Mobility

What NIST Says About Vetting Mobile Apps

The National Institute of Standards and Technology released draft recommendations for weeding out malicious and faulty apps before they are approved.

Nicole Blake Johnson

Twitter

Nicole is a social media journalist for the CDW family of technology magazines.

The seemingly harmless third-party apps that mobile users rely on to share photos and track daily schedules could cause agencies more harm than good if not properly vetted.

Employees may unknowingly grant apps access to personally identifiable information on their mobile devices, and apps with malware can surreptitiously record phone calls and forward those conversations, according to Tom Karygiannis, a computer scientist with the National Institute of Standards and Technology.

“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” says Karygiannis, commenting after NIST’s release of draft recommendations for vetting mobile apps this month.

The draft publication will be open for public comment through Sept. 18. Software security analysts can use these recommendations to better understand vulnerabilities and performance of an app before it’s approved for agency use, Karygiannis notes.

Malicious apps aren’t the only type agencies should be concerned about. Poorly designed apps can quickly drain a device’s battery and hamper mission critical work in the field if the user doesn’t have access to a power supply.

NIST's Publication: What It’s Not and What It Is

NIST makes it clear in the draft publication itself that the document is not a “step-by-step guide.” Each agency will have to consider “the environment in which the app is employed, organization-specific security requirements, the context in which it will be used and the underlying security technologies supporting the use of mobile apps,” according to the NIST publication.

NIST’s suggestions use public affairs departments as an example. While workers may be granted access to social media apps to do their jobs, employees outside that office who use the same applications may have to restrict what data the app can access, ensure sensitive data is encrypted or change certain settings on their mobile devices.

The publication’s appendix identifies the types of vulnerabilities specific to apps running on Android and iOS devices. For example, it states, “internal communications protocols [on an iOS device] allow applications to process information and communicate with other apps.” However, “exposed internal communications allow applications to gather unintended information and inject new information.”

What to Consider When Approving Mobile Apps

NIST identified information that is most often considered when approving mobile apps and how to gather that data:

Requirements: Collect all the pertinent requirements, security policies, privacy policies, acceptable use policies and social media guidelines that are applicable to your organization.

Provenance: Consider the identity of the developer, developer’s organization, developer’s reputation, date received, marketplace/app store consumer reviews, etc.

Target Hardware: Take into account the intended hardware platform and configuration on which the app will be deployed.

Target Environment: Look at the intended operational environment of the app (e.g., general public use vs. sensitive military environment).

Digital Signature: Note digital signatures applied to the app binaries or packages.

Code Components: Access to the source code provides the ability to conduct additional review not possible with app binaries. Software libraries, scripts, images, debugging information, configuration files and compilation instructions will allow more in-depth testing than simply collecting binary code.

Comomolas/thinkstock