Mobile Vulnerability Analysis

Discover zero-day vulnerabilities automatically and at scale

Automated vulnerability discovery by Kryptowire

Discovering vulnerabilities can be cumbersome, error-prone, and costly when your employees’ devices have hundreds of third-party applications, updates, and libraries that are exposed to software vulnerabilities and zero-day threats on a daily basis. A single insecure device may result in irreparable data losses, compromised networks, and millions of dollars in damages to your enterprise.

The traditional approach of using manual penetration testing is too costly and time-consuming to keep up with the large number of devices and updates deployed in modern organizations. To solve this problem, Kryptowire has developed an automated vulnerability discovery and exploit generation engine that scales easily to cover every device, application, and update in your enterprise inventory. Our tool has been used to discover and document over 145 CVEs in the last year alone and is now available for commercial use.

More detailed view of our automation

This PDF will give you a deeper dive into our automated system that reports vulnerabilities.

How Kryptowire’s automatic scan works

1. Mobile Apps & Firmware Collection

Mobile Apps and Firmware images are collected and processed by the App analysis system using a cloud or on-premise appliance.


2. Vulnerabilities Discovered

The automated system reports vulnerabilities with the type (e.g. command execution) and all necessary data to generate a proof of concept.

  • Command Execution
  • Log Leakage
  • Network Settings Modification
  • SMS Sending/Spoofing
  • Screenshot Capturing
  • System Properties Modifications
  • Factory Reset
  • App Installation
  • App Uninstallation
  • AT-Command Execution
  • Audio Recording
  • Video Recording
  • Dynamic Code Loading
  • And More…

3. Exploits Generated

An analyst leverages the output of the automated system to validate and generate Proof of Concept exploits. The POCs can be tested and validated in live environments.

Sample Results – November 2019 CVEs


Automatically Scan Pre-Installed Android Apps for Security Vulnerabilities.

See our FIRMSCOPE presentation at the 29th USENIX Security Symposium. August 12–14, 2020.

For more technical details download the USENIX Security Symposium.

The EU General Data Protection Regulation (GDPR) is in effect as of May 25, 2018. Are your mobile apps GDPR compliant?