Public sector security solutions

Proactively remediating mobile zero-day exploits protects citizens and national security

Trust Contextual Mobile Security Intelligence from the first and longest-standing mobile app security for the US Federal Government

Trusted by the US Federal Government since 2011

Quokka powers the CISA MAV shared services for mobile app vetting.

  • Department of Homeland Security
  • US Defense Information Systems Agency
  • CISA


The Quokka Advantage

Mobile security benefits that make you smile

Peace of mind

Know your app security intelligence solution delivers the industry’s most comprehensive insights, even for the latest OS versions, in minutes

Informed decisions

Make risk-based decisions during software development or deployment of 3rd party apps based on real-world mobile app intelligence

National security

Scan all mobile apps to remediate malicious code in order to prevent supply chain attacks and breaches that undermine national security

Quokka technology powers CVE discovery

Quokka solutions help agencies meet mobile cybersecurity requirements

BOD 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks 

  • Requirements – all Federal civilian (FCEB) agencies must report detailed data about vulnerabilities, including on mobile devices, to CISA at timed intervals using automated tools

  • Quokka solution – in preparation for the BOD, CISA prepared the CISA MAV shared services (powered by Quokka) to automate the vulnerability identification in mobile assets to meet the mobile-specific requirements.

Secure by Design

  • Requirements – products should provide reasonable protection against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure, and software manufacturers should perform a risk assessment to identify and enumerate prevalent cyber threats to critical systems

  • Quokka solution – Q-mast automated mobile app security testing supports manufacturers' and developers' efforts to adopt not only secure-by-design principles but also secure-by-default standards.

“Of the 33 mobile apps evaluated by Quokka (formerly Kryptowire), 32 had security or privacy concerns (access to camera, contacts, or SMS messages); 18 of the apps contained critical flaws (hardcoded credentials stored in the app, app accepts all SSL certificates, and is susceptible to man-in-the-middle attacks).”

Department of Homeland Security Science and Technology Directorate

Quokka discovers and delivers unsurpassed mobile security intelligence

Automate mobile app vetting (MAV)

Automate app scanning (MAST)

App intelligence for MDM

DHS Automated Vetting Process for Mobile Apps Could Cut Costs

The Science & Technology Directorate sees improvements for quickly approving mobile apps for government use

Meet mobile app security standards

  • OWASP
  • NIAP
  • NIST
  • CVE
  • SARIF

BYOD Guidelines – Quokka (then Kryptowire) participated in creating the NIST Special Publication 1800-22 and its insights and technologies were part of the example solutions used in the guide under the Cooperative Research and Development Agreement

COPE Guidelines – Quokka (then Kryptowire) participated in creating the NIST Special Publication 1800-22 and its insights and technologies were part of the example solutions used in the guide under the Cooperative Research and Development Agreement

Vetting the Security of Mobile Applications – Quokka developed an automated mobile app vetting solution

Quokka (then Kryptowire) contributed automated analysis using proprietary mobile app vetting infrastructure

Protection Profile for App Vetting – Quokka has worked with federal agencies to meet both the functional and assurance requirements outlined in this profile

“The Quokka platform is the only platform validated to support NIAP mobile application security standards on the market and power[s] the industry’s first FedRAMP-certified CISA Mobile App Vetting program available to the Federal Civilian Executive Branch Agencies.”

Josh Slattery, VP of Technology Sales, Vertosoft

Federal Partners

  • Booz Allen Hamilton
  • Carahsoft
  • Guidepoint Security
  • Vertosoft

Quokka Government Procurement Contracts

CDM

GSA

ITES-SW2

NASA SEWP V

Learn more about becoming a Quokka Federal Partner.

Achieving mobile zero trust requires visibility into mobile assets and insights on threats – as they emerge

Rely on the industry’s only proprietary, defense-grade app scanning engines that uncover more security, privacy, and malicious behavior findings than any other app testing tool

Quokka Core

External code fetches, website visits, network traffic

Hard-coded keys, weak hashes, insecure web-views, permission usage analysis

Capabilities of other app testing tools


RASP & TLS friendly dynamic analysis

Covers crypto best practices, dynamic code, inter-component and inter-app communication, tapjacking, PII leaks, input validation, tracking, webview weaknesses, and many more.

Quokka Advanced

Code/Data Sharing Detection (App Collusion)

In-app purchase vulnerability, unprotected permission exploit

Exploitable inter-app communication vulnerabilities:

  • Message to app to crash or brick the device
  • Message to app to leak recording of device screen

Advanced SBOM:

  • Transitively identifies common libraries used by an app, their version, and their public CVEs
  • Novel ways to handle obfuscations and code shrinkage

Quokka NextGen

Malicious code that runs only after app runs for a long time

Remote Command & Control to give access to app, device or files

Read sensitive PII data like device location and send it over the network

Static App Analysis Comparison (chart: Quokka vs. Competitive Average; scale 1 = Not Competitive to 4 = Industry Leading)

  • Flow-Based Vulnerability Scanning
  • Software Bill Of Materials Analysis
  • Code/Data Sharing Detection
  • Misconfiguration Detection
  • iOS Pattern-Based Weaknesses Scanning
  • Android Pattern-Based Weaknesses
  • App Permission Usage Analysis

Dynamic App Analysis Comparison (chart: Quokka vs. Competitive Average; scale 1 = Not Competitive to 4 = Industry Leading)

  • Forced-Path Execution Analysis (dynamic analysis and behavioral profiling without input)
  • Zero-day Denial-of-Service Scanning
  • Dynamic Analysis and Behavioral Profiling (runtime with known input)
