G-Cloud 11 services are suspended on Digital Marketplace

If you have an ongoing procurement on G-Cloud 11, you must complete it by 18 December 2020. Existing contracts with Kryptowire are still valid.
Kryptowire

Automated Mobile Application Security Testing

Kryptowire analyzes Android and iOS mobile applications for compliance with internationally-recognized security and privacy standards such as the National Information Assurance Partnership (NIAP) Protection Profile for Application Software and the General Data Protection Regulation ( GDPR).

Features

  • Automated analysis of Android and iOS mobile apps
  • Automated analysis does not require source code
  • Privacy and GDPR Compliance Testing
  • Integration with Mobile Device Management (MDM) technologies
  • Provides pass/fail evidence down to the line of code
  • National Information Assurance Partnership (NIAP) compliance testing
  • Automated testing of 3rd-party libraries
  • Data accessible via REST API
  • Custom Risk Scoring to match enterprise security and privacy policies
  • Cloud-based solution does not access any end-user data

Benefits

  • Fully automated mobile app analysis
  • No lab or network setup required
  • Standards-based compliance testing
  • Integration with software development cycle through REST API
  • Reduces time and cost of security analysis
  • Automated tools make technology accessible by non-experts
  • Web-based solution requires no on-site software or hardware installation
  • Automatic updates to cloud service, no maintenance required
  • Remediate non-compliant mobile applications
  • Compliance with industry standards and regulations

Pricing

£50,000 a unit

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@kryptowire.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 11

Service ID

9 3 4 1 1 5 2 0 0 7 3 6 1 0 4

Contact

Kryptowire Chris Gogoel
Telephone: +1-571-282-6724
Email: gcloud@kryptowire.com

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Kryptowire mobile app security testing can be an add-on to Mobile Device Management technologies, such as VMWare Airwatch, Mobile Iron, Blackberry, Citrix, and Microsoft Intune. Kryptowire can be integrated with other 3rd party technologies through the Kryptowire REST API.
Cloud deployment model
  • Private cloud
  • Hybrid cloud
Service constraints
Telephone support is available from 1:00 PM through 6:00 PM (GMT+1).
System requirements
Latest version of Chrome, Firefox, Safari,or Internet Explorer web browser.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Kryptowire responds within 1 business day to all email requests.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Kryptowire provides 3 support levels. Level 1 support includes all maintenance, software updates, telephone, and email support. Level 2 support includes professional services to help software developers remediate any security problems discovered in in-house developed applications during the automated analysis. Level 3 support includes professional services to help remediate any security problems discovered during the automated security analysis of 3rd party mobile apps. Level 1 and Level 2 professional services are billed at £200/hour. Kryptowire provides both an account manager and a technical cloud support engineer.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
The Kryptowire automatically tests mobile application binaries without requiring access to source code and without the user being required to set up any lab test environment. The user can upload a mobile app binary to the cloud service or select an app from an official app store for analysis. Kryptowire provides tutorials, documentation, online live training, email, and telephone support to help users with any questions.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
The customers' mobile app security analysis reports can be downloaded in a Portable Document Format (PDF) or a JavaScript Object Notation (JSON) format. All the reports and data are accessible via a REST API throughout the duration of the contract.
End-of-contract process
The customer has an option to renew the contract. If this option is not exercised, the customer can securely download all their data and store their data locally in accordance with their own security policies. Kryptowire notifies and obtains permission from the customer to permanently delete all customer data in accordance with the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1 Guidelines for Media Sanitization. These close-out activities are performed at no additional cost.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
No
Service interface
No
API
Yes
What users can and can't do using the API
Authorised users can access Kryptowire's automated mobile app security testing results through a REST API. The Kryptowire REST API allows for integration into the user's workflow, custom reporting, and analytics support.
API documentation
Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Customers can access all the Kryptowire mobile application test results through a REST API to customise their internal workflow, integrate with 3rd-party technologies, and customise reports. The user can perform the customisation or request Kryptowire professional services to perform the customisation.

Scaling

Independence of resources
The offering is a cloud-based Software-as-a-Service that dynamically scales on demand. The hardware, software, and networking infrastructure scales to ensure consistent quality of service for all customers.

Analytics

Service usage metrics
Yes
Metrics types
Kryptowire provides service metrics on the number of mobile Android applications tested, the number and types of security vulnerabilities detected, and mobile application risk scores.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
EU-US Privacy Shield agreement locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
In-house
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can download Portable Document Format (PDF) reports, access their data through a REST API, or export data in a JavaScript Object Notation (JSON) format. Users have direct access to the PDF and JSON reports through the analyst portal, and direct access to the API with a license key.
Data export formats
  • CSV
  • Other
Other data export formats
JavaScript Object Notation (JSON)
Data import formats
Other
Other data import formats
  • Android .apk file
  • IOS .ipa file

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Kryptowire's cloud service provides 24/7 service with an annual availability rate of 99.00%. The availability rate does not include feature upgrades scheduled by the end user or force majeure events.
Approach to resilience
Kryptowire follows the guidelines outlined by the National Institute of Standards and Technology Special Publication (NIST) SP 500-299 Cloud Computing Security Reference Architecture and Contingency Planning Guide for Federal Information Systems (SP 800-34 Revision 1).
Outage reporting
Licensed users receive email alerts in the event of a service outage and advanced notice of any scheduled maintenance that may result in a service outage.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Kryptowire's accounts do not have administrative access or privileges for management interfaces or support channels.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
U.S. Department of Homeland Security’s Cyber Security Assessment and Evaluation

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
No
Security governance approach
Kryptowire follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1 for security governance.
Information security policies and processes
Kryptowire follows information security policies and processes outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5 Security and Privacy Controls for. Federal Information Systems and Organizations.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Kryptowire follows the National Institute of Standards and Technology (NIST) Guide for Security-Focused Configuration Management of Information Systems (SP 800-128) see URL: https://csrc.nist.gov/publications/detail/sp/800-128/final
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Kryptowire follows the National Institute of Standards and Technology Special Publication SP 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies see URL: https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Kryptowire follows the guidance outlined in the National Institute of Standards and Technology (NIST) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations See URL: https://csrc.nist.gov/publications/detail/sp/800-137/final and NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment URL: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Kryptowire complies with the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP 800-61 Revision 2). Kryptowire follows these guidelines to establish internal incident response processes detecting, analyzing, prioritising, and handling incidents, including coordination and information sharing. Kryptowire also follows the NIST Guide to Integrating Forensic Techniques into Incident Response (SP 800-86)

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£50,000 a unit
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Access to demo portal, sample reports, and the ability to test 1 sample Android and 1 sample iOS mobile app. The demo account is available for a 30-day trial evaluation period.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@kryptowire.com. Tell them what format you need. It will help if you say what assistive technology you use.