Distributed development and supply chains expose your apps to zero-day exploits

Rely on Q-mast Automated Mobile Application Security Testing (MAST) for Android and iOS apps

Secure by Design

Shift security left in the SDLC to save development costs and avoid releasing app code – especially 3rd party code libraries – that can be exploited

Visibility into mobile apps

Zero Trust Architecture (ZTA) requires visibility into all assets – and the ability to test apps extensively for zero-day vulnerabilities and threats.

Trusted by the US Federal Government since 2011

“Quokka’s step-by-step approach has notably improved how we handle mobile application vulnerabilities. It’s made managing security assessments across our mobile app ecosystem much smoother and more effective and brought consistency to our security standards. Quokka stands out as a collaborative partner, providing proactive support that truly enhances our experience.”

Security Leader, Fortune 100 CPG Company

Q-mast automated mobile app security testing

Comprehensive static (SAST), dynamic (DAST), interactive (IAST) and forced-path execution app analysis

Automated scanning in minutes, no source code needed, even for latest OS versions

Analysis of compiled app binary, regardless of in-app or run-time obfuscations

Malicious behavior profiling, including app collusion

Checks against privacy & security standards: NIAP, NIST, MASVS

Precise SBOM generation and analysis for vulnerability reporting to specific library version, including embedded libraries

Cloud-based platform to avoid drag on hardware or bandwidth

Fewer false negatives with fewer false positives

Supports Mobile Application Security Testing (MAST) standards

OWASP, NIAP, NIST, CVE, SARIF

Quokka (then Kryptowire) contributed automated analysis using proprietary mobile app vetting infrastructure

The Quokka Advantage

Benefits of mobile security that make you smile

Peace of mind

Know your app security intelligence solution delivers the industry’s most comprehensive insights, even for the latest OS versions, in minutes

Informed decisions

Make risk-based business decisions throughout the SDLC to balance speed of app deployment with security measures

ROI of prevention

Scan 100% of compiled app binary – including 3rd party code libraries – to prevent supply chain attacks that harm your brand

Protecting the mobile ecosystem

Mobile security has historically been underfunded – Quokka can cost-effectively reduce mobile risks.

Security teams

Get visibility into all mobile apps and enable DevSecOps practices in order to protect your organization from mobile zero-day attacks

~50% of organizations experience mobile compromises[1]

App developers

Ship high-quality, secure apps faster to keep up with the pace and complexity of development while protecting your organization from fraud and breaches

Run automated tests 90% faster than manual testing[3]

Achieving mobile zero trust requires visibility into mobile assets and insights on threats – as they emerge

Rely on the industry’s only proprietary, defense-grade app scanning engines that uncover more security, privacy, and malicious behavior findings than any other app testing tool

Quokka Core

External code fetches, website visits, network traffic

Hard coded keys, Weak hash, Insecure web-views, permission usage analysis

Capabilities of other app testing tools

RASP & TLS friendly dynamic analysis

Covers crypto best practices, dynamic code, inter-component and inter-app communication, tapjacking, PII leaks, input validation, tracking, webview weaknesses, and many more.

Quokka Advanced

Code/Data Sharing Detection (App Collusion)

In-app purchase vulnerability, unprotected permission exploit

Exploitable inter-app communication vulnerabilities:

  • Message to app to crash or brick the device
  • Message to app to leak recording of device screen

Advanced SBOM:

  • Transitively identifies common libraries used by an app, their version, and their public CVEs
  • Novel ways to handle obfuscations and code shrinkage

Quokka NextGen

Malicious code that runs only after app runs for a long time

Remote Command & Control to give access to app, device or files

Read sensitive PII data like device location and send over network

Static App Analysis Comparison

[Chart: Quokka vs. Competitive Average, scored from 1 = Not Competitive to 4 = Industry Leading, across the following categories]

  • Flow-Based Vulnerability Scanning
  • Software Bill Of Materials Analysis
  • Code/Data Sharing Detection
  • Misconfiguration Detection
  • iOS Pattern-Based Weaknesses Scanning
  • Android Pattern-Based Weaknesses
  • App Permission Usage Analysis

Dynamic App Analysis Comparison

[Chart: Quokka vs. Competitive Average, same 1 to 4 scale, across the following categories]

  • Forced-Path Execution Analysis (dynamic analysis and behavioral profiling without input)
  • Zero-day Denial-of-Service Scanning
  • Dynamic Analysis and Behavioral Profiling (runtime with known input)

Quokka technology powers CVE discovery

Backed by original mobile security research

MAST + Pen Testing = Better together

Defense in depth to identify with high confidence exploitable security vulnerabilities, privacy risks, and malicious behavior

Threat detection and response process

  • MAST before pen testing
  • World class people and process
  • In depth threat detection
  • Thorough investigation
  • Organization informed decisions
  • Rapid response recommendations
  • Continuous improvement and transparency

See Q-mast in action

Explore how Quokka delivers actionable mobile security intelligence

PRIVACY-FIRST MOBILE ENDPOINT PROTECTION

Respect the privacy of workers, manage mobile access & secure corporate resources.

APP VETTING FOR 3RD PARTY APPS

Scan and vet apps from public or private app stores without the need for source code.