RiskFinder is a web service for diagnosing vulnerabilities in Android mobile apps.
No knowledge of development is required.
The diagnosis results are obtained instantly using only the application file and a browser.
This is a valuable service for assisting in the prevention of security incidents.
The rapid spread of Android mobile devices has led to the release of a large number of Android applications. However, this sudden growth in the Android market has caused a shortage of technicians who are proficient in the Android platform. In many cases, technicians with insufficient experience are involved in development, mobile applications are developed in a shorter timeframe than conventional applications, and upgrades are released on a short cycle, so development tends to focus on continually moving ahead. As a result, many apps have been released with security holes (vulnerabilities) or with components that make them easy to mistake for malware. Releasing applications with these problems can harm the corporate image and cause trouble, and in the worst case can even lead to security incidents.
Despite these types of problems, there are still few experienced developers, and so orders must sometimes be placed with developers having insufficient technical ability. However, an in-depth knowledge of security is required to find security holes and quality issues during the acceptance test conducted by customers, and as a result, it is typically extremely difficult for customers to find all possible issues.
At Taosoftware, we have built a vast technological knowledge base while conducting R&D since the Android OS was launched. At the same time, we have been committed to expanding awareness of security issues among developers by providing information through our blog, lectures, and other communication platforms.
In January 2012, Impress Japan published our book for programmers, Android Security: Developing Secure Applications (in Japanese).
In the course of delivering lectures and holding consultations about security, we often heard that it was difficult for everyone from developers to outsourcers to be fully aware of the technical information about security, and that tracking the security items constantly added and modified by Android updates was an arduous task. We were often asked whether a system was available that enabled easy diagnosis of application security.
In response to these requests, we developed RiskFinder based on the concept of enabling easy accessibility by automating valuable security checks.
RiskFinder enables easy diagnosis of vulnerabilities so that applications can maintain stable quality.
A report is created by simply uploading the APK file using a browser.
Diagnosis of vulnerabilities using source code requires a compiler and other development environments and tools, and users must have some knowledge of development. With RiskFinder, there is no need to obtain any tools beforehand, and anyone can immediately run a diagnosis for vulnerabilities.
With RiskFinder, diagnosis can be performed even when you cannot obtain the source code or the source code for the specific application version is unknown. Diagnosis is also conducted simultaneously for the libraries (such as advertising modules) that the application is using.
The Android OS is updated frequently. RiskFinder is also constantly updated to keep pace with the latest information for Android. Because RiskFinder is a web service, the latest version is always available to the customer. (For inquiries about installing this service on company networks, please contact us.)
We often see cases where incorrect code found on the Internet was simply copied and used. Because developers do not have enough knowledge of the Android platform, they often request unnecessary permissions or include unnecessary functions, so that the application is mistaken for malware. RiskFinder also conducts these types of quality checks on the application.
Information is provided for creating an application compliant with the MIC's "Smartphone Privacy Initiative" so that users can use it with peace of mind. This supports developers in creating applications that take the protection of user privacy into account.
Taosoftware Co., Ltd. is an established Android application development company in Japan that has been conducting R&D on Android since its initial launch by Google. Our operations are currently devoted exclusively to Android, and we conduct both contracted development and R&D by tapping into our extensive tried-and-tested knowledge base. We constantly keep up to date on the latest Android information, and we also incorporate the latest OS information in RiskFinder.
When application development is subcontracted outside the company, the customer placing the order is responsible for testing the delivered application. When the customer placing the order does not have development expertise, the customer can test application operations from the user standpoint but cannot easily test for vulnerabilities, user privacy protection, and other issues. This type of testing requires an in-depth knowledge of the Android platform. The diagnostic report provided by RiskFinder enables precise communication between the customer and the developing company about vulnerabilities and privacy protection, allowing release of an application that users can use with peace of mind.
In many cases, requirements for security and user privacy protection are not clearly defined in the requirements specification. In these situations, whether security and privacy protection are implemented depends on the knowledge and experience of the people involved in development. RiskFinder can be used to diagnose vulnerabilities during development or before delivery, enabling the creation of applications with stable quality regardless of the level of the developers. The RiskFinder report can also be included in the delivery package as a testing record for vulnerabilities and privacy protection.
If an application is used within the company under mobile device management (MDM), verification that the selected application is not malware is required. Testing with antivirus software detects applications that are clearly malware, but it does not detect applications that fall into the gray zone (software that uses the private information of users where it is unclear whether that use is legitimate), nor does it warn that an application is in the gray zone. RiskFinder can be used to diagnose applications to detect gray-zone applications and provide helpful information for deciding whether an application should be used.
Published content on application websites and in books can be tremendously influential to users. When an application is introduced on a website or in a publication, it is assumed to be safe and is adopted by many users. However, there have been cases where websites and publications have inadvertently introduced malware. Recently, attention has focused on the problem of gray-zone applications, and even the Ministry of Internal Affairs and Communications (MIC) has expressed concern about the use of smartphone user information. For people who operate these websites or edit publications, it is essential to verify that the posted applications are safe and secure. RiskFinder can be used to diagnose applications to find out what type of application each one is and to prevent the inadvertent introduction of malware and gray-zone applications.
Static analysis is conducted on the application, and the results are output in report form. The detection results are displayed in a list on the summary page.
The information is categorized by detection type into Manifest Risk, Permission, File Access, String Resources, Logs, Network, Module, Cryptography, Secure Logic, Privacy Policy, and more, for displaying detailed results.
The risk level of the detection results is classified as ERROR, WARNING, CONFIRM, or INFO.
Detection result messages are provided in three blocks: detection details, detection reason, and remedy. The report includes the specific remedy procedure, providing an easy-to-understand way of resolving the problem.
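To make the report structure concrete, here is an added example of a small manifest checker in the same shape: each finding carries a category (Manifest Risk, Permission, Network), a level (ERROR, WARNING, CONFIRM, INFO) and the three message blocks (detail, reason, remedy). This is illustration code written for this page, not RiskFinder's own engine or rule set; the rules, the sensitive-permission list and the sample AndroidManifest.xml are constructed for the example, and the checker assumes an extracted (plain-text) manifest rather than the binary XML inside an APK.

```python
"""Toy Android manifest checker (added example, not RiskFinder code).

Parses a plain-text AndroidManifest.xml and emits findings in the
category / level / detail / reason / remedy shape described above.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Assumed subset of permissions that expose user data (gray-zone candidates).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
}


@dataclass
class Finding:
    category: str   # Manifest Risk, Permission, Network, ...
    level: str      # ERROR, WARNING, CONFIRM or INFO
    detail: str     # detection details
    reason: str     # detection reason
    remedy: str     # remedy


def _attr(elem, name, default=None):
    return elem.get(ANDROID + name, default)


def analyze_manifest(xml_text: str) -> list[Finding]:
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None:
        if _attr(app, "debuggable") == "true":
            findings.append(Finding("Manifest Risk", "ERROR",
                'android:debuggable="true" on <application>',
                "Anyone with adb access can attach a debugger and read the app's memory and private files.",
                "Remove android:debuggable (or set it to false) in release builds."))
        # allowBackup defaults to true; treat an enabled backup as a warning.
        if _attr(app, "allowBackup", "true") == "true":
            findings.append(Finding("Manifest Risk", "WARNING",
                "android:allowBackup is enabled",
                "Private app data can be extracted with adb backup on a user's device.",
                'Set android:allowBackup="false" unless backup is a product requirement.'))
        if _attr(app, "usesCleartextTraffic") == "true":
            findings.append(Finding("Network", "WARNING",
                'android:usesCleartextTraffic="true"',
                "Plain HTTP traffic can be read or modified on the network path.",
                "Use HTTPS and remove the attribute or set it to false."))
        for comp in app:
            if comp.tag not in COMPONENTS:
                continue
            name = _attr(comp, "name", "?")
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            # Before targetSdk 31, a component with an intent-filter is exported
            # by default (provider default for targetSdk < 17 is ignored here).
            is_exported = exported == "true" or (exported is None and has_filter)
            is_launcher = any(_attr(c, "name") == LAUNCHER for c in comp.iter("category"))
            if is_exported and not is_launcher and _attr(comp, "permission") is None:
                findings.append(Finding("Manifest Risk", "WARNING",
                    f"<{comp.tag}> {name} is exported without android:permission",
                    "Any app on the device can invoke this component and pass it data.",
                    'Set android:exported="false" or guard it with android:permission.'))
    for perm in root.findall("uses-permission"):
        pname = _attr(perm, "name", "")
        if pname in SENSITIVE_PERMISSIONS:
            findings.append(Finding("Permission", "CONFIRM",
                f"Requests {pname}",
                "Grants access to user data; legitimacy depends on the app's purpose.",
                "Confirm the feature that needs it and describe it in the privacy policy, or drop the permission."))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per risk level, as on a summary page."""
    return dict(Counter(f.level for f in findings))


def format_report(findings: list[Finding]) -> str:
    lines = []
    for f in findings:
        lines.append(f"[{f.level}] {f.category}: {f.detail}")
        lines.append(f"  Reason: {f.reason}")
        lines.append(f"  Remedy: {f.remedy}")
    return "\n".join(lines)


# Constructed sample manifest for the example (not a real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.demo.UPLOAD"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    results = analyze_manifest(SAMPLE_MANIFEST)
    print(format_report(results))
    print(summarize(results))
```

On the sample manifest the checker reports one ERROR (debuggable), three WARNINGs (backup, cleartext traffic, the unprotected exported receiver) and one CONFIRM (READ_CONTACTS); the launcher activity and the permission-guarded service are deliberately not flagged, which is the kind of distinction a real rule set has to make to keep the report readable.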
Detailed explanations of the detection results are included in the Analysis Results Manual.
In addition to application vulnerabilities, a check is also conducted for items that can be easily mistaken for malware and for bugs and other deficiencies that harm quality. Testing is available for more than 500 diagnostic items. Some of the diagnostic items are shown below.
RiskFinder can be installed under a server license, on Amazon Web Services, or on an in-house server.
Actual prices vary depending on the customer's specific usage, including the number of users, the number of analyzed applications (including unlimited), the license period, and the supported items, so please inquire for details.
For details, please see the RiskFinder site.