Mobile Application Discovery


Mobile Application Discovery in cybersecurity is the proactive and continuous process of identifying and inventorying all mobile applications (both sanctioned and unsanctioned) that are officially published by, or functionally associated with, an organization. It involves scanning public marketplaces and various repositories to map the organization's mobile attack surface.

The Discovery Process and Rationale

The primary goal of this discovery is to ensure that every mobile endpoint capable of interacting with corporate resources or presenting the company brand is brought under the visibility of the security team.

1. External Source Monitoring

Discovery relies on external, unauthenticated monitoring of public repositories, which include:

  • Official Marketplaces: Google Play Store and the Apple App Store.

  • Third-Party Repositories: Independent or regional app stores and online file repositories that host Android application packages (APKs), often re-uploaded copies of apps originally published elsewhere.

2. Identifying Mobile Assets

The process uses various identifiers to link an application back to an organization:

  • Developer Name and Package Names: Identifying apps published under the organization's official developer account or within its reverse-DNS package namespace (for example, com.example.*).

  • Brand and Intellectual Property: Searching for apps that use the organization's logo, branding, or trademarks.

  • Code and Certificate Analysis: Comparing the application's signing certificate against the organization's known release certificates, or looking for specific code strings, hostnames, or resources that tie the app to the organization.

3. Comprehensive Inventory

The outcome is a comprehensive list, which includes:

  • Official Apps: The intended, managed applications.

  • Shadow Apps: Test, deprecated, or legacy versions of apps that were never properly removed from marketplaces and remain downloadable, and often still installed and running on user devices.

  • Impersonation/Phishing Apps: Malicious, unauthorized lookalike apps created by threat actors to steal user credentials or distribute malware under the organization's brand name.
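The identifiers above combine into a triage rule for each listing a discovery crawl returns. The script below is an added example, not ThreatNG code; the organization profile, listings, and certificate fingerprints are constructed placeholders. It relies on the signing certificate as the one identifier an impersonator cannot copy, and uses the managed-app inventory to separate official apps from shadow builds.

```python
"""Triage marketplace listings against an organisation's own identifiers.
Added example, not ThreatNG code. Every name, package, developer and
certificate fingerprint below is a constructed placeholder."""
from dataclasses import dataclass

# Assumed organisation profile (constructed). The fingerprints are SHA-256
# digests of the release signing certificates; on Google Play this is the
# "app signing" certificate, which differs from the upload key when Play
# App Signing is used.
ORG = {
    "brand_tokens": ("acme",),
    "package_prefixes": ("com.acme.",),
    "developer_names": {"acme corp"},
    "signing_cert_sha256": {"a1b2" * 16},
    "managed_packages": {"com.acme.banking", "com.acme.wallet"},
}


@dataclass
class Listing:
    store: str
    package: str
    title: str
    developer: str
    cert_sha256: str  # hex digest, colons optional, any case


def _norm(text: str) -> str:
    """Lower-case and drop non-alphanumerics so 'ACME-Bank' == 'acme bank'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def classify(listing: Listing, org=ORG):
    fp = listing.cert_sha256.replace(":", "").lower()
    signed_by_org = fp in org["signing_cert_sha256"]
    in_namespace = listing.package.startswith(org["package_prefixes"])
    org_developer = listing.developer.lower() in org["developer_names"]
    brand_hit = any(t in _norm(listing.title) or t in _norm(listing.developer)
                    for t in org["brand_tokens"])

    # Developer display names and titles are free text on every store, and on
    # third-party stores a repackaged APK keeps the original package name but
    # carries the uploader's certificate. Only the certificate is trusted here.
    if signed_by_org:
        if listing.package in org["managed_packages"]:
            return "official", "org signing cert, in managed inventory"
        return "shadow", "org signing cert, not in managed inventory (test/legacy build?)"
    if in_namespace or org_developer or brand_hit:
        return "impersonation", "org brand/namespace/developer name, foreign signing cert"
    return "unrelated", "no organisational identifier matched"


def triage(listings, org=ORG):
    """Map package name -> (label, reason) for every discovered listing."""
    return {lst.package: classify(lst, org) for lst in listings}


# Constructed marketplace results, as a discovery crawl might return them.
SAMPLE_LISTINGS = [
    Listing("Google Play", "com.acme.banking", "ACME Bank", "ACME Corp", "A1B2" * 16),
    Listing("APKPure", "com.acme.banking.beta", "ACME Bank Beta", "ACME Corp",
            ":".join(["a1", "b2"] * 16)),
    Listing("Aptoide", "com.acmebank.secure", "ACME Bank Secure Login", "Acme Support",
            "ff" * 32),
    Listing("Google Play", "com.other.todo", "Todo List", "Other Dev", "ee" * 32),
]

if __name__ == "__main__":
    for pkg, (label, why) in triage(SAMPLE_LISTINGS).items():
        print(f"{label:13} {pkg:25} {why}")
```

A listing in the organization's own namespace but signed with a foreign key is classified as impersonation by default; if a second team legitimately signs with a different key, add that certificate to the profile rather than relaxing the rule.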

Cybersecurity Assessment

Once a mobile application is discovered, the next step is to analyze its contents for security risks. This deep analysis focuses on:

  • Hardcoded Credentials: Scanning the compiled code for exposed secrets, such as plaintext API keys, cloud access tokens (e.g., AWS or Google API keys), or sensitive security credentials.

  • Insecure Data Storage: Checking whether the application writes sensitive user data or session tokens unprotected to the device's local storage, where other apps, backups, or a device forensic image can read them.

  • Vulnerable Dependencies: Identifying if the app relies on outdated or vulnerable third-party libraries.

By performing Mobile Application Discovery, security teams can proactively mitigate risks associated with mobile API keys, user data leakage, and damage to brand reputation caused by malicious impersonators.

ThreatNG is specifically designed to address Mobile Application Discovery as a crucial part of external attack surface management by actively scanning public marketplaces and analyzing application contents from an attacker's external perspective.

ThreatNG's Role in Mobile Application Discovery

External Discovery and Continuous Monitoring

ThreatNG performs purely external, unauthenticated discovery, which suits mobile applications because they are published in public marketplaces. The platform's Mobile Application Discovery module is dedicated to finding apps related to the organization under investigation across various marketplaces, including the Amazon Appstore, Apple App Store, Google Play, APKPure, and Aptoide. Through Continuous Monitoring, ThreatNG alerts the security team when a new, vulnerable, or unauthorized version of an app is published, or when an old version is not properly removed, so that mobile risk does not go unmanaged.

External Assessment and Examples

ThreatNG uses the discovery of mobile applications and their contents to drive a specific security rating:

  • Mobile App Exposure Security Rating: This dedicated rating evaluates how exposed an organization’s mobile apps are. It is based on the discovery of the apps in marketplaces and the subsequent analysis of the contents for exposed secrets. This rating provides a precise, objective measure (A-F scale) of the mobile attack surface risk.

    • Example: The rating is negatively affected by the presence of hardcoded secrets such as an Amazon AWS Access Key ID, Stripe API Key, or Facebook Access Token. Discovering a Twilio API Key within the application content immediately degrades this score, because anyone who downloads the package can extract and use the key against the organization's API.

Investigation Modules and Examples

The Mobile Application Discovery module functions as the core investigation tool:

  • Mobile Application Discovery: This module not only locates the apps in marketplaces but also performs analysis on their contents for three major risk categories:

    • Access Credentials: It searches for hardcoded API keys and tokens for services, including Google API Key, GitHub Access Token, Heroku API Key, and PayPal Braintree Access Token. Example: ThreatNG identifies an organization's app and discovers a hardcoded Square OAuth Secret, a critical non-human identity credential.

    • Security Credentials: It looks for cryptographic keys such as a PGP private key block, RSA Private Key, and SSH EC Private Key. Example: An RSA Private Key found in the package is available to anyone who downloads the app and must be treated as compromised; whatever it protects (TLS pinning, client authentication, signing) is at risk until it is rotated.

    • Platform Specific Identifiers: It looks for indicators like Amazon AWS S3 Bucket names and Firebase identifiers. Example: Discovering an exposed Firebase identifier could reveal the organization's backend cloud configuration to an attacker.
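The three risk categories above, and the hardcoded-credential check in the Cybersecurity Assessment section earlier on this page, come down to pattern-matching the contents of the downloaded package. The scanner below is an added example, not ThreatNG code: it treats an APK as the zip archive it is, runs byte-level regexes over every entry (so binary classes.dex and resources.arsc entries are covered without decoding), and redacts what it finds. The APK is constructed in memory so the script runs offline; the AWS key is the one from AWS documentation and the other values are shape-only placeholders.

```python
"""Scan an APK (a zip archive) for hardcoded secrets and platform
identifiers of the three kinds described above. Added example, not
ThreatNG code. The APK is constructed in memory so the script runs
offline; its secrets are documented or shape-only placeholders."""
import io
import re
import zipfile
from collections import namedtuple

Finding = namedtuple("Finding", "entry category name severity value")

# Patterns are bytes so binary entries (classes.dex, resources.arsc) can be
# scanned without decoding. Severity reflects what the match alone proves:
# a Google API key is meant to ship in an app and is only a problem when it
# is unrestricted, so it is "review" rather than "critical".
PATTERNS = [
    ("access_credential", "AWS Access Key ID", "critical",
     rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    ("access_credential", "Stripe secret key", "critical",
     rb"sk_(?:live|test)_[0-9A-Za-z]{24,}"),
    ("access_credential", "Google API key", "review",
     rb"AIza[0-9A-Za-z_-]{35}"),
    ("security_credential", "Private key block", "critical",
     rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY(?: BLOCK)?-----"),
    ("platform_identifier", "Firebase Realtime Database URL", "info",
     rb"https?://[a-z0-9-]+\.firebaseio\.com"),
    ("platform_identifier", "S3 bucket hostname", "info",
     rb"(?<![a-z0-9.-])[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
     rb"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
]


def redact(raw: bytes, severity: str) -> str:
    """Keep enough of a credential to identify it, never the whole value."""
    s = raw.decode("ascii", "replace")
    if severity != "critical" or len(s) <= 12:
        return s
    return s[:6] + "..." + s[-4:]


def scan_apk(apk_bytes: bytes):
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for category, name, severity, pattern in PATTERNS:
                for m in re.finditer(pattern, data):
                    findings.append(Finding(info.filename, category, name, severity,
                                            redact(m.group(0), severity)))
    return findings


def summarize(findings):
    """Count findings per category, the shape a rating or report consumes."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample values: AWS documentation example key, shape-only rest.
FAKE_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
FAKE_GOOGLE_KEY = "AIzaSy" + "X" * 33
FAKE_STRIPE_KEY = "sk_test_" + "4" * 24


def build_sample_apk() -> bytes:
    """Constructed APK-shaped zip. In a real APK, resources sit in the binary
    resources.arsc and code strings in classes.dex; assets/ files are stored
    verbatim, which is where config files and stray keys usually turn up."""
    config_json = (
        '{"maps_key": "%s", "stripe": "%s",\n'
        ' "db_url": "https://acme-prod.firebaseio.com",\n'
        ' "upload_host": "acme-mobile-uploads.s3.amazonaws.com"}\n'
        % (FAKE_GOOGLE_KEY, FAKE_STRIPE_KEY)
    )
    pem = ("-----BEGIN RSA PRIVATE KEY-----\n"
           "MIIEowIBAAKCAQEA(placeholder body)\n"
           "-----END RSA PRIVATE KEY-----\n")
    # Filler bytes around an ASCII string stand in for a dex string table.
    fake_dex = b"dex\n035\x00" + b"\x00" * 16 + FAKE_AWS_KEY.encode() + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML stub
        zf.writestr("assets/config.json", config_json)
        zf.writestr("assets/keys/backup.pem", pem)
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f"[{f.severity}] {f.entry}: {f.name} -> {f.value}")
```

Run it against a real package with `scan_apk(open("app.apk", "rb").read())`. Obfuscated or string-encrypted builds will hide values from a plain regex pass, and a match is only a lead: an AWS key must still be checked for validity and scope before it is rated critical, which is the verification step the rest of this page describes.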

Intelligence Repositories and Reporting

ThreatNG uses its intelligence repositories to contextualize the severity of the mobile app findings:

  • Intelligence Repositories (DarCache):

    • Compromised Credentials (DarCache Rupture): If ThreatNG discovers a hardcoded credential (e.g., a User or Account password) within the mobile app, this repository checks if that credential is also circulating on the dark web. This validation provides high certainty to the mobile exposure risk.

  • Reporting: The output includes the Mobile App Exposure Security Rating and prioritized reports. This structured reporting is essential for communication. The Context Engine™ helps deliver Legal-Grade Attribution for mobile app findings, giving security leaders the certainty to enforce key rotation and app removal.

Complementary Solutions

ThreatNG's external mobile discovery findings can be powerfully used by other security systems:

  • Mobile Application Security Testing (MAST) Tools: When ThreatNG discovers a specific security flaw, such as a hardcoded AWS access key, this external finding can be shared with an internal MAST tool. The MAST tool can then use this context to perform a deeper, authenticated analysis of the entire application codebase and look for similar hardcoding patterns or vulnerabilities that the external scan might have missed, accelerating remediation.

  • Cloud Identity and Access Management (IAM) Systems: The discovery of a hardcoded Google Cloud Platform OAuth token from the mobile app is sent to the organization's IAM system. The IAM system can automatically use this external alert to immediately revoke the exposed token and issue a new one, mitigating the mobile attack vector before it can be exploited.

  • Brand Protection Services: ThreatNG’s discovery of a mobile app, especially if its rating is poor, can be shared with a brand protection service. If the app is unauthorized or malicious (an impersonator), the service can then use this evidence to initiate the official process of requesting removal from marketplaces like Google Play or the Apple App Store, safeguarding the organization's reputation.
