What NIST Says About Vetting Mobile Apps
The seemingly harmless third-party apps that mobile users rely on to share photos and track daily schedules could cause agencies more harm than good if not properly vetted.
Employees may unknowingly grant apps access to personally identifiable information on their mobile devices, and apps with malware can surreptitiously record phone calls and forward those conversations, according to Tom Karygiannis, a computer scientist with the National Institute of Standards and Technology.
“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” says Karygiannis, commenting after NIST’s release of draft recommendations for vetting mobile apps this month.
The draft publication will be open for public comment through Sept. 18. Software security analysts can use these recommendations to better understand vulnerabilities and performance of an app before it’s approved for agency use, Karygiannis notes.
Malicious apps aren’t the only type agencies should be concerned about. Poorly designed apps can quickly drain a device’s battery and hamper mission critical work in the field if the user doesn’t have access to a power supply.
NIST's Publication: What It’s Not and What It Is
NIST makes it clear in the draft publication itself that the document is not a “step-by-step guide.” Each agency will have to consider “the environment in which the app is employed, organization-specific security requirements, the context in which it will be used and the underlying security technologies supporting the use of mobile apps,” according to the NIST publication.
NIST’s suggestions use public affairs departments as an example. While workers may be granted access to social media apps to do their jobs, employees outside that office who use the same applications may have to restrict what data the app can access, ensure sensitive data is encrypted or change certain settings on their mobile devices.
The publication’s appendix identifies the types of vulnerabilities specific to apps running on Android and iOS devices. For example, it states, “internal communications protocols [on an iOS device] allow applications to process information and communicate with other apps.” However, “exposed internal communications allow applications to gather unintended information and inject new information.”