FAQ

Does MATRIX test every possible security issue in my app?

No. Our MATRIX solution is designed to identify as many security issues in your mobile app as possible given the constraints of the testing environment and the data generated by your UI interactions or user actions script. While it is not currently possible to test for every possible security issue in your app, we are constantly working to improve our testing capabilities and adding new checks to our MATRIX solution.

Our goal for the MATRIX solution is to provide a comprehensive and reliable security testing solution for the more common security issues in mobile apps. This frees up your security team to focus on more complex and nuanced security issues, while still providing a high level of security coverage for your mobile app.

Does this cover the entire Mobile OWASP checklist?

Not yet; however, we're adding new checks all the time. If you have a specific check you'd like to see added, please let us know.

Can I bring my own security checks?

Not yet, but we're looking into this! We'd love to hear more about your use case and what you'd like to bring to our MATRIX solution. Please contact us to discuss.

Can I run this on my own devices?

No — these security tests are designed to be run in our secure testing environment. This allows us to provide a consistent testing environment and ensure that the tests are run in a secure manner. Additionally, the checks themselves rely on comprehensive security tooling only available in Corellium.

What surfaces are you inspecting?

We inspect the entire app, including the app's binary, the app's data, and the app's network traffic. We also inspect the app's interactions with the device, including the app's interactions with the device's hardware and software.

How do you determine severity levels?

We use a combination of factors to determine the severity of a security issue, including the potential impact of the issue, the likelihood of the issue being exploited, and the difficulty of exploiting the issue. We also take into account the context of the issue, including the app's intended use and the app's target audience.

Can we add our own severity?

Not yet, but we're looking into this! We'd love to hear more about your use case and what you'd like to bring to our MATRIX solution. Please contact us to discuss.

Does this work on obfuscated binaries?

Yes! Our MATRIX solution is designed to work on obfuscated binaries. We use a combination of static and dynamic analysis to identify security issues in your app, regardless of whether the app's binary is obfuscated.

Can we run on an air-gapped instance?

Yes; however, you won't benefit from any network-related tests, as they require an internet connection. Additionally, you may miss out on some runtime vulnerabilities that require network traffic to be detected.

Can I run this without interactions?

Yes; however, you won't benefit from any runtime tests, as they require local data to be generated via interaction. In this sense, it will operate similarly to a static analysis tool like MobSF.

Can I test third-party apps without downloading them?

No, you will need to provide the app's binary to run security checks on it. This is because our MATRIX solution requires the app's binary to perform static analysis and generate data for runtime tests.

What's next?

This is just the beginning — we have a lot of exciting plans for our MATRIX solution but we'd love to hear from you. If you have any feedback or suggestions, please contact us.