NIST Publishes Guide to Mobile Apps VettingEvaluating the Risks of Using Mobile Devices on the Job
The National Institute of Standards and Technology has developed a guide that organizations can use to help them vet applications that run on mobile devices.
Published Jan. 26, NIST Special Publication 800-163, "Vetting the Security of Mobile Applications", provides federal and other government agencies and private businesses with direction on how to plan the implementation of a mobile app vetting process; develop app security requirements; understand the types of app vulnerabilities and the testing methods used to detect those vulnerabilities; and determine if an app is acceptable for deployment on the organization's mobile devices.
"Different organizations have different needs, different IT infrastructure, different data they're trying to protect and different levels of risk they're willing to accept," says NIST Computer Scientist Tom Karygiannis, one of the report's co-authors. "What the document does is let you understand what are the risks, and it allows the agencies to decide which of these risks they're willing to accept, which of the tests they think they should be performing and then ultimately decide whether [an app] is suitable for their use or not."
NIST'S Tom Karygiannis discusses the need for the new guidance.
Dangers to Mitigate in Mobile Apps
Because mobile devices contain many physical sensors that continuously gather and share information, many apps access more data than many users realize. Here are examples NIST cites: A mobile photo-sharing app could grant access to the employee's contact list that holds personally identifiable information, potentially exposing information that should remain private. Similarly, a calendar app, social media app, Wi-Fi sensor or other utility that accesses a global positioning system might track individuals without their knowledge.
In addition, poorly designed apps could drain batteries rapidly and may not meet the requirements of individuals working in the field without access to a power source.
NIST advises that individuals should weigh any productivity gains offered by a mobile app against the potential security and privacy risks they introduce. But those productivity gains mean more employees are demanding use of mobile devices on the job. "If you don't provide the solutions to have them use it securely, they'll find ways to use them on their own in an insecure manner [so] you want to help them do it the right way," Karygiannis says.
App Vetting Process and Related Actors
The new report - known as "Technical Considerations of Vetting Third Party Mobile Applications" in its draft stage - describes an app vetting process comprising two main activities: app testing and app approval/rejection.
The results of app testing are incorporated in vulnerability reports, which help organizations identify risks to assess. The app approval/rejection activity couples the evaluation of the vulnerability reports and risk assessments with additional criteria to determine if the app complies with the organization's security requirements. If the test app doesn't comply, it's rejected for deployment on the organization's mobile devices.
Organizational App Security Requirements
Why is this app vetting process important? According to NIST, many mobile apps are created quickly by authors unknown to the end users, unlike applications organizations deploy on laptops and desktops, which typically are licensed by known developers and go through extensive testing to assure their security. Users download many third-party mobile apps through online stores, such as the Apple App Store for iOS and the Play Store for Android devices, either by paying small fees or for free. To obtain apps for free, users generally agree to accept advertisements or surrender personal information, which could present security and privacy vulnerabilities. This, NIST contends, makes testing third-party mobile apps critical.
Karygiannis also advises that organizations vet updates to mobile apps as if they were entirely new applications because vulnerabilities could be introduced into the latest versions of the software.
NIST didn't intend the new guidance to be a step-by-step guide; it's aimed to help an organization's software assurance analysts gain the know-how to test mobile apps. SP 800-163's appendix identifies and defines the types of vulnerabilities specific to applications running on devices using Android and iOS operating systems. The guidance also offers recommendations on mobile app security and privacy training for employees.