-party apps to cause the device to persistently crash at startup (requiring the user to wipe the device), create ransomware, bypass third-party lock screens, and weaken platform security. This vulnerability resided in the core Android code (known as Android Open Source Project or AOSP).
Read MoreFebruary 2022
Samsung Devices - Intent Injection as System User
CVE-2022-22292: Affecting all Samsung Android devices running versions 9 through 12, third-party apps co-located on the device could programmatically install apps, uninstall apps, wipe the device, make phone calls, and install certificate authorities due to a vulnerable pre-installed app.
March 2022
UNISOC SoC Devices – Arbitrary Command Execution as System User
CVE-2022-27250: Various Android devices with UNISOC chipsets SC9863A, SC9832E, and SC7731E contain a pre-installed app that allows third-party apps to execute arbitrary commands as the system user, obtain the unique device identifiers, leak GPS coordinates, leak various Personally Identifiable Information (PII) such as text messages and call log, wipe the device, record audio, read arbitrary files, and more.
Featured Resources
Resources Landing PageInformation Security for Federal Government Agencies
The Federal Government is facing increasing challenges in terms of cybersecurity. To address this, they must modernize and strengthen its infrastructure to protect against cyberthreats and share information between agencies.
Read MoreZero Trust Architecture: Mobile App and Device Security for Federal Agencies
Federal agencies are being mandated to deploy a Zero Trust model by 2024 however many overlook the importance of mobile application security. This whitepaper outlines how to avoid this pitfall and exponentially reduce your threat landscape.
Read MoreQ-MAST Solution Spotlight:
Federal Agency
Q-MAST Solution Spotlight: Federal Agency
When security, privacy, and discretion are key, federal agencies lean on Q-MAST to establish trust.
Read MoreNewsletter
Subscribe today for news, updates, and insights for your work and live anywhere world.