Security Research
Sumo Solutions runs an independent mobile-application security research line, focused on Android applications shipped through the Google Play Store. The work is review-driven, coordinated with vendors, and never published without prior notice.
What we look at
We review consumer Android applications for issues that affect user safety, account integrity, and credential exposure. Typical findings include:
- Hardcoded API keys, service credentials, or third-party tokens shipped inside the application bundle.
- Missing or weak authorization controls on backend endpoints.
- Cryptographic missteps: hardcoded or fixed keys, ECB-mode encryption, and disabled or misconfigured transport security (cleartext traffic, broken certificate or hostname validation).
- Configuration errors that expose development resources in production builds.
- WebView and JavaScript-bridge configurations that weaken app boundaries.
How we work
The default methodology is static: APK extraction, decompilation, manual code review, and limited, low-volume verification against publicly reachable endpoints using ordinary client requests. When a finding requires runtime confirmation, we extend to controlled dynamic testing on test accounts we create ourselves, never against real users or real user data.
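As an added illustration of the static step (example code written for this page, not Sumo Solutions' tooling): a small Python triage pass over the files produced by extracting and decompiling an APK (for instance with apktool or jadx, assumed here), flagging the finding classes listed above. The sample tree, file paths and placeholder values are constructed; every hit is a starting point for manual review, not a confirmed issue.

```python
"""Static triage pass over an extracted/decompiled APK tree.

Added example, not Sumo Solutions' own tooling. Flags the finding classes
the page lists so a reviewer knows where to start reading. Each hit is a
candidate for manual review, never a confirmed vulnerability on its own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # one of the finding classes from the page
    path: str       # file inside the extracted tree
    line: int       # 1-based line number
    evidence: str   # matched text, trimmed


# Patterns are deliberately conservative (prefix-based key formats, explicit
# weak settings) so the output stays short enough to read by hand.
PATTERNS = {
    "hardcoded_credential": [
        re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),            # Google API key format
        re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                 # AWS access key ID format
        re.compile(r'(?i)(?:api[_-]?key|secret|token|password)\s*=\s*"[^"]{12,}"'),
    ],
    "weak_crypto": [
        re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/'),  # ECB mode
        re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes\('),  # key from a literal
    ],
    "transport_security": [
        re.compile(r'cleartextTrafficPermitted\s*=\s*"true"'),
        re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),          # hostname check disabled
    ],
    "dev_resource_in_prod": [
        re.compile(r'android:debuggable\s*=\s*"true"'),
        re.compile(r"https?://(?:localhost|127\.0\.0\.1|10\.0\.2\.2)(?::\d+)?"),
    ],
    "webview_boundary": [
        re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
        re.compile(r"addJavascriptInterface\("),
        re.compile(r"setAllowUniversalAccessFromFileURLs\(\s*true\s*\)"),
    ],
}


def scan_file(path: str, text: str) -> list[Finding]:
    """Run every pattern over each line of one file; one hit per category per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, regexes in PATTERNS.items():
            for rx in regexes:
                m = rx.search(line)
                if m:
                    findings.append(Finding(category, path, lineno, m.group(0)[:60]))
                    break
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """files maps relative path -> decoded contents (e.g. apktool/jadx output)."""
    out = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per category, which is what a first triage report needs."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample tree with placeholder values; not taken from any real app.
SAMPLE_TREE = {
    "AndroidManifest.xml": '<application android:debuggable="true" android:networkSecurityConfig="@xml/nsc">',
    "res/values/strings.xml": (
        '<string name="maps_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE12345</string>\n'
        '<string name="debug_api">http://10.0.2.2:8080/v1/</string>'
    ),
    "res/xml/nsc.xml": '<base-config cleartextTrafficPermitted="true" />',
    "sources/com/example/app/NetClient.java": (
        'private static final String TOKEN = "sk_constructed_placeholder_000001";\n'
        'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        'SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes("UTF-8"), "AES");\n'
        'webView.getSettings().setJavaScriptEnabled(true);\n'
        'webView.addJavascriptInterface(new Bridge(), "Android");'
    ),
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_TREE)
    for f in results:
        print(f"{f.category:22} {f.path}:{f.line}  {f.evidence}")
    print(summarize(results))
```

The pattern table is the part worth tuning per engagement: it trades recall for a short list a reviewer can actually read, and any `hardcoded_credential` hit still has to be checked against the backend to see whether the key is scoped or restricted before it counts as a finding.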
What we do not do:
- Access real user accounts or real user data.
- Run automated or repeated attacks against production systems.
- Publish findings without coordinating with the vendor first.
- Sell findings, broker exploits, or feed threat-intelligence pipelines based on this work.
The research line is independent. It is self-directed, conducted on our own initiative, and is not operated on behalf of, or in affiliation with, any bug bounty platform (HackerOne, Bugcrowd, Intigriti, or similar).
Disclosure process
We follow a coordinated disclosure process. Initial contact with a vendor is intentionally high-level; technical detail is shared only after a vendor confirms a point of contact. We do not impose disclosure deadlines and will not publish details without giving vendors reasonable time to remediate.
When contacting us about a disclosure, please include the application name and its package identifier (the reverse-DNS package name, e.g. com.example.app) in the subject line where possible.
Publications
We are in active disclosure cycles with several vendors. To honour our coordinated-disclosure commitment, we do not publish technical details — even anonymised — while a finding is unresolved.
Sanitised post-mortems will appear here as coordinated disclosure cycles complete. The earliest publications are expected later in 2026, subject to vendor remediation timelines.
Engagements
If you would like a paid security review of an application you own — or want a deeper review of a finding we have already disclosed to your team — we accept a small number of engagements per quarter. Use research@sumosols.com for inquiries; we will respond with a scope and timeline outline within two business days.
Receiving a disclosure email from us
If you have received a "Responsible Disclosure" email that appears to be from research@sumosols.com about an application your team publishes, you can verify its origin by writing to that address in a fresh message rather than replying: a forged email can set its Reply-To header to an address the sender controls, so only a message you compose to the address published on this page confirms you are talking to us. We will share the technical detail securely once we have a confirmed contact. The full process is described on the Responsible Disclosure page.