In a report issued in April, the Department of Homeland Security sounded the alarm bell about the need to approach mobile cybersecurity differently than traditional IT security. The agency recently proved it is putting its money where its mouth is.
Last month, DHS awarded $8.6 million to five research and development projects designed to boost mobile application security for the government. The agency’s Science and Technology Directorate (S&T) will manage the awards under its Mobile Security R&D program.
The mobile app security project at DHS is designed to provide mobile apps with continuous validation and threat protection throughout the entire app lifecycle. DHS is also developing a security framework and integrated models that will enable the development of secure mobile apps for mission use by DHS components, other agencies and enterprise organizations.
“Adversaries can use a compromised or vulnerable mobile app as an avenue to target and gain a foothold on a user’s device,” William Bryan, DHS’s acting under secretary for science and technology, says in a statement. “The Mobile Application Security project will deliver innovative security solutions that will ensure apps used by government personnel and the public are secure.”
“There could be a commercial off the shelf capability that is good, but we need it to meet a standard … [that ensures] the apps are not risky, vulnerable or include additional malware,” Sritapan says. “Having an app development platform that integrates security is the next step.”
A Wide Variety of Mobile App Security Tools
As DHS noted in its April report, “Study on Mobile Device Security,” which was mandated by Congress, there are numerous mobile threat vectors that attackers can use to target agencies.
They include the device technology stack (mobile operating systems and lower-level device components); mobile applications; mobile networks (cellular, Wi-Fi, Bluetooth) and services provided by network operators; physical access to a device; and enterprise mobile services and infrastructure (mobile device management, enterprise mobile app stores and mobile application management).
Here is a quick rundown of the companies that received DHS R&D grants and how they can aid mobile app security:
- Red Hat and Kryptowire were jointly awarded $1.9 million to integrate security throughout the entire mobile app development lifecycle, according to DHS. The two companies will develop an extension of the Red Hat Mobile Application Platform that will enable security templates for developers and integrate automated mobile app security testing. The end goal is to “automatically enforce checks to ensure developed app code and third-party libraries comply with security standards throughout the mobile app lifecycle development process.”
- Lookout was awarded $1.8 million to add new app-threat, -risk and -vulnerability detection and protection capabilities to its cloud-based Mobile Endpoint Security platform, as well as enhance existing capabilities. DHS says these enhancements “will strengthen the government’s ability to securely enable the use of mobile technologies for mission-critical activities.” Lookout’s tech will “enhance visibility into risky applications; detection of side-loaded applications and advanced network-based threats such as man-in-the-middle attacks; mobile device and application vulnerability detection and management; and its platform’s Certificate Authority reputation system.”
- Qualcomm Technologies, the chipset giant, was awarded $1.84 million to use and integrate its commercial technology into a platform that can anchor mobile application security in the hardware of a device. The effort will include a “Mission-Critical-Grade Security Layer,” which will extend continuous observations from the mobile device through application programming interfaces to third-party apps and services.
- United Technologies Research Center was awarded $1.45 million to develop and implement a mobile app security system that will run on a hybrid mobile-device-cloud environment called COMBAT (Continuous Monitoring of Behavior to protect devices from evolving mobile Application Threats). COMBAT will process diverse sources of information and use artificial intelligence to accurately and efficiently detect malicious and vulnerable apps of varying risk severity levels, DHS says.
- Apcerto was awarded $1.64 million to research and develop solutions for normalizing and rating mobile apps based on predefined standards, as well as a framework for orchestrating the entire mobile app security process. Apcerto’s first solution will provide a test bed for mobile app security orchestration and the normalization of results to standards, including the National Information Assurance Partnership, Open Web Application Security Project, HIPAA and the Sarbanes-Oxley Act.