Marketplace Discovery
In cybersecurity, "Marketplace Discovery" refers to the process of systematically searching and identifying mobile applications within various online app stores or marketplaces. This process is crucial for security because it enables the detection of apps that may be relevant to an organization or pose a risk to its users or assets.
Here's a more detailed breakdown:
Systematic Search: Marketplace discovery involves automated or semi-automated techniques to scan app stores. This is not a casual search but a structured and comprehensive exploration of the available apps.
Identification of Mobile Applications: The primary goal is pinpointing specific mobile applications. This can be based on various criteria, including:
Organization Name
Developer Name
App Category
Keywords
Various Online App Stores: Marketplace discovery covers a range of platforms where mobile apps are distributed. This includes:
Official App Stores: The Apple App Store and Google Play Store.
Unofficial App Stores: Alternative or third-party app stores that may host apps not found in the official stores, including repackaged or modified builds of an organization's official apps.
Security Purpose: The information gathered through marketplace discovery is used for several security-related reasons:
Identifying potentially rogue or unauthorized apps associated with an organization.
Analyzing apps for vulnerabilities or malicious code.
Monitoring for changes or updates to apps that could introduce new security risks.
Assessing the overall security posture of an organization's mobile app ecosystem.
Here’s how ThreatNG addresses "Marketplace Discovery" in detail. Let's explore its capabilities:
1. Discovery
ThreatNG uses external unauthenticated discovery to find mobile apps in marketplaces without needing any connectors.
This capability allows ThreatNG to identify mobile apps associated with an organization, whether they are published in official or unofficial app stores.
ThreatNG discovers mobile apps in various marketplaces, including Amazon Appstore, APKCombo, APKPure, AppBrain, appdb, Apple App Store, Aptoide, AppCake, Google Play, LG Content Store, TutuApp, and uptodown.
2. Assessment
ThreatNG assesses the discovered mobile apps for various security risks:
Mobile App Exposure: ThreatNG specifically evaluates how exposed an organization's mobile apps are by discovering their contents. Anything compiled or packaged into a published app can be recovered by anyone who downloads it, so secrets embedded in an app should be treated as public.
ThreatNG's assessment involves looking for various credentials and identifiers within the mobile apps:
Access Credentials: ThreatNG checks for the presence of sensitive access credentials, such as API keys, authentication tokens, and passwords.
For example, ThreatNG can detect if a mobile app contains an exposed AWS access key (an access key ID together with its secret), which could allow an attacker to act against the organization's cloud resources with whatever permissions that key carries.
Security Credentials: The solution also searches for security credentials like private keys. Exposed private keys can lead to severe security breaches, as they can be used to decrypt sensitive communications or sign malicious code.
For instance, ThreatNG can identify an app with an embedded RSA private key, which, if compromised, could allow attackers to impersonate the application.
Platform-Specific Identifiers: ThreatNG identifies platform-specific identifiers that could be misused, such as admin directories, cloud storage buckets, and various flags or identifiers.
ThreatNG's ability to detect an exposed Amazon AWS S3 bucket name within a mobile app could indicate a potential data leak if the bucket is not correctly secured; the name itself is an identifier rather than a credential, so the risk depends on the bucket's policy and ACLs.
3. Reporting
ThreatNG provides various reporting formats, including executive, technical, and prioritized reports.
These reports can highlight the risks associated with discovered mobile apps, helping organizations understand the potential impact and prioritize remediation efforts.
For example, a report could detail all instances of exposed API keys found in discovered mobile apps, ranked by severity.
4. Continuous Monitoring
ThreatNG continuously monitors the external attack surface, digital risk, and security ratings.
This continuous monitoring is essential for detecting new mobile apps or changes in existing apps that could introduce new risks.
If a developer releases an updated version of an app with new vulnerabilities or exposed credentials, ThreatNG's continuous monitoring would detect these changes.
5. Investigation Modules
ThreatNG's investigation modules provide detailed intelligence that aids in understanding and addressing the risks associated with mobile apps:
Mobile Application Discovery: This module focuses explicitly on discovering mobile apps in marketplaces and analyzing their contents for sensitive information.
This module provides an in-depth analysis of the apps themselves, which is critical for identifying risks associated with mobile apps.
The Mobile Application Discovery module discovers mobile apps related to the organization under investigation within marketplaces (Amazon Appstore, APKCombo, APKPure, AppBrain, appdb, Apple App Store, Aptoide, AppCake, Google Play, LG Content Store, TutuApp, and uptodown). It analyzes the contents of the Mobile Apps.
It also identifies the presence of Access Credentials, Security Credentials, and Platform Specific Identifiers within the apps.
Examples of Access Credentials include Amazon AWS Access Key ID, APIs, Artifactory API Token, Artifactory Password, Authorization Bearer, AWS API Key, Basic Auth Credentials, Cloudinary Basic Auth, Discord BOT Token, Facebook Access Token, Facebook ClientID, Facebook OAuth, Facebook Secret Key, GitHub Access Token, Google API Key, Google Cloud Platform OAuth, Google OAuth Access Token, Heroku API Key, MailChimp API Key, Mailgun API Key, Password in URL, PayPal Braintree Access Token, Picatic API Key, Slack Token, Square Access Token, Square OAuth Secret, Stripe API Key, Stripe Restricted API Key, Twilio API Key, Twitter Access Token, Twitter ClientID, Twitter OAuth, Twitter Secret Key, User or Account.
Security Credentials include a PGP private key block, an RSA Private Key, an SSH DSA Private Key, and an SSH EC Private Key.
Platform-specific identifiers include Admin Directories, Amazon AWS S3 Bucket, DEFCON CTF Flag, External Sites, Firebase, GitHub, Google Cloud Platform Service Account, HackTheBox CTF Flag, Mac Address, Mailto, Slack Webhook, and TryHackMe CTF Flag.
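To make the content analysis above concrete, and to show the kind of change detection the continuous-monitoring section describes (a new build that introduces credentials an earlier build did not have), here is an added example. It is not ThreatNG's code and does not reflect how the product is implemented. An Android APK (like an iOS IPA) is a zip archive, so the script opens one in memory, pulls printable runs out of every member the way the `strings` tool would, runs a small set of detector regexes over them, and diffs the findings between two versions. The regexes, the two sample archives, the file names, and the key values (AWS's documented example key ID, placeholder Google and Slack values, a dummy PEM header) are all constructed for this example.

```python
"""Scan an APK/IPA (a zip archive) for embedded secrets and diff two builds.

Added example, not ThreatNG's code. Patterns and sample archives are
constructed for illustration; detector coverage is deliberately partial.
"""
import io
import re
import zipfile

# Detector patterns keyed by the finding category used on this page.
# Assumption: these formats are stable enough to anchor on; secret halves with
# no distinctive shape (e.g. an AWS secret access key) are not matched here.
PATTERNS = {
    "Access Credential: AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Access Credential: Google API Key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "Security Credential: Private Key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "Platform Identifier: AWS S3 Bucket": re.compile(
        r"\b[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b"),
    "Platform Identifier: Slack Webhook": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # same idea as the `strings` tool


def extract_strings(data: bytes):
    """Yield printable ASCII runs from any member: text files yield their lines,
    native libraries and dex files yield their embedded literals."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.group().decode("ascii")


def scan_apk(apk_bytes: bytes):
    """Return sorted (category, member, match) tuples for every hit in the archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            for text in extract_strings(zf.read(name)):
                for category, pattern in PATTERNS.items():
                    for m in pattern.finditer(text):
                        findings.add((category, name, m.group()))
    return sorted(findings)


def new_findings(previous, current):
    """Findings present in the current build but absent from the previous one:
    what a monitoring job would raise when an app update lands in a store."""
    return sorted(set(current) - set(previous))


def build_apk(members: dict) -> bytes:
    """Build an in-memory zip standing in for a downloaded APK (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: version 1 names an S3 bucket and a Slack webhook in resources.
STRINGS_XML = (
    '<resources>\n'
    '  <string name="cdn">https://acme-mobile-assets.s3.us-east-1.amazonaws.com/</string>\n'
    '  <string name="hook">https://hooks.slack.com/services/T00000000/B00000000/'
    'XXXXXXXXXXXXXXXXXXXXXXXX</string>\n'
    '</resources>\n'
)
V1 = build_apk({
    "res/values/strings.xml": STRINGS_XML,
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32 + b"Lcom/acme/app/MainActivity;\x00",
})
# Version 2: the same app after an update that bakes an AWS key ID into a native
# library, a Google API key into assets, and ships a private key alongside.
V2 = build_apk({
    "res/values/strings.xml": STRINGS_XML,
    "lib/arm64-v8a/libnative.so": b"\x7fELF" + b"\x00" * 16 + b"AKIAIOSFODNN7EXAMPLE\x00",
    "assets/config.json": b'{"maps_key": "AIzaSyA0123456789abcdefghijklmnopqrstuv"}',
    "assets/client.pem": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                          b"MIIEpAIBAAKCAQEAplaceholder\n"
                          b"-----END RSA PRIVATE KEY-----\n"),
})

if __name__ == "__main__":
    baseline = scan_apk(V1)
    for category, member, match in baseline:
        print(f"v1  {category:38} {member:28} {match}")
    for category, member, match in new_findings(baseline, scan_apk(V2)):
        print(f"NEW {category:38} {member:28} {match}")
```

Two points worth noting from the output. A finding's member path is as useful as the match: a key in `lib/*.so` means a native component is calling the service directly, while one in `assets/` usually means a configuration file was shipped unfiltered. And the diff is what keeps a recurring scan actionable, since the bucket name and webhook that were already known in version 1 are not re-raised; only the three secrets introduced by the update are.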
6. Intelligence Repositories
ThreatNG uses intelligence repositories, including data on compromised credentials, known vulnerabilities, and other relevant information.
These repositories enhance ThreatNG's ability to identify and assess the risks associated with mobile apps.
For example, the compromised credentials repository can help identify if credentials found in a mobile app have already been exposed in a data breach.
7. Working with Complementary Solutions
ThreatNG is designed to complement other security solutions by providing an external perspective.
While internal security tools focus on what's inside the network, ThreatNG focuses on what's visible from the outside. This is crucial for detecting risks associated with mobile apps that may bypass internal controls.
Examples of ThreatNG helping:
ThreatNG can identify a mobile app that employees use to access corporate resources, even if that app was downloaded from an unofficial store and missed by the company's mobile device management (MDM) solution.
ThreatNG can detect exposed credentials in a mobile app, alerting the security team to a potential breach even if the internal systems haven't yet detected unauthorized access.
Examples of ThreatNG working with complementary solutions:
ThreatNG can integrate with a Security Information and Event Management (SIEM) system to provide external threat intelligence related to mobile apps, enriching the SIEM's analysis and alerting capabilities.
ThreatNG's findings can be fed into a vulnerability management system to prioritize remediation efforts for mobile app-related vulnerabilities based on their external exposure and potential impact.