You might not have heard of Sergei Toshin, but you should know his work.
Toshin is a 23-year-old security researcher in Moscow who focuses largely on mobile app security. With his knowledge of what different mobile security flaws looked like, Toshin built a custom Android mobile app vulnerability scanner to quickly and automatically find vulnerabilities in an app’s code, he told TechCrunch.
The scanner works by decompiling the Android app and running through the source code line-by-line — just as a human would — and detecting possible flaws in code where a vulnerability could be triggered. It takes a set of rules, which effectively describes different kinds of vulnerabilities, and searches for vulnerable code that meets those conditions, Toshin said.
Once the scanner finishes, it spits out a report describing where the vulnerabilities are in the code.
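The rule-driven, line-by-line matching described above, as an added illustration that is not Oversecured's code and does not reproduce its (unpublished) rule set: a hypothetical scanner that takes already-decompiled Java source, applies a handful of Android weakness rules, and emits a report with the file and line of each match. The sample source and the rule list are constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical rules; each describes one weakness pattern to look for in decompiled Java.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    pattern: re.Pattern
    description: str

RULES = [
    Rule("WORLD_ACCESSIBLE_FILE", "high", re.compile(r"\bMODE_WORLD_(READABLE|WRITEABLE)\b"),
         "File or preference opened with a world-accessible mode; other apps on the device can read or modify it."),
    Rule("WEBVIEW_JS_BRIDGE", "high", re.compile(r"\.addJavascriptInterface\s*\("),
         "Java object exposed to WebView JavaScript; risky if untrusted pages can be loaded."),
    Rule("WEBVIEW_FILE_ACCESS", "medium",
         re.compile(r"\.setAllow(FileAccess|FileAccessFromFileURLs|UniversalAccessFromFileURLs)\s*\(\s*true\s*\)"),
         "WebView granted file: URL access; local files become readable to page content."),
    Rule("SQL_CONCAT", "high", re.compile(r"\.(rawQuery|execSQL)\s*\(\s*\"[^\"]*\"\s*\+"),
         "SQL statement built by string concatenation; use bound parameters instead."),
]

@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule_id: str
    severity: str
    excerpt: str

def scan_source(files):
    """Walk every line of every decompiled file and record each rule that matches it."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            stripped = line.strip()
            if stripped.startswith("//"):  # comments never trigger a finding
                continue
            for rule in RULES:
                if rule.pattern.search(line):
                    findings.append(Finding(path, line_no, rule.rule_id, rule.severity, stripped))
    return findings

def format_report(findings):
    """Render findings as one 'SEVERITY file:line RULE: code' line each."""
    rows = [f"{f.severity.upper():6} {f.file}:{f.line} {f.rule_id}: {f.excerpt}" for f in findings]
    return "\n".join(rows) if rows else "no findings"

# Constructed sample of decompiled Java (not taken from any real app). Decompilation itself is assumed done.
SAMPLE_FILES = {"com/example/app/MainActivity.java": """
package com.example.app;
public class MainActivity extends Activity {
    void setup(WebView wv, String q, SQLiteDatabase db) {
        // rawQuery with bound parameters is fine and must not be flagged
        db.rawQuery("SELECT * FROM notes WHERE id = ?", new String[]{q});
        db.rawQuery("SELECT * FROM notes WHERE title = '" + q + "'", null);
        wv.getSettings().setAllowFileAccessFromFileURLs(true);
        wv.addJavascriptInterface(new Bridge(), "Android");
        openFileOutput("token.txt", Context.MODE_WORLD_READABLE);
    }
}
"""}

if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_FILES)))
```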
It was using this scanner, which he developed over the course of the last two years, that he was able to speed up the process of finding bugs.
“To participate in a bug bounty, I would just download the app and copy the vulnerabilities identified in the vulnerability report,” he said.
In August, he revealed details of an Android vulnerability that allowed malicious apps to steal sensitive user data from other apps on the same device. Two weeks later, he dropped details of a bug in TikTok’s Android app that could have led to hijacking of user accounts.
These are just two out of hundreds of security bugs he has reported to companies through their bug bounty programs, a way for researchers to warn companies of potential issues while getting paid for their findings.
“It occurred to me to launch a startup and begin helping other companies find vulnerabilities in their mobile apps,” Toshin told TechCrunch.
And that’s how Oversecured was founded. But how Toshin funded his startup was somewhat unconventional.
What’s unusual about Oversecured is not that it’s self-funded, but that it launched out of a product that effectively paid for itself. Toshin netted more than $1 million in bug bounties in a year using his scanner, in large part thanks to Google’s security rewards program, which pays security researchers far more for security bugs found in Android apps with over 100 million installs.
Oversecured is not yet profitable, but Toshin has also not taken any venture-backed funding to date. The company now has about five developers, as well as designers and translators as all efforts focus on building and improving the scanner.
The startup so far only supports scanning Android apps. Toshin said the scanner is open to bug hunters and security researchers, who can pay to scan each app — with five scans tossed in for free.
But Toshin is betting big on allowing enterprise customers to buy access to the scanner and integrate it with their development tools. Oversecured launched its B2B offering last week, allowing app makers to integrate the scanner directly into their existing app development processes to find bugs during coding.
Toshin said that enterprise customers will soon get support for scanning Swift source code for iOS apps.
Oversecured joins a number of other established app security companies in the space. But Toshin is confident that his technology stands out from the crowd.
“It’s important to find everything,” he said.
This post first appeared here: https://techcrunch.com/2020/11/12/oversecured-mobile-app-security-bug-bounty/