Automated Mobile Application Security Testing
Kryptowire analyses Android and iOS mobile applications for compliance with internationally recognised security and privacy standards such as the National Information Assurance Partnership (NIAP) Protection Profile for Application Software and the General Data Protection Regulation (GDPR).
Features
- Automated analysis of Android and iOS mobile apps
- Automated analysis does not require source code
- Privacy and GDPR Compliance Testing
- Integration with Mobile Device Management (MDM) technologies
- Provides pass/fail evidence down to the line of code
- National Information Assurance Partnership (NIAP) compliance testing
- Automated testing of 3rd-party libraries
- Data accessible via REST API
- Custom Risk Scoring to match enterprise security and privacy policies
- Cloud-based solution does not access any end-user data
Benefits
- Fully automated mobile app analysis
- No lab or network setup required
- Standards-based compliance testing
- Integration with software development cycle through REST API
- Reduces time and cost of security analysis
- Automated tools make technology accessible by non-experts
- Web-based solution requires no on-site software or hardware installation
- Automatic updates to cloud service, no maintenance required
- Remediate non-compliant mobile applications
- Compliance with industry standards and regulations
Pricing
£50,000 a unit
- Education pricing available
- Free trial available
Service documents
Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format,
email the supplier at gcloud@kryptowire.com.
Tell them what format you need. It will help if you say what assistive technology you use.
Framework
G-Cloud 11
Service ID
934115200736104
Contact
Kryptowire
Chris Gogoel
Telephone: +1-571-282-6724
Email: gcloud@kryptowire.com
Service scope
- Software add-on or extension
- Yes, but can also be used as a standalone service
- What software services is the service an extension to
- Kryptowire mobile app security testing can be an add-on to Mobile Device Management technologies such as VMware AirWatch, MobileIron, BlackBerry, Citrix, and Microsoft Intune. Kryptowire can be integrated with other third-party technologies through the Kryptowire REST API.
- Cloud deployment model
-
- Private cloud
- Hybrid cloud
- Service constraints
- Telephone support is available from 1:00 PM through 6:00 PM (GMT+1).
- System requirements
- Latest version of the Chrome, Firefox, Safari, or Internet Explorer web browser.
User support
- Email or online ticketing support
- Email or online ticketing
- Support response times
- Kryptowire responds within 1 business day to all email requests.
- User can manage status and priority of support tickets
- Yes
- Online ticketing support accessibility
- WCAG 2.1 AA or EN 301 549
- Phone support
- Yes
- Phone support availability
- 9 to 5 (UK time), Monday to Friday
- Web chat support
- No
- Onsite support
- Yes, at extra cost
- Support levels
- Kryptowire provides 3 support levels. Level 1 support includes all maintenance, software updates, telephone, and email support. Level 2 support includes professional services to help software developers remediate any security problems discovered in in-house developed applications during the automated analysis. Level 3 support includes professional services to help remediate any security problems discovered during the automated security analysis of third-party mobile apps. Level 1 and Level 2 professional services are billed at £200/hour. Kryptowire provides both an account manager and a technical cloud support engineer.
- Support available to third parties
- Yes
Onboarding and offboarding
- Getting started
- The Kryptowire service automatically tests mobile application binaries without requiring access to source code and without the user having to set up a lab test environment. The user can upload a mobile app binary to the cloud service or select an app from an official app store for analysis. Kryptowire provides tutorials, documentation, online live training, email, and telephone support to help users with any questions.
- Service documentation
- Yes
- Documentation formats
-
- HTML
- End-of-contract data extraction
- The customers' mobile app security analysis reports can be downloaded in Portable Document Format (PDF) or JavaScript Object Notation (JSON) format. All reports and data are accessible via a REST API for the duration of the contract.
- End-of-contract process
- The customer has an option to renew the contract. If this option is not exercised, the customer can securely download all their data and store their data locally in accordance with their own security policies. Kryptowire notifies and obtains permission from the customer to permanently delete all customer data in accordance with the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-88 Revision 1 Guidelines for Media Sanitization. These close-out activities are performed at no additional cost.
Using the service
- Web browser interface
- Yes
- Supported browsers
-
- Internet Explorer 11
- Firefox
- Chrome
- Safari 9+
- Opera
- Application to install
- No
- Designed for use on mobile devices
- No
- Service interface
- No
- API
- Yes
- What users can and can't do using the API
- Authorised users can access Kryptowire's automated mobile app security testing results through a REST API. The Kryptowire REST API allows for integration into the user's workflow, custom reporting, and analytics support.
- API documentation
- Yes
- API documentation formats
-
- HTML
- API sandbox or test environment
- Yes
- Customisation available
- Yes
- Description of customisation
- Customers can access all the Kryptowire mobile application test results through a REST API to customise their internal workflow, integrate with 3rd-party technologies, and customise reports. The user can perform the customisation or request Kryptowire professional services to perform the customisation.
Scaling
- Independence of resources
- The offering is a cloud-based Software-as-a-Service that dynamically scales on demand. The hardware, software, and networking infrastructure scales to ensure consistent quality of service for all customers.
Analytics
- Service usage metrics
- Yes
- Metrics types
- Kryptowire provides service metrics on the number of mobile Android applications tested, the number and types of security vulnerabilities detected, and mobile application risk scores.
- Reporting types
-
- API access
- Real-time dashboards
- Regular reports
Resellers
- Supplier type
- Not a reseller
Staff security
- Staff security clearance
- Other security clearance
- Government security clearance
- Up to Security Clearance (SC)
Asset protection
- Knowledge of data storage and processing locations
- Yes
- Data storage and processing locations
- EU-US Privacy Shield agreement locations
- User control over data storage and processing locations
- No
- Datacentre security standards
- Complies with a recognised standard (for example CSA CCM version 3.0)
- Penetration testing frequency
- At least every 6 months
- Penetration testing approach
- In-house
- Protecting data at rest
-
- Physical access control, complying with another standard
- Encryption of all physical media
- Data sanitisation process
- Yes
- Data sanitisation type
-
- Explicit overwriting of storage before reallocation
- Deleted data can’t be directly accessed
- Equipment disposal approach
- Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001
Data importing and exporting
- Data export approach
- Users can download Portable Document Format (PDF) reports, access their data through a REST API, or export data in a JavaScript Object Notation (JSON) format. Users have direct access to the PDF and JSON reports through the analyst portal, and direct access to the API with a license key.
- Data export formats
-
- CSV
- Other
- Other data export formats
- JavaScript Object Notation (JSON)
- Data import formats
- Other
- Other data import formats
-
- Android .apk file
- iOS .ipa file
Data-in-transit protection
- Data protection between buyer and supplier networks
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
- Data protection within supplier network
-
- TLS (version 1.2 or above)
- IPsec or TLS VPN gateway
Availability and resilience
- Guaranteed availability
- Kryptowire's cloud service provides 24/7 service with an annual availability rate of 99.00%. The availability rate does not include feature upgrades scheduled by the end user or force majeure events.
- Approach to resilience
- Kryptowire follows the guidelines outlined in the National Institute of Standards and Technology (NIST) Special Publication 500-299 Cloud Computing Security Reference Architecture and NIST SP 800-34 Revision 1 Contingency Planning Guide for Federal Information Systems.
- Outage reporting
- Licensed users receive email alerts in the event of a service outage and advanced notice of any scheduled maintenance that may result in a service outage.
Identity and authentication
- User authentication needed
- Yes
- User authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
- Access restrictions in management interfaces and support channels
- Kryptowire's accounts do not have administrative access or privileges for management interfaces or support channels.
- Access restriction testing frequency
- At least every 6 months
- Management access authentication
-
- 2-factor authentication
- Dedicated link (for example VPN)
- Username or password
Audit information for users
- Access to user activity audit information
- Users contact the support team to get audit information
- How long user audit data is stored for
- User-defined
- Access to supplier activity audit information
- Users contact the support team to get audit information
- How long supplier audit data is stored for
- At least 12 months
- How long system logs are stored for
- At least 12 months
Standards and certifications
- ISO/IEC 27001 certification
- No
- ISO 28000:2007 certification
- No
- CSA STAR certification
- No
- PCI certification
- No
- Other security certifications
- Yes
- Any other security certifications
- U.S. Department of Homeland Security’s Cyber Security Assessment and Evaluation
Security governance
- Named board-level person responsible for service security
- Yes
- Security governance certified
- No
- Security governance approach
- Kryptowire follows the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1 for security governance.
- Information security policies and processes
- Kryptowire follows the information security policies and processes outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations.
Operational security
- Configuration and change management standard
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Configuration and change management approach
- Kryptowire follows the National Institute of Standards and Technology (NIST) Guide for Security-Focused Configuration Management of Information Systems (SP 800-128): https://csrc.nist.gov/publications/detail/sp/800-128/final
- Vulnerability management type
- Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
- Vulnerability management approach
- Kryptowire follows the National Institute of Standards and Technology (NIST) Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies: https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final
- Protective monitoring type
- Supplier-defined controls
- Protective monitoring approach
- Kryptowire follows the guidance outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (https://csrc.nist.gov/publications/detail/sp/800-137/final), and NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf).
- Incident management type
- Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
- Incident management approach
- Kryptowire complies with the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP 800-61 Revision 2). Kryptowire follows these guidelines to establish internal incident response processes for detecting, analysing, prioritising, and handling incidents, including coordination and information sharing. Kryptowire also follows the NIST Guide to Integrating Forensic Techniques into Incident Response (SP 800-86).
Secure development
- Approach to secure software development best practice
- Conforms to a recognised standard, but self-assessed
Public sector networks
- Connection to public sector networks
- No
Pricing
- Price
- £50,000 a unit
- Discount for educational organisations
- Yes
- Free trial available
- Yes
- Description of free trial
- Access to demo portal, sample reports, and the ability to test 1 sample Android and 1 sample iOS mobile app. The demo account is available for a 30-day trial evaluation period.