
App Collection and Analysis FAQs


Article ID: 173315


Products

Endpoint Protection Mobile

Issue/Introduction

App Collection and Analysis FAQs

Resolution

What app stores are supported by Appthority?

Appthority MTP supports app collection from the official U.S.-based Apple and Google app stores, covering iOS and Android apps. In addition, Appthority supports some international app stores provided by Apple and Google. Appthority is continuously adding new international app stores to support our customers. For a current list, see System Requirements in the Help.

What does each of the App Status icons mean?

The icons indicate whether analysis is completed, processing, or failed. See Manage Apps and About App Analysis Status in the Help.

Are there any app types that can’t be analyzed?

If an app is only available from an Apple or Google store outside of the U.S., Appthority may not be able to collect it. Appthority can collect apps in certain countries, based on customer demand, but if an app is only available in a store outside the U.S., Appthority cannot collect it.

If an app is only available from a third party store not operated by Apple or Google, Appthority cannot collect it.

Appthority collects paid apps on your behalf, if those apps are on the U.S. App Store or Google Play. Appthority does not collect paid apps from stores outside of the U.S. Appthority does not automatically collect apps that cost $60 or more. Appthority only collects paid apps for our customers, not for Proof of Concept (POC) or test accounts.

Appthority is not able to collect an app on your behalf if it is an app version prior to the current version, because only the current version is available from app stores. In Appthority MTP these are called "stale" apps.

Appthority is not able to collect an app on your behalf if it is no longer available on the app store from which it was originally downloaded. In Appthority MTP these are called "dead" apps. It’s important to note that if an app is removed from an app store, the users who downloaded it are not notified, even if the app was removed due to malware or other detected malicious behavior. Because many apps are removed due to failure to conform to app store policies, discovered after the app was made available on the store, Appthority’s advice is to consider them as potentially unwanted apps.

Appthority may not be able to collect an app on your behalf if it requires an OS version that Appthority MTP does not yet support. Most apps are designed to be backwards compatible with prior OS versions, but a small percentage of apps require a specific OS version that Appthority MTP may not support.

Appthority may not be able to analyze an app that requires an account to run and where the app or service takes significant steps to prevent automated account creation. Examples include elaborate CAPTCHAs, requiring valid phone numbers tied to SIM cards/carriers, or other forms of authentication/verification that require human intervention to circumvent.

How does Appthority MTP static and dynamic analysis work?

The following steps summarize static and dynamic app analysis:

  1. A new app is detected in a customer environment.*
  2. Appthority collects the app from the Apple App Store (iOS) or Google Play (Android).*
  3. Static analysis extracts meaningful data (app requested permissions, signatures, metadata, strings, URLs, etc.) from the app binary, performs code analysis, and stores it all in the database as app evidence.
  4. Dynamic analysis then processes the app for meaningful information: 
    1. App is installed on a device
    2. The app is executed:
      1. The UI is decomposed
      2. Third-party logins to services are entered to expand app functionality as allowed.
      3. Honey Tokens (known values that can be traced later in analysis) are leveraged in place of what would typically be users’ PII.
      4. The UI is exercised to simulate real user access.
    3. Data is extracted and stored in the database as app evidence:
      1. File and network activity
      2. Method tracer
      3. Classdumps
  5. Analysis occurs to assess evidence data collected during static and dynamic analysis against known Threat Indicators, and score the apps according to their risk profile.

* Steps 1 & 2 are bypassed when a user manually submits an app to the system for analysis. All other steps in the process remain the same in this case.
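
How the Honey Tokens from step 4 can be traced through the file and network evidence collected during dynamic analysis, as an added example that is not Appthority's code. The token values, the evidence record layout, the destinations and the set of encodings checked are all assumptions constructed for illustration.

```python
import base64
import hashlib
import urllib.parse

# Constructed honey tokens, entered into the app in place of real PII.
HONEY_TOKENS = {
    "email": "ht-7f3a@honey.example",
    "phone": "+15550100199",
}

def token_variants(value):
    """Encodings under which a seeded value may be stored or transmitted."""
    raw = value.encode()
    return {
        "plain": value,
        "urlencoded": urllib.parse.quote(value, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def trace_tokens(evidence, tokens=HONEY_TOKENS):
    """Report (token, encoding, evidence kind, destination) for every hit."""
    findings = []
    for record in evidence:
        # Case-insensitive match tolerates upper/lower-case hex and %XX escapes.
        haystack = record["data"].lower()
        for name, value in tokens.items():
            for encoding, needle in token_variants(value).items():
                if needle.lower() in haystack:
                    findings.append((name, encoding, record["kind"], record["dest"]))
    return findings

# Constructed evidence records (hypothetical layout: kind, destination, payload).
SAMPLE_EVIDENCE = [
    {"kind": "network", "dest": "https://api.vendor.example/login",
     "data": "user=ht-7f3a%40honey.example&pw=x"},
    {"kind": "network", "dest": "http://ads.tracker.example/c",
     "data": "uid=" + hashlib.sha256(b"+15550100199").hexdigest()},
    {"kind": "file", "dest": "/sdcard/cache/profile.json",
     "data": '{"contact": "' + base64.b64encode(b"ht-7f3a@honey.example").decode() + '"}'},
    {"kind": "network", "dest": "https://cdn.vendor.example/img", "data": "GET /logo.png"},
]

if __name__ == "__main__":
    for finding in trace_tokens(SAMPLE_EVIDENCE):
        print(finding)
```

Because each token is a known value, a hit on a hashed or encoded form still attributes the data flow to a specific input field, which is what lets the later scoring step tie a destination to a type of PII.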

What is the difference between an App Policy and a Threat List?

Threat Lists were a feature of Appthority preceding the MTP release. Threat Lists are special lists of apps using threat-related intelligent filters managed by Appthority. With the release of Appthority MTP, MTT-Managed Policies replaced Threat Lists.

An App Policy is a compliance tool that specifies one or more Threat Indicators (mobile threats) to monitor. Appthority MTP evaluates mobile apps in the customer’s Organization against App Policies to determine if an app violates any active App Policy.