
Mobile security startup Oversecured launches after self-funding $1 million, thanks to bug bounty payouts

November 12, 2020

Sergey Toshin may be a name you haven’t encountered, but his contributions to the field of security are noteworthy.

Toshin, a 24-year-old security researcher based in Moscow, primarily concentrates on the security of mobile applications. Leveraging his understanding of various mobile security weaknesses, Toshin created a specialized Android application vulnerability scanner designed to efficiently and automatically identify vulnerabilities within an app’s code, as he explained to TechCrunch.

This scanner functions by deconstructing the Android app and systematically examining the source code, much like a human reviewer would, to pinpoint potential flaws where vulnerabilities might exist. It utilizes a defined set of rules – essentially descriptions of different vulnerability types – to search for code that matches those criteria, according to Toshin.

Upon completion of the scan, the tool generates a report detailing the locations of any identified vulnerabilities within the code.
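To make the rule-based approach described above concrete, here is a small illustration written for this page; it is not Oversecured's code and does not reproduce its rule set. It assumes the app has already been decompiled to Java source, represents each rule as a description of one weakness class plus the code pattern that class takes, runs the rules over every line, and emits a report of file and line locations. The rule identifiers, the patterns and the sample "decompiled" sources are all constructed for the example.

```python
"""Toy rule-based scanner over decompiled Android source (illustration only)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed identifier, not a real product rule name
    description: str      # what the weakness class is and why it matters
    pattern: re.Pattern   # the code shape the class takes in decompiled Java


# Each rule is a description of one vulnerability type; the scanner looks for
# code that matches it, the way a human reviewer would grep for known shapes.
RULES = [
    Rule("WORLD_READABLE_FILE",
         "File opened with MODE_WORLD_READABLE/WRITEABLE is reachable by every app on the device",
         re.compile(r"\bMODE_WORLD_(READABLE|WRITEABLE)\b")),
    Rule("ECB_CIPHER",
         "AES in ECB mode leaks plaintext structure; use an authenticated mode such as GCM",
         re.compile(r'Cipher\.getInstance\(\s*"AES/ECB')),
    Rule("WEBVIEW_FILE_ACCESS",
         "WebView lets JavaScript loaded from file:// read other local files",
         re.compile(r"\.setAllowFileAccessFromFileURLs\(\s*true\s*\)")),
    Rule("SENSITIVE_LOG",
         "Credential-looking value written to logcat",
         re.compile(r"Log\.[dviwe]\([^)]*(password|token|secret)", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str


def scan_source(path, text):
    """Apply every rule to every line of one decompiled source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, path, lineno, line.strip()))
    return findings


def scan_app(sources):
    """sources maps a decompiled file path to its text; returns all findings."""
    findings = []
    for path, text in sources.items():
        findings.extend(scan_source(path, text))
    return findings


def render_report(findings):
    """Human-readable report: rule, location and the offending line."""
    by_id = {r.rule_id: r for r in RULES}
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"[{f.rule_id}] {f.path}:{f.line}: {f.snippet}")
        lines.append(f"    {by_id[f.rule_id].description}")
    return "\n".join(lines)


# Constructed sample "decompiled" sources; they are not taken from any real app.
SAMPLE_APP = {
    "com/example/app/SettingsStore.java": """\
public class SettingsStore {
    void save(Context ctx, String token) throws IOException {
        FileOutputStream out = ctx.openFileOutput("prefs", Context.MODE_WORLD_READABLE);
        Log.d("SettingsStore", "saving token=" + token);
        out.write(token.getBytes());
    }
}
""",
    "com/example/app/Crypto.java": """\
class Crypto {
    byte[] enc(byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(data);
    }
}
""",
    # Deliberately clean: JavaScript is on, but file URL access stays disabled,
    # so the WebView rule must not fire here.
    "com/example/app/Viewer.java": """\
class Viewer {
    void setup(WebView w) {
        w.getSettings().setJavaScriptEnabled(true);
        w.getSettings().setAllowFileAccessFromFileURLs(false);
    }
}
""",
}

if __name__ == "__main__":
    print(render_report(scan_app(SAMPLE_APP)))
```

Running the block reports three findings (two in `SettingsStore.java`, one in `Crypto.java`) and nothing in `Viewer.java`, which shows the trade-off every such rule set makes: a pattern has to be specific enough that a safe call with the opposite argument does not trigger it, while a real product needs far more rules and data-flow tracking than line-by-line matching gives.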

He developed this scanner over a two-year period, and it significantly accelerated his bug-finding process.

“To participate in a bug bounty program, I would simply download the application and submit the vulnerabilities detailed in the scanner’s report,” he stated.

In August, he disclosed information regarding an Android vulnerability that could have enabled malicious applications to access sensitive user data from other apps on the same device. Shortly after, he revealed a flaw within TikTok’s Android app that potentially could have resulted in user account compromises.

These represent just a couple of the numerous security issues he has reported to companies through their bug bounty programs, a system that allows researchers to alert organizations to potential problems while receiving compensation for their discoveries.

“It led me to consider launching a company focused on assisting other organizations in identifying vulnerabilities in their mobile applications,” Toshin shared with TechCrunch.

This realization led to the creation of Oversecured. However, the method by which Toshin financed his startup was rather unique.

The distinctive aspect of Oversecured isn’t its self-funding, but rather that it originated from a product that essentially funded its own development. Toshin earned over $1 million in bug bounties within a year using his scanner, largely due to Google’s security rewards program, which offers substantial rewards to security researchers for vulnerabilities found in Android apps with a large user base – exceeding 100 million installs.

Although Oversecured is not yet profitable, Toshin has so far declined venture capital funding. The company currently employs approximately five developers, along with designers and translators, all dedicated to enhancing and refining the scanner.

Currently, the scanner supports only Android app analysis. Toshin indicated that the scanner is available to bug hunters and security researchers, who can purchase scans, with a complimentary allowance of five scans.

Toshin anticipates significant demand from enterprise clients seeking to purchase access to the scanner and integrate it into their development workflows. Oversecured launched its business-to-business (B2B) offering last week, enabling app developers to incorporate the scanner directly into their development processes for proactive bug detection.

Toshin mentioned that enterprise customers will soon have the capability to scan Swift source code for iOS applications.

Oversecured enters a competitive market with several established app security companies. Nevertheless, Toshin is confident in the strength of his technology.

“Comprehensive detection is paramount,” he emphasized.
