When it comes to creating a product, it is as important to identify the pain points you want to solve as it is to size their intensity: the number of people suffering from them.
In the life of a product creation, everything starts with a first use case: one of your customers knocks on your door and asks you for expertise, and this is the beginning of a project.
Once the project is mature enough, as an entrepreneur you often wonder whether you could replicate it and make it a product you can sell to a market. One customer is a customer, two customers are a market. However, whether your investment in converting a single project into a scalable product is worthwhile will depend on the size of your market.
In the context of esChecker, thanks to a project with a payment scheme, we knew that we could create a solution to test the security countermeasures of mobile applications using app shielding technologies. But was it worth investing in converting that project into a product to test any mobile application using app shielding technology?
Looking at the Gartner report about App Shielding, it is a growing market, as usual with this kind of report, with a CAGR of 20%. That is cool, better than nothing, but it does not give me any clue about the market size. What we wanted to know was: how many mobile apps use app shielding technology and so must be tested with an ad-hoc solution?
That is why we decided to launch our own naïve market intelligence study.
Second, we had to list the security tools we would look for. To do so, our team of experts wrote rules to identify the artefacts belonging to well-known security tools available in the market.
In a first iteration, they created rules to spot 34 security tools from different vendors:
As an example, for Rootbeer, "A tasty root checker library", to know if the app uses Rootbeer, we simply check that the app contains:
For some other products, the rules were more complex. Of course, we are totally aware that such an empirical approach only remains valid for a limited time. If some artefacts are removed from the product they belong to, then we will have false negatives. On the contrary, if some artefacts are not uniquely correlated with one product, we will have false positives. Nevertheless, as a first approximation, we decided it was good enough for an estimation of the market size.
The first result we got was the number of applications using one of the protection tools from our sample list: out of the 1400+ apps we examined on the Google Play Store, at least 565 use one or more shielding products.
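The artefact-rule idea above, written out as an added example (this is not eShard's rule engine or its actual rule set). Each app is represented by the inventory a static unpacker would produce (class names, native library names, string constants), and a rule lists the artefacts that must all be present before a product is reported. The RootBeer artefacts are taken from the public RootBeer project (its Java package and the native helper library it bundles), not from this page; "VendorShield" is a hypothetical product with placeholder artefacts, and the sample inventories are constructed. Requiring several independent artefacts per product is what keeps a shared string from producing a false positive, at the price of a false negative if a vendor strips or renames one of them.

```python
"""Artefact-based detection of security/app-shielding libraries (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class AppArtefacts:
    """Static inventory of one unpacked app (constructed for this example)."""
    package: str
    classes: set
    native_libs: set
    strings: set


@dataclass
class Rule:
    """All listed patterns must hit at least one artefact (AND semantics)."""
    product: str
    class_patterns: list = field(default_factory=list)   # regexes over class names
    lib_patterns: list = field(default_factory=list)     # regexes over .so names
    string_patterns: list = field(default_factory=list)  # regexes over string constants

    def matches(self, app: AppArtefacts) -> bool:
        checks = (
            (self.class_patterns, app.classes),
            (self.lib_patterns, app.native_libs),
            (self.string_patterns, app.strings),
        )
        for patterns, haystack in checks:
            for pattern in patterns:
                rx = re.compile(pattern)
                if not any(rx.search(item) for item in haystack):
                    return False  # one missing artefact => product not reported
        return True


# RootBeer artefacts: from the public RootBeer project, not from the page.
# "VendorShield" is hypothetical; its artefacts are placeholders.
RULES = [
    Rule("RootBeer",
         class_patterns=[r"^com\.scottyab\.rootbeer\.RootBeer$"],
         lib_patterns=[r"^libtool-checker\.so$"]),
    Rule("VendorShield (hypothetical)",
         class_patterns=[r"^com\.vendorshield\."],
         lib_patterns=[r"^libvshield.*\.so$"],
         string_patterns=[r"VSHIELD_RUNTIME"]),
]


def detect_products(app: AppArtefacts, rules=RULES) -> list:
    """Sorted names of every product whose rule fully matches the app."""
    return sorted(r.product for r in rules if r.matches(app))


def shielding_stats(apps, rules=RULES) -> dict:
    """Count apps using at least one detected product, plus per-product hits."""
    shielded = 0
    per_product = {}
    for app in apps:
        found = detect_products(app, rules)
        if found:
            shielded += 1
        for product in found:
            per_product[product] = per_product.get(product, 0) + 1
    return {"total": len(apps), "shielded": shielded, "per_product": per_product}


# Constructed sample inventories, not real apps.
SAMPLE_APPS = [
    AppArtefacts("com.example.bank",
                 {"com.scottyab.rootbeer.RootBeer", "com.example.bank.MainActivity"},
                 {"libtool-checker.so"}, {"Welcome"}),
    AppArtefacts("com.example.wallet",
                 {"com.vendorshield.Guard", "com.example.wallet.Pay"},
                 {"libvshield-arm64.so"}, {"VSHIELD_RUNTIME", "Pay now"}),
    # Shares one string with VendorShield but none of its other artefacts:
    # the AND rule keeps this from being counted as a false positive.
    AppArtefacts("com.example.news",
                 {"com.example.news.Feed"}, set(), {"VSHIELD_RUNTIME"}),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.package, detect_products(app))
    print(shielding_stats(SAMPLE_APPS))
```

In practice the inventory would be filled from the decoded APK (dex class list, `lib/` directory, string pool); the matching logic stays the same.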
Figure 1: Percentage of applications using app shielding technology
The second result we got was related to the geographical discrepancies of the app shielding use:
Figure 2 Percentage of application using app shielding technology per country
So, even if, as Gartner says, the CAGR of App Shielding is 20%, we now know that the use of App Shielding technologies is not the same everywhere. It is more interesting to focus on Korea or Switzerland when you want to sell testing solutions to app shielding customers than to prospect in the US or UK.
Finally, since esChecker's support of VISA NFC payment gives us a competitive advantage in testing mobile apps using HCE technology, we decided to sort our data according to that criterion. We categorized the apps between those used for physical payment and those used exclusively for mobile operations. To know whether an app was meant to perform physical payment, we looked at the app manifest file and examined three sections of it: the permissions asked for by the app, the features and the services declared:
    <uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
    <service android:enabled="true" android:exported="true" android:name="com.myapp"
             android:permission="android.permission.BIND_NFC_SERVICE">
        <intent-filter>
            <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
        </intent-filter>
        <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                   android:resource="@xml/apduservice"/>
    </service>
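The manifest check described above, as an added example that is not eShard's tooling: it parses a decoded AndroidManifest.xml and inspects the three sections the study used, `<uses-permission>`, `<uses-feature>` and `<service>`. The decision rule is an assumption of this example: an app counts as an HCE payment app only when it declares a service bound with `android.permission.BIND_NFC_SERVICE` that handles `HOST_APDU_SERVICE`; the NFC permission or the `nfc.hce` feature alone is reported but not treated as sufficient, because a banking app may use NFC merely to read tags or cards. The two manifests are constructed samples; package and service names are placeholders.

```python
"""Classify Android apps as HCE payment vs. mobile-only from the manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NFC_PERMISSION = "android.permission.NFC"
HCE_FEATURE = "android.hardware.nfc.hce"
BIND_NFC_SERVICE = "android.permission.BIND_NFC_SERVICE"
HOST_APDU_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"


def _a(attr: str) -> str:
    """Qualified name of an android: attribute as ElementTree stores it."""
    return "{%s}%s" % (ANDROID_NS, attr)


def analyse_manifest(xml_text: str) -> dict:
    """Extract the NFC/HCE evidence from the three manifest sections."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(_a("name")) for e in root.iter("uses-permission")}
    features = {e.get(_a("name")) for e in root.iter("uses-feature")}
    hce_services = []
    for svc in root.iter("service"):
        # Only services the NFC stack may bind to can emulate a card.
        if svc.get(_a("permission")) != BIND_NFC_SERVICE:
            continue
        actions = {act.get(_a("name")) for act in svc.iter("action")}
        if HOST_APDU_ACTION in actions:
            hce_services.append(svc.get(_a("name")))
    return {
        "package": root.get("package"),
        "nfc_permission": NFC_PERMISSION in permissions,
        "hce_feature": HCE_FEATURE in features,
        "hce_services": hce_services,
    }


def classify(xml_text: str) -> str:
    """Assumed rule: a HOST_APDU_SERVICE service is what makes it a payment app."""
    info = analyse_manifest(xml_text)
    return "hce_payment" if info["hce_services"] else "mobile_only"


def count_by_category(manifests) -> dict:
    """Tally a corpus of manifests into the two categories."""
    counts = {"hce_payment": 0, "mobile_only": 0}
    for manifest in manifests:
        counts[classify(manifest)] += 1
    return counts


# Constructed sample manifests (placeholder package and service names).
PAYMENT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.paywallet">
    <uses-permission android:name="android.permission.NFC"/>
    <uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
    <application>
        <service android:enabled="true" android:exported="true"
            android:name="com.example.paywallet.CardService"
            android:permission="android.permission.BIND_NFC_SERVICE">
            <intent-filter>
                <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
            </intent-filter>
            <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
                android:resource="@xml/apduservice"/>
        </service>
    </application>
</manifest>
"""

# Has the NFC permission (e.g. to read a card) but no card-emulation service.
BANKING_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
    <uses-permission android:name="android.permission.NFC"/>
    <application>
        <service android:name="com.example.bank.SyncService" android:exported="false"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (PAYMENT_MANIFEST, BANKING_MANIFEST):
        print(analyse_manifest(m)["package"], classify(m))
    print(count_by_category([PAYMENT_MANIFEST, BANKING_MANIFEST]))
```

On a real corpus the manifest is first decoded from its binary form (for instance with apktool) before it is fed to `analyse_manifest`.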
Based on this categorization we got the following results:
Figure 3: Repartition of Mobile Banking vs Payment Apps in the Google Play Store Finance category for 14 countries
Figure 4: Number of HCE Payment Apps in each of the 14 considered countries
When we consider the HCE payment market, we see that the number of applications is significantly lower.
With very few resources but strong expertise, we were able to collect facts related to the status of the deployment of app shielding technologies in the field. These facts will be monitored closely and our methodology improved as we move forward, but it is now easy to set up an efficient mobile application shielding testing strategy with a deeper knowledge of the market. Thanks to this market intelligence, we can now prioritize the testing of the app shielding vendors with the highest market share for maximum benefit to eShard's customers.