Kryptowire

Automated Mobile Application Security Testing

Kryptowire analyzes Android and iOS mobile applications for compliance with internationally recognized security and privacy standards such as the National Information Assurance Partnership (NIAP) Protection Profile for Application Software and the General Data Protection Regulation (GDPR).

Features

  • Automated analysis of Android and iOS mobile apps
  • Automated analysis does not require source code
  • Privacy and GDPR Compliance Testing
  • Integration with Mobile Device Management (MDM) technologies
  • Provides pass/fail evidence down to the line of code
  • National Information Assurance Partnership (NIAP) compliance testing
  • Automated testing of 3rd-party libraries
  • Data accessible via REST API
  • Custom Risk Scoring to match enterprise security and privacy policies
  • Cloud-based solution does not access any end-user data

Benefits

  • Fully automated mobile app analysis
  • No lab or network setup required
  • Standards-based compliance testing
  • Integration with software development cycle through REST API
  • Reduces time and cost of security analysis
  • Automated tools make the technology accessible to non-experts
  • Web-based solution requires no on-site software or hardware installation
  • Automatic updates to cloud service, no maintenance required
  • Remediate non-compliant mobile applications
  • Compliance with industry standards and regulations

Pricing

£50000 per unit

  • Education pricing available
  • Free trial available

Framework: G-Cloud 11

Service ID: 934115200736104

Supplier: Kryptowire

Contact: Tom Karygiannis

Phone: +12025316420

Email: tom@kryptowire.com

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Kryptowire mobile app security testing can be an add-on to Mobile Device Management technologies, such as VMware AirWatch, MobileIron, BlackBerry, Citrix, and Microsoft Intune. Kryptowire can be integrated with other 3rd-party technologies through the Kryptowire REST API.
Cloud deployment model:
  • Private cloud
  • Hybrid cloud
Service constraints: Telephone support is available from 1:00 PM through 6:00 PM (GMT+1).
System requirements: Latest version of the Chrome, Firefox, Safari, or Internet Explorer web browser.

User support

Email or online ticketing support: Email or online ticketing
Support response times: Kryptowire responds within 1 business day to all email requests.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Kryptowire provides 3 support levels. Level 1 support includes all maintenance, software updates, telephone, and email support. Level 2 support includes professional services to help software developers remediate any security problems discovered in in-house developed applications during the automated analysis. Level 3 support includes professional services to help remediate any security problems discovered during the automated security analysis of 3rd-party mobile apps. Level 1 and Level 2 professional services are billed at £200/hour. Kryptowire provides both an account manager and a technical cloud support engineer.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: The Kryptowire service automatically tests mobile application binaries without requiring access to source code and without the user being required to set up any lab test environment. The user can upload a mobile app binary to the cloud service or select an app from an official app store for analysis. Kryptowire provides tutorials, documentation, online live training, email, and telephone support to help users with any questions.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: The customers' mobile app security analysis reports can be downloaded in Portable Document Format (PDF) or JavaScript Object Notation (JSON) format. All the reports and data are accessible via a REST API throughout the duration of the contract.
End-of-contract process: The customer has an option to renew the contract. If this option is not exercised, the customer can securely download all their data and store it locally in accordance with their own security policies. Kryptowire notifies and obtains permission from the customer to permanently delete all customer data in accordance with the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1, Guidelines for Media Sanitization. These close-out activities are performed at no additional cost.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: No
Designed for use on mobile devices: No
API: Yes
What users can and can't do using the API: Authorised users can access Kryptowire's automated mobile app security testing results through a REST API. The Kryptowire REST API allows for integration into the user's workflow, custom reporting, and analytics support.
API documentation: Yes
API documentation formats:
  • HTML
  • PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Customers can access all the Kryptowire mobile application test results through a REST API to customise their internal workflow, integrate with 3rd-party technologies, and customise reports. The user can perform the customisation or request Kryptowire professional services to perform the customisation.

Scaling

Independence of resources: The offering is a cloud-based Software-as-a-Service that dynamically scales on demand. The hardware, software, and networking infrastructure scales to ensure consistent quality of service for all customers.

Analytics

Service usage metrics: Yes
Metrics types: Kryptowire provides service metrics on the number of Android mobile applications tested, the number and types of security vulnerabilities detected, and mobile application risk scores.
Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: EU-US Privacy Shield agreement locations
User control over data storage and processing locations: No
Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency: At least every 6 months
Penetration testing approach: In-house
Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can't be directly accessed
Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach: Users can download Portable Document Format (PDF) reports, access their data through a REST API, or export data in JavaScript Object Notation (JSON) format. Users have direct access to the PDF and JSON reports through the analyst portal, and direct access to the API with a license key.
Data export formats:
  • CSV
  • Other
Other data export formats: JavaScript Object Notation (JSON)
Data import formats: Other
Other data import formats:
  • Android .apk file
  • iOS .ipa file

Data-in-transit protection

Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Kryptowire's cloud service provides 24/7 service with an annual availability rate of 99.00%. The availability rate does not include feature upgrades scheduled by the end user or force majeure events.
Approach to resilience: Kryptowire follows the guidelines outlined by the National Institute of Standards and Technology (NIST) Special Publication 500-299, Cloud Computing Security Reference Architecture, and the Contingency Planning Guide for Federal Information Systems (SP 800-34 Revision 1).
Outage reporting: Licensed users receive email alerts in the event of a service outage and advance notice of any scheduled maintenance that may result in a service outage.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels: Kryptowire's accounts do not have administrative access or privileges for management interfaces or support channels.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information: Users contact the support team to get audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: Users contact the support team to get audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: No
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: U.S. Department of Homeland Security's Cyber Security Assessment and Evaluation

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: No
Security governance approach: Kryptowire follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1 for security governance.
Information security policies and processes: Kryptowire follows the information security policies and processes outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations.

Operational security

Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach: Kryptowire follows the National Institute of Standards and Technology (NIST) Guide for Security-Focused Configuration Management of Information Systems (SP 800-128), see https://csrc.nist.gov/publications/detail/sp/800-128/final
Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach: Kryptowire follows the National Institute of Standards and Technology (NIST) Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, see https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Kryptowire follows the guidance outlined in the National Institute of Standards and Technology (NIST) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137), see https://csrc.nist.gov/publications/detail/sp/800-137/final, and NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, see https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Incident management type: Conforms to a recognised standard, for example CSA CCM v3.0, ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach: Kryptowire complies with the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP 800-61 Revision 2). Kryptowire follows these guidelines to establish internal incident response processes for detecting, analysing, prioritising, and handling incidents, including coordination and information sharing. Kryptowire also follows the NIST Guide to Integrating Forensic Techniques into Incident Response (SP 800-86).

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Pricing

Price: £50000 per unit
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Access to a demo portal, sample reports, and the ability to test 1 sample Android and 1 sample iOS mobile app. The demo account is available for a 30-day trial evaluation period.

Service documents

  • Pricing document (PDF)
  • Terms and conditions (PDF)