The US Federal Government has trusted Quokka since 2011 as a partner and a customer. Federal, State, and Local governments should leverage Quokka’s mobile app risk intelligence to reduce their mobile attack surface.
Vulnerable or malicious apps can expose sensitive data, enable surveillance, and create attack paths into government systems and mission operations. State-sponsored hackers exploit vulnerabilities to conduct espionage, sabotage missions, and compromise defense networks at scale.
Mobile apps used by employees across critical infrastructure agencies can introduce hidden risks, including data leakage, spyware, and supply chain vulnerabilities that threaten operational resilience and public safety.
Apps can persistently collect data and users’ private information throughout the entire device, not just within the app or while the app is active. That data can be used to build detailed profiles used for spearphishing, espionage, or even blackmail.
The Office of Inspector General (OIG) released a report showing that, despite the use of an MDM and MTD, 76% of mobile apps installed on DHS Intelligence and Analysis’ (I&A) mobile devices pose security risks, are explicitly prohibited, or allow explicitly prohibited activities.
This resulted in a higher risk of cyberattacks and unauthorized access to sensitive information. The OIG recommended that DHS implement effective mobile app vetting because their existing tools and processes were insufficient to prevent these risks.
Continuously evaluate the risks of mobile apps used by employees across agencies
Integration with MDM/ UEM platforms for automated remediation
Agentless deployment that scales across large and distributed agencies
Analyzes pre-installed, hidden, and privileged Android applications embedded in device firmware.
Automated scanning of mobile app without requiring source code
Detection of vulnerable SDKs, insecure data storage, and supply chain risks
Quokka (then Kryptowire) participated in creating the NIST Special Publication 1800-22 and its insights and technologies were part of the example solutions used in the guide under the Cooperative Research and Development Agreement.
This process can be used to ensure that mobile applications conform to an organization’s security requirements and are reasonably free from vulnerabilities. Quokka’s Q-scout automates the mobile app vetting process and enables scalability.
Q-scout’s agentless, MDM-integrated approach to mobile app vetting automates the discovery and reporting of mobile app vulnerabilities at agency scale and within the directive’s required timeframes.
Quokka’s AI-powered mobile app risk intelligence empowers informed decisions across the mobile ecosystem.
Complete visibility into app actions, data flows, and potential risks across your mobile ecosystem
Actionable insights that reduce false positives and prioritize real threats for faster response
Compliance-ready reporting that simplifies audits and demonstrates a defensible mobile security posture
Seamless integration that enhances existing mobile app security investments and streamlines development workflows
Government Partners
iOS and Android mobile apps can contain spyware, vulnerable SDKs, excessive permissions, insecure data collection practices, or hidden behaviors that expose sensitive government data and create attack paths into agency systems.
Apps can persistently collect location history, contacts, credentials, microphone and camera data, and behavioral patterns — not just within the app itself, but across the entire device, and even when the app is not actively in use. For federal employees, that data can be used by foreign adversaries to build detailed profiles for spearphishing, espionage, or blackmail targeting individuals with security clearances or access to sensitive systems.
Quokka helps agencies align with frameworks and directives including NIST SP 800-163, NIST SP 1800-21, NIAP, and CISA BOD 23-01 through automated mobile app vetting and continuous risk monitoring.
Zero Trust verifies users and devices at the network level, but it doesn’t inspect what an app does once it has legitimate access. A trusted device running a malicious or data-harvesting app can exfiltrate sensitive information through permitted channels, bypassing Zero Trust controls entirely. Mobile app vetting addresses this blind spot by analyzing app behavior, data flows, and third-party SDK activity before and during deployment.
Copyright © 2026, Quokka. All rights reserved.