When it comes to creating a product, it is as important to identify the pain points you want to solve as it is to size their intensity: the number of people suffering from them.
In the life of a product, everything starts with a first use case: one of your customers knocks on your door and asks for your expertise. This is the beginning of a project.
Once the project is mature enough, as an entrepreneur you often wonder whether you could replicate it and turn it into a product you can sell to a market. One customer is a customer; two customers are a market. However, whether your investment in converting a single project into a scalable product is worthwhile depends on the size of that market.
In the context of esChecker, thanks to a project with a payment scheme, we knew that we could create a solution to test the security countermeasures of mobile applications using app shielding technologies. But was it worth investing in converting that project into a product able to test any mobile application using app shielding technology?
Looking at the Gartner report on App Shielding, it is a growing market, as usual with this kind of report, with a CAGR of 20%. That is nice, better than nothing, but it gives no clue about the market size. What we wanted to know was: how many mobile apps use app shielding technology and therefore must be tested with an ad-hoc solution?
That is why we decided to launch our own naïve market intelligence study.
Our goal with this market study was to answer two questions:
- How many mobile applications integrate security countermeasures, such as obfuscation or runtime application security controls such as rooting detection, anti-debugging, anti-hooking, …
- As we have a technology dedicated to HCE, how many mobile applications are designed to perform physical payment (i.e., integrate HCE technology)?
To conduct that study, we designed a methodology around two axes. First, we had to identify the segment of the mobile market most likely to secure its mobile applications. We therefore decided to focus on the mobile apps referenced in the finance section of the Google Play Store. Because there may be some discrepancies between countries, we decided to consider the top 100 mobile apps of the finance section of the Google Play Store in 14 countries representative of the mobile app market worldwide:
- Hong Kong
- South Korea
Second, we had to list the security tools we would look for. To do so, our team of experts wrote rules to identify the artefacts belonging to well-known security tools available on the market.
In a first iteration, they created rules to spot 34 security tools from different vendors:
As an example, for Rootbeer, “A tasty root checker library”, to know whether an app uses Rootbeer we simply check that the app contains:
For some other products, the rules were more complex. Of course, we are fully aware of the limits of such an empirical approach over time. If some artefacts are removed from the product they belong to, we will get false negatives. Conversely, if some artefacts are not uniquely correlated with one product, we will get false positives. Nevertheless, as a first approximation, we decided it was good enough for an estimation of the market size.
The first result we got was the number of applications using one of the protection tools from our sample list: out of the 1400+ apps we examined on the Google Play Store, at least 565 use one or more shielding products.
The second result we got relates to the geographical discrepancies in app shielding use:
So, even if, as Gartner says, the CAGR of App Shielding is 20%, we now know that the use of App Shielding technologies is not the same everywhere. It is more interesting to focus on Korea or Switzerland when you want to sell a testing solution to app shielding customers than to prospect in the US or UK.
Finally, as with esChecker the support of VISA NFC payment gives us a competitive advantage in testing mobile apps using HCE technology, we decided to sort our data according to that criterion. We categorized the apps into those used for physical payment and those used exclusively for mobile operations. To know whether an app was meant to perform physical payment, we looked at its manifest file and examined three sections of it: the permissions asked by the app, the features and the services declared:
<uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
<service android:enabled="true" android:exported="true" android:name="com.myapp" android:permission="android.permission.BIND_NFC_SERVICE">
    <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
    </intent-filter>
    <meta-data android:name="android.nfc.cardemulation.host_apdu_service" android:resource="@xml/apduservice"/>
</service>
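The manifest check described above, written out as an added example (not eShard's own tooling): it parses an AndroidManifest.xml, reports the three signals (NFC permission, nfc.hce feature, host APDU service bound with BIND_NFC_SERVICE) and, as an assumed rule, counts an app as a physical payment app only when a host APDU service is declared. The sample manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
HCE_FEATURE = "android.hardware.nfc.hce"
NFC_PERMISSION = "android.permission.NFC"
BIND_NFC_SERVICE = "android.permission.BIND_NFC_SERVICE"
HOST_APDU_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

def _name(elem, attr="name"):
    # Manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, attr))

def hce_indicators(manifest_xml):
    """Return the three manifest signals of HCE payment: the NFC permission,
    the nfc.hce hardware feature, and a service protected by BIND_NFC_SERVICE
    whose intent filter handles the HOST_APDU_SERVICE action."""
    root = ET.fromstring(manifest_xml)
    perms = {_name(p) for p in root.iter("uses-permission")}
    feats = {_name(f) for f in root.iter("uses-feature")}
    apdu = any(
        _name(s, "permission") == BIND_NFC_SERVICE
        and HOST_APDU_ACTION in {_name(a) for a in s.iter("action")}
        for s in root.iter("service")
    )
    return {"nfc_permission": NFC_PERMISSION in perms,
            "hce_feature": HCE_FEATURE in feats,
            "host_apdu_service": apdu}

def is_physical_payment_app(manifest_xml):
    """Assumed rule: only a declared host APDU service counts; the permission
    or feature alone also shows up in plain NFC tag-reader apps."""
    return hce_indicators(manifest_xml)["host_apdu_service"]

# Constructed sample manifests (not taken from any real app).
HCE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.pay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
  <application>
    <service android:name=".PayService" android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % ANDROID_NS

READER_MANIFEST = """<manifest xmlns:android="%s" package="com.example.reader">
  <uses-permission android:name="android.permission.NFC"/>
  <application/>
</manifest>""" % ANDROID_NS
```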
Based on this categorization we got the following results:
When we consider the HCE payment market, we see that the number of applications is significantly lower.
With very few resources but strong expertise, we were able to collect facts about the status of the deployment of app shielding technologies in the field. These facts will be monitored closely and our methodology improved as we move forward, but it is now easy to set up an efficient mobile application shielding testing strategy with a deeper knowledge of the market. Thanks to this market intelligence, we can now prioritize the testing of the app shielding vendors with the highest market share, for maximum benefit to eShard’s customers.