How to Vet Third-Party Mobile Apps

NIST Guide Aims to Help Establish In-House Testing
As more organizations accommodate employees' demands to use mobile devices, ensuring the security of the applications on those smart phones and tablets has become critical.

The National Institute of Standards and Technology is developing guidance for how to test third-party mobile apps. It's issued a draft of Special Publication 800-163, titled Technical Considerations for Vetting Third-Party Mobile Applications.

"People want to benefit from the productivity gains that smart phones can offer, but at the same time, you have these requirements to protect your own network resources," NIST Computer Scientist Tom Karygiannis says. "Before you install an app, one question is: Do you know what the app does? The way to find out what the app does is to actually test it."


NIST's Tony Karygiannis on mobile app risks.

The draft publication:

  • Furnishes a brief overview of software assurance issues for mobile apps;
  • Provides guidance for organizations planning to set up an in-house mobile app vetting process;
  • Discusses common mobile app testing requirements, such as security, privacy, functionality, performance and reliability; and
  • Examines mobile app vetting tools and techniques.

Mobile App Risks

Unlike applications organizations deploy on laptops and desktops, which often are licensed by known developers and go through extensive testing to assure their security, many mobile apps are created quickly by authors unknown to the end users. Users download many third-party mobile apps through online stores, such as the Apple App Store for iOS and the Play Store for Android devices, either by paying small fees or for free. To obtain apps for free, users generally agree to accept advertisements or surrender personal information, which could present security and privacy vulnerabilities. This, NIST contends, makes testing third-party mobile apps critical.

And, Karygiannis advises, mobile app updates must also be vetted. Approving the security of version 1.0 doesn't mean revised versions are secure. NIST recommends that updates to mobile apps be tested as if the app were new. "If the code writer is malicious and he wants to introduce an app after you installed the original one, and assuming that now you've got greater privileges, then that's an opportunity to introduce some kind of malware later if that update isn't vetted, as well," he says.

Though NIST doesn't intend the new guidance to be a step-by-step guide, it should help an organization's software assurance analyst to gain the know-how to test mobile apps. "It would be helpful if you had experience programming mobile apps, whether it's Android or iOS; I think you have to have an understanding," Karygiannis says. "But you can ramp up and learn that."

The guide's appendix identifies and defines the types of vulnerabilities specific to applications running on devices using Android and iOS operating systems. The guidance also offers recommendations on mobile app security and privacy training for employees.

NIST is seeking comments from stakeholders on the draft guidance before issuing a final version of the publication. Comments should be sent by Sept. 18 to nist800-163@nist.org.


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



