Rapid7 Acquires Mobilisafe To Assess Mobile Device Risks

Rapid7 has acquired Mobilisafe, a fledgling Seattle-based mobile security firm that assesses smartphones and tablets for known platform vulnerabilities. Terms of the deal were not disclosed.

Boston-based Rapid7 sells the Nexpose vulnerability management software and maintains the Metasploit pentesting platform. Mike Tuchen, CEO of Boston-based Rapid7 said the firm saw Mobilisafe as an opportunity to expand its reach into assessing the risks posed by mobile devices.

"Now customers can get a unified view of the rest of their network vulnerabilities with their mobile device vulnerabilities," Tuchen said.

The Mobilisafe software is capable of being deployed in 15 minutes across the entire organization without requiring agents on devices. Mobilisafe integrates with Microsoft Exchange and Active Directory servers, collecting incoming traffic from devices when they attempt to connect to receive email, contacts and calendar items. The software determines whether device firmware needs updating and then assigns a risk score based on the known platform vulnerabilities.

Dirk Sigurdson, CTO and co-founder of Mobilisafe said the firm maintains a database tracking the availability of firmware updates for over 650 devices. Mobilisafe is focused on device firmware and carrier customizations primarily in the United States, he said. The software also has the ability to tap into the basic security controls in Microsoft ActiveSync, ensuring passcode protection, remote wipe and encryption capabilities. 

"You can tell if a device is out of date and inform employees to get their devices updated," Sirgurdson said.

Sigurdson said the software is commonly used by exchange administrators. A centralized console shows the devices connected to the network, the risk status posed by devices and enables administrators to drill down to assess the risk posed by single device owner. Policies can be set to block access to Exchange or simply send an email encouraging users to upgrade the device firmware.

The software doesn't assess the risk posed by a poorly written mobile app and cannot detect a malicious or Trojanized mobile application. Rapid7's Tuchen said the firmware is a great place to start because malicious applications would typically attempt to exploit vulnerabilities in the firmware, using platform resources to steal malicious data.

Other security firms focus on mobile application security
Security giant Symantec announced integration plans this week for its acquisition of Nukona. The mobile device management vendor focuses on application control, enabling enterprises to sandbox some third-party mobile apps and set security controls on them. Symantec said this week it is reaching out to other third-party vendors in an effort to expand the functionality to wider variety of apps. The Nukona name is being phased out with the unveiling of Symantec Mobile Management Suite, which contains device and asset management functionality.

Application security testing firm Veracode Inc. extended its mobile capabilities this week, acquiring Marvin Mobile Security. Burlington, Mass.-based Veracode said itwould integrate Marvin's mobile app analysis service for enterprises and mobile carriers. Marvin provides a web-based service that tests mobile apps and provides data on the app’s capabilities and behavior, including malware detection, the potential for data leakage and privacy loss.