If your app has security flaws, our cyber experts will find them
We carry our lives around on our phones.
You hear it all the time and it's true. But as "bring your own device" becomes the norm in private enterprise and government, we're increasingly toting more than just our own lives. Through enterprise mobility apps we're carrying around access to company networks, proprietary data, sensitive customer information, and more.
With that kind of accessibility, a single compromised device could mean severe consequences for organizations and the lives of their customers and employees. If you're charged with developing, integrating, or maintaining mobile apps, you had better be certain that they're secure.
That’s why Booz Allen created AppCritique, to make it easier to thoroughly vet Android and iOS mobile apps for security vulnerabilities.
Today’s enterprise mobile app developers have their hands full. The mobile development ecosystem evolves at a rapid pace—far faster than the PC software world. Android and iOS software application program interfaces (APIs) change on a 9-month basis. Keeping apps updated with these latest features along with security fixes from Google and Apple is beyond a full-time job. Simultaneously maintaining full awareness of known vulnerabilities and threat actor’s evolving tools, techniques, and procedures is a juggling act that’s next to impossible.
AppCritique’s free, fully-automated mobile app vulnerability analysis service puts uploaded apps through dozens of checks, including for some of the latest detectable vulnerabilities. By providing detailed security reports within hours or even minutes, it frees app developers to better concentrate on delivering in-demand features and capabilities that take full advantage of iOS and Android’s latest functionality.
Booz Allen's Corey Garst and Chris Forant lead the project team that developed AppCritique. Corey is an expert in mobile security research and analysis, while Chris is an app developer and cybersecurity expert who works with our U.S. intelligence community clients.
“Some of Booz Allen’s best app developers, malware analysts, and penetration testers created AppCritique. We designed this unique tool to generate the most comprehensive mobile app security reports possible,” says Corey. “Our engine is built for flexibility, so we often add security checks based on evolving platform documentation, emerging appsec research, and industry awareness publications like the Open Web Application Security Project Top 10.”
“Our best app developers, malware analysts, and penetration testers created AppCritique. We designed it to generate the most comprehensive mobile app security reports possible.”
The degree to which we succeeded at that goal—creating the most comprehensive mobile app security reports possible—is perhaps best demonstrated by the fact that the AppCritique team helped the National Institute of Standards and Technology (NIST) create the industry’s first unified list of the capabilities and techniques used to identify vulnerabilities in mobile applications. NIST, a physical sciences laboratory within the U.S. Department of Commerce, supplies standard reference materials for industry, government, and academia as part of its mission.
Corey is proud to bring much of AppCritique’s industry-defining core functionality to the public for free. “AppCritique’s automated assessment is in a league of its own as far as free tools go,” he says.
Automated scans and reports are the be-all and end-all for most mobile app security vetting services, but with AppCritique’s paid tier, AppCritique Pro, they’re only the starting point.
For AppCritique Pro, elite cyber practitioners like Chris and Corey deliver written reports that are in depth, customizable, and repeatable. In addition to providing straightforward risk ratings and remediation recommendations, the reports verify implementation of secure credential storage; illuminate sensitive data leakage to Wi-Fi networks, cellular networks, and other apps; list the domains, APIs, and countries that an app talks to; and more.
“The AppCritique team brings together a unique mix of experts from government, defense, and private enterprise,” says Chris. “Our clients benefit from an encompassing, cross-sectoral understanding of the threat landscape.”
For organizations, that means the ability to get proactive about securing their networks and data against the elevated risks brought by increased enterprise mobility. For app developers, it means the power to work with the confidence that their products are secured to the full extent possible.
