Understanding ThreatScope Mobile XDR

Intro

ThreatScope Mobile XDR offers insight into the actual attacks and threats faced by Appdome-protected apps once they’re released into production. The dashboard’s data refreshes every 24 hours, allowing security teams to monitor evolving attacks and swiftly respond to emerging trends in real time. To ensure that threats faced by a protected app are displayed on the dashboard, there’s no need for prerequisites, API integrations by the Operations teams, or code changes by the mobile development teams.

Setting up Access to ThreatScope Dashboard

Access to a protected app’s threat data on the ThreatScope Dashboard is gated only to viewer accounts that meet the following conditions:

• The viewer account is licensed to access the ThreatScope Dashboard
  Submit a request to Appdome support to activate the license for the accounts that should have access to threat data.
• Threat data originates from teams of which the viewer is a member.
  The team leader of each production team should configure the viewer account. For details, see the section Configuring the Viewer Account.
• The viewer has the View ThreatScope entitlement in the team.
  For more details, see the section Add View ThreatScope Entitlement to Members Account below.

Configuring the Viewer Account

To configure the viewer account, the team leader needs to:

1. Open the User Menu.
2. Click on Team Management.
   
3. Expand each production team by clicking the button.
4. Review the team member list.
   If the requested viewer’s account does not appear, invite the viewer by clicking the Invite Others button.
5. Type the viewer account’s name and hit enter. When done, click Invite.
   
6. After the viewer accepts the invitation, proceed to the next step of adding the required entitlements to the team.

Add View ThreatScope Entitlement to Members Account

In order to add the View ThreatScope entitlement to a member’s account of a production team, the team leader should follow these steps:

1. Click on Team Management account in the user menu and click the button to add entitlements.
   A list of the entitlements available for the account will be displayed.
2. Click the View ThreatScope entitlement.
   

Reviewing the Dashboard Structure

The dashboard allows you to perform the following tasks:

• Select the viewing scope
• Select the date range
• Review the geographical source of threats
• View all attacks
• Use the Threat Stream widget
• Display top 10 defense breakdown
• View Attacks Breakdown
• Filter Missing Intelligence
• Review threat streams

Selecting the Viewing Scope

The dashboard viewer allows defining the scope of data items (threats) to be displayed from the following options:

• A specific team
  View only threats associated with apps built by the selected team
  
• All my teams
  View threats associated with apps built by all teams that the ThreatScope viewer is entitled to access
  
• Personal workspace
  

Selecting the Date Range

The Set Date Range section defines the date range of data items (threats) to be displayed. By default, the date range is set to the last 30 days, but this range can be extended in accordance with the ThreatScope dashboard license.

Reviewing the geographical source of threats

The GeoSource section displays a map that allows viewing the country from which the attacks originate.
Countries are colored based on the volume of threats detected in the region. For clarification, see the legend on the right.

Hover over the requested country to see a breakdown of the information by the following items:

• Country name
• Date Range
  Only threats from the listed date range are aggregated.
• Total attacks
  The sum represents all attacks originating from the country over which the mouse hovers.
  
  

To select one or more countries:

• To select a single country, click the requested country on the map or choose its corresponding checkbox. To deselect a country, click the checkbox of the already selected country.
• To select multiple countries, check the boxes next to each requested country.
  
  

Types of Geography-based data input

The following types of geography-based data input exist:

• Non-specific
  The default data input on Appdome relies on the public IP address captured from its analytics server to map the threat’s location. Given that attackers can mask their public IP using tools such as VPNs and proxies, this data is labeled as “non-specific,” namely because we cannot always pinpoint the precise source of an attack.

• Specific
  In this case, the data input is the device’s location data (GPS). However, since accessing location data requires declaring specific permission in the app and user consent, this type of threat geo-source is not the default option and requires opting in when building the app on Appdome.

What can be inferred from the data

• Ability to create a focus list of countries that generate the most attacks
  Customers that have a web application firewall (WAF) in place can use this data stream to apply different security policies based on the threat landscape of the app and the app’s user base.
• Visibility of how the threat types are distributed within a given country
  This can enable tracking which vectors are used by different local and global actors.
• You can use the Snapshots feature to download the current view of the selected GeoSource.
  

Reviewing Unique Devices ID Report

After applying the selected filters, the displayed sum of Threat Events and Attacks represents the accumulation of all events that occurred on a large number of devices. 

Each device may experience multiple events, and the distribution of events between devices can result in different insights. For example, if there are 1000 events, but 990 of them occurred on one device, the situation would differ significantly compared to if those 1000 events were spread across 1000 individual devices.

To gain more insights into the distribution of events, Appdome allows users to generate a report that describes how many devices were involved in each of the chosen event types.

1. Apply selected ThreatScope filters.
   Note: The user must choose at least one specific Event Type or Reason Code in order to produce the report.
2. Click on the download drop-down button on the top right
3. Select Download Unique Device ID report
4. The report is downloaded and lists the number of unique devices per event according to the selected filters.

The report will return in JSON format; each object includes the name of the attack and the number of involved devices:

{
    "<FAC Event Name #1>": {
	"eventType": "< Event externalID>",
	"impactedDevices": "< # of unique device IDs for externalID in selected filters>"
    },
    "<FAC Event Name #2>": {
	"eventType": "< Event externalID>",
	"impactedDevices": "< # of unique device IDs for externalID in selected filters>”
    }
}

Viewing All Attacks

The Viewing Trend: All Attacks section displays all attacks per threat stream, with each line representing a time interval based on the selected period (date range): days, weeks, or months.

This section contains the following components:

• Date range selector
  Use the date range buttons (Days/Weeks/Months) to control the period represented by each dot on the trend.
  Note: The Months view selector is only available when the ThreatScope dashboard date range is three months or longer.
• Daily Impacted Devices Average
  It is calculated by dividing the total number of attacks and threats by the number of days in the ThreatScope dashboard date range.
• Threat Stream Graph Legends
  Enables filtering out Threat Streams by clicking on the matching legend in the Viewing Trend: All Attacks.
  All changes made only affect the Viewing Trend: All Attacks tile. For example, the screenshot below demonstrates how the Intelligence Missed threat stream can be filtered out.

Hover a dot somewhere over the trend line to see the following data items:

• Date
  Displays the date range represented by each dot on the trend line: day, week, or month.
• Total Detected/Protected
  The value in this field represents the number of attacks and threats associated with the threat stream being hovered over, corresponding to the date range listed in the Date field.
  This field name is Total Protected when the trend line relates to threat streams in which Appdome blocked the attack; otherwise, the name is Total Detected.
• Total Per Day/Week/Month
  Sums the total number of attacks and threats from all threat streams for the date range listed in the Date field.
• Defense Mode
  This value specifies the enforcement mode for the given threat stream, which is labeled with one of the following values:

• Intel
  Indicates that intelligence was collected without any enforcement (ThreatScope Only Configuration).
  
• App
  Indicates that the App is responsible for enforcing against attacks.
  
• Appdome
  This indicates that Appdome is responsible for enforcing laws against attacks.
  

Using the Threat Stream widget

The Threat Stream Widget displays the distribution of attacks of the selected date range between the various threat streams.

What can be inferred from the data?

• Evaluate the risk level of released apps
  By tracking blocked and app-enforced threats.
• Compare intelligence gathered by released apps
  With the actual volume of attacks and threats.

Filtering the display

Click on any Threat Stream tile to apply the selected threat stream as a filter. You can also filter by multiple threats by clicking on more than one threat stream to add them to the filter.

Displaying Top Defenses Breakdown

The Top Defenses section displays a breakdown of the top defenses by app, OS, and manufacturer.

What can be inferred from the data?

The data displayed in this section allows for the generation of a list of the characteristics of the apps and devices that are most targeted by the attacks.

Hover over a graph line in any of the Top Defenses Breakdown tiles to display the following breakdown:

• App/OS/Device
  List the top attack’s identifier.
• Total Detected/Protected
  The value of this field represents the number of attacks and threats associated with the threat stream being hovered in the date range listed in the Date field.
  This field name is Total Protected when the trend line relates to threat streams in which Appdome blocked the attack; otherwise, the name is Total Detected.
• Defense Mode
  See description in section Viewing all attacks.
• Threat Event
  See description in section Viewing all attacks.

The Average widget

The Average widget displays the following information:

• Avg. Attacks per App
  It is calculated by dividing the total number of attacks and threats in the Top Defenses By App tile divided by the number of listed apps.
• Avg. Attacks per OS
  It is calculated by dividing the total number of attacks & threats in the Top Defenses By OS tile divided by the number of listed OS versions.
• Avg. Attacks per Device
  It is calculated by dividing the total number of attacks & threats in the Top Defenses By Device tile divided by the number of listed manufacturers.

Attacks Breakdown

The Attacks Breakdown displays the attacks divided by Threat type:

• ONEShield™ by Appdome
• Mobile App Security
• Mobile Fraud Detection
• Mobile Malware Prevention
• Mobile Cheat Prevention
• MobileBOT™ Defense – Attack Breakdown Coming Soon

The default view, as shown below, displays the group with the most events. You can change the display by clicking on any of the other doughnut graphs to display the data breakdown for that group:

Note: When hovering over each Threat Type graph, the tooltip will display the top 3 attacks for said type.

Expanding the Attacks Breakdown

To view the display for each attack, click on the desired event-type graph.

You can also click on the ‘Expand’ button at the top right corner to expand the display of all Event types.

Collapse the display back to default mode by clicking on ‘Collapse.’

Filtering Threat Intelligence

Threat-Inspect™

The Threat-Inspect™ menu on the left side panel enables easy filtering and creation of custom views for the Threat Scope data.

1. Select the Data displayed from one of the following categories

All Data – Displays all accumulated data by the number of individual events. If a specific device experiences several events of the same type, all events will be counted.

Impacted Devices – Summarizes the number of unique devices on which any event occurred. If one specific device experiences a particular event a number of times, it will still be counted as one device.

Build2Test Events—This function summarizes the Threat Events data only for apps built with the Build-to-Test feature. These apps are built specifically for testing via third-party vendors.
Learn more about Appdome’s Build-to-Test

Bot Defense Data—Access complete payload data from Appdome’s MobileBOT™ Defense (MBD) solution for insights on mobile infrastructure. Correlating and validating real attacks can detect and prevent attacks like credential stuffing and DDoS.

Unique Attacks – Displays an in-depth diagnosis of each attack, enabling precise identification of critical cyber and fraud attacks on mobile apps in production. Geo-location, source identification, attack methods, and techniques for effortless threat detection are all covered.

2. Filter the data

You can filter the data using any of the following filters and combine them to create unique views, gaining deeper insights into the events your Appdome-built apps are facing.

The filters that can be used for controlling the displayed data are:

• Threat Stream – The type of defense implemented in Threat Events.
• Event Type – The protection’s name on FAC.
• Task ID – The unique ID for a protected app on FAC.
• Bundle ID – The app’s identifier is listed in the AndroidManifest.xml or Info.plist file.
• Fusion Set Name – The name of the fusion set to which the protected app is subscribed.
• Fusion Set ID – The ID of the fusion set to which the protected app is subscribed.
• Account Name: The name of the account plus the team type.
• Manufacturer – The device manufacturer associated with the detected attack.
• OS – The platform related to the detected attack.
• OS Version – The OS Version associated with the detected attack.
• Country – For further information, see section Reviewing the geographical source of threats.
• ReasonCode – The Threat/Attack user-facing code from the mobile device. The Reason Code is used in the “ThreatScope™ User Remediation Center” to understand the specific events or metadata that triggered the threat. Customer support organizations can use this information to instruct the mobile user on how to remediate the threat and get back to using the mobile app.

3. Create View

When the data is filtered, you can save it by creating a view.

You can access your custom views via the main drop-down menu.

Learn more about Threat Inspect. 

Filtering by Specific Builds

The section View Specific Builds with Threats Only allows:

• A filter is applied to the ThreatScope by using specific builds of protected apps.
• The viewer can find a specific build using the search bar by looking for any of the attributes shown below. The tile filter is synchronized with the filter pane. For further information, see the Filter Pane section.
• Scrolling through the list of protected apps associated with the attacks & threats shown in the dashboard. The Build ID of the danger can be copied by clicking on the copy icon ;

Avg. Attack Widgets

In some cases, it is useful to get a sense of the baseline of attacks and threats to which the app is exposed. Comparing the current volume of threats to the average line to identify anomalies helps to determine when the protected app is being actively attacked as part of a focused campaign.

Reviewing Threat Streams

Attacks displayed in the dashboard are categorized by Threat Streams, which allows the security team to investigate attack trends, prioritize the effort, and set clear steps to mitigate each threat by its associated stream. A Threat Stream is defined by the enforcement and intelligence policy set for protection within a fusion set.

The Threat Streams are configured as follows:

• New Threats
  • Enforcement Policy – No enforcement.
  • Intelligence Policy – No intelligence is sent to the app. The threat event is not active.
  • Summary—The app will not receive the threat event on attacks, and because it is not aware of attacks, Appdome does not block them, and the app remains unprotected.
• Appdome Protected
  • Enforcement Policy – Appdome is blocked against attacks.
  • Intelligence Policy – No intelligence is sent to the app. The threat event is not active.
  • Summary – The app is protected because Appdome blocks the attack, but the app does not receive the threat event following the attack. The intelligence is sent to and visible on the ThreatScope dashboard.
• Defense & Intel
  • Enforcement Policy – Appdome is blocked against attacks.
  • Intelligence Policy – Threat Event was configured as In-App Defense.
  • Summary – The app is protected. Appdome blocks the attack, and the app receives the threat event, which means that analytics can be captured.
• Intel Missed
  • Enforcement Policy – Appdome is blocked against attacks.
  • Intelligence Policy—Threat Event was configured as In-App Defense; however, the Receiver | Observer is not properly implemented to consume the Threat Event.
  • Summary – The app is protected since Appdome will block the attack, however the app will not receive the threat event following the attacks which means that analytics will not be captured.
• Attacks Detected
  • Enforcement Policy – The app is responsible for enforcing against the attack.
  • Intelligence Policy – Threat Event configured as In-App Detection.
  • Summary—The app will receive the threat event on attacks; however, because the app is responsible for enforcing, the protection level depends on the app’s implementation.

The following threat streams are visualized in various areas in the dashboard:

1. Filter Pane
   Action
   Selecting or clearing the filters will determine which Threat Streams are displayed on the dashboard. Changes to the Threat Stream filter affect the entire dashboard.
   
2. Viewing Trend: All Attacks legend
   Action
   Selecting a Threat Streams legend in the Viewing Trend:
   All Attacks tile filters out the stream.
   Changes affect only the Viewing Trend: All Attacks tile.
   
3. Threat Stream Widgets
   Action

Selecting any of the following widgets—Attack Missed, Threat Intel Missed, Attacks Stopped, and Attacks Captured—applies a filter of the threat streams associated with the widget. Selecting a widget affects the entire dashboard.

For further information, see section Using the Threat Stream widget.

• Top Defense Breakdown
  Action
  Hovering over each threat stream (differentiated by color) within a graph bar displays a tooltip that summarizes the stream.
  
  
  

Lack of the View ThreatScope entitlement

Cause:

The viewer attempted to access the ThreatScope dashboard, but while the viewer’s account is a member of at least one team, that team does not have View ThreatScope entitlement permissions.

Remediation:

Add the View ThreatScope entitlement to each team to give the viewer access to threat data. For additional information, see the section on Setting up access to ThreatScope Dashboard.

Viewer is not a member of any team

Cause:

The viewer tried to access the ThreatScope dashboard by using the All My Teams workspace, but the viewer’s account is not a member of any team.

Remediation:

Request the production team leader to invite the viewer’s account to join the team and add the View ThreatScope entitlement to each team so that the viewer can access the threat data. For further information, see the section Setting up access to the ThreatScope Dashboard.

A viewer or View ThreatScope entitlement was removed

Cause:

The viewer tried to access a team in the ThreatScope dashboard; however, the viewer’s account was removed from that team, or the View ThreatScope entitlement was removed from the viewer’s account in that team.

Remediation:

Request the production team leader to invite the viewer’s account to join the team and add the View ThreatScope entitlement to each team so that the viewer can access the threat data. For further information, see the section Setting up access to ThreatScope Dashboard.

Related Articles

• Threat-Events™, In-App Threat Intelligence in Native iOS Apps
• How to Use ThreatScope™ User Remediation Center
• Understanding ThreatScope Views

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.

Thank you!

Thanks for visiting Appdome! Our mission is to secure every app on the planet by making mobile app security easy. We hope we’re living up to the mission with your project.