search cancel

App Report Basics

book

Article ID: 173313

calendar_today

Updated On:

Products

Endpoint Protection Mobile

Issue/Introduction

This article explains the basic features of the Appthority MTP App Report.

Resolution

How to Get an App Report

All Appthority users can get an app report in HTML, PDF, or JSON format from either:

  • The Search button on the upper right of MTP Manager. This provides access to all reports in the Appthority system. 
  • The Apps tab. This provides access to all the apps in your Org.
    AppsTab_SelectApp.png

An API user can use the Appthority API to get a report in JSON format. See https://apidoc.appthority.com.

The Top of the Report

The report is divided into sections. At the top, at a glance you can see the overall risk that the app represents to your enterprise. The Risk Score is based on the highest-risk Threat Indicator discovered during app analysis. Subsequent sections, listed by links at the top, give you more information. 

Report_top.png

Tips for Exporting

You may want to share a report with your colleagues and need a way to export it from MTP Manager. You can export the report to either HTML, PDF or JSON formats.

  • You can use the browser to save the HTML page as HTML or PDF. 
  • The PDF report from the button may be truncated due to size limitations if the report is very large, especially if evidence data is included in the report.
  • Though you can export a JSON version from this page, Appthority recommends that you use the API for JSON. See https://apidoc.appthority.com.

GENERAL INFO

The General Information section shows basic information about the app, such as its package name and developer. The Market Category is from the App or Play Store.

Report_General_Android.png

THREATS

The top of the THREATS section lists the Appthority Threat Indicators that describe behaviors of the app. Threat Indicators in Appthority may be activated by the Org Admin, or left as inactive. (Usually there are Appthority Policies associated with the Threat Indicators that are active.)

Report_Threats_top.png

Whether a Threat Indicator is active or inactive, the app analysis process tells you about the app's behaviors and associated risks. An Org Admin, for example, may want to activate an inactive Threat Indicator based on its discovery in the app analysis.

Tips about Risk

Risks are ranked from 0 to 10, and are color-coded. 

  • Risk levels 8, 9, and 10 are considered malicious and usually these apps must not be allowed on your enterprise devices.
  • Levels 4-7 are of medium risk and may be of concern to your enterprise security goals.
  • Levels 1-3 are of low risk, but given a certain context they may be of concern.
  • Level 0 risk is for informational purposes, and may even indicate a positive behavior. By default they are inactive. 

For more discussion about Threat Indicator Risk levels see Risk Scoring in the Help.

The Details: Active Threats and Inactive Threats sections provides more information about the behaviors that were detected, ranked in order of risk. Report_Threats_Details_Active.pngReport_Threats_Details_Inactive.png

Evidence Data

Evidence data provides a more detailed look into the app code to show how the analysis process discovered the behavior of a Threat Indicator.

EvData_DoesNotReqHTTPS.png

Evidence data may not be needed for every use case, and it can be a large amount of data, so by default it is not available for reports. If you would like access to evidence data, please contact your CSM.

ACCESS

The Access sections show what hostnames, IP addresses, and URLs that the app includes in its code. Many times these are related to advertisements. In addition there may be email addresses in the code. 

Report_Access_Hostnames.png

Report_Access_IP.pngReport_Access_URLs.png

Report_Access_Emails.png

CONNECTIONS

The CONNECTIONS section shows what the app actually contacts as it is running on the device. It shows the IP addresses of the source of the connection and its destination, and how many bytes of data were sent and received. It shows whether an SSL connection was used during the connection.

Report_Connections_top.png

Web connections show the URL that was accessed. Appthority compares this to an industry standard list of websites that are ranked according to a reputation score. The higher scores, on a scale of 1-100, mean that a site is considered to be more trusted. If known, the category of the site tells you its main purpose, such as Web Advertisements.

Report_Connections_body.png

MAP

The map shows the network traffic destinations geolocated from the list of connections. 

Report_map.png

Attachments