NIST Vetting Guide Helps in Testing Mobile Apps to Learn What They Really Do
From NIST Tech Beat: August 20, 2014
While many mobile device apps, such as calendar or collaboration tools, are very handy and can improve productivity, they can also introduce vulnerabilities that put sensitive data and network resources at risk. The National Institute of Standards and Technology (NIST) is preparing recommendations to help organizations leverage the benefits of mobile apps while managing their risks. The authors are asking for public comments on a draft of Technical Considerations for Vetting 3rd Party Mobile Applications* by September 18, 2014.
The draft publication “describes tests that allow software security analysts to discover and understand vulnerabilities and behaviors before the app is approved for use,” says NIST computer scientist Tom Karygiannis.
“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” explains Karygiannis. Many apps may access more data than expected, and mobile devices carry many physical sensors that continuously gather and share information.
For example, when an employee shares a photograph through a mobile application, the mobile app may be granted access to the employee’s contact list that may hold personally identifiable information that should remain private. Or individuals might be tracked without their knowledge by way of a calendar app, social media app, Wi-Fi sensor, or other utilities that access a global positioning system (GPS).
“Apps with malware can even make a phone call recording and forward conversations without its owner knowing it,” Karygiannis says. Not all issues are as sinister. Certain poorly designed apps may drain batteries rapidly and may not meet the requirements of people working in the field without access to a power source. Employees should weigh any productivity gains offered by a mobile app against the potential security and privacy risks it introduces.
The draft publication provides information for vetting mobile apps, including common mobile app testing requirements (such as security, functionality, performance and reliability) and mobile app vetting tools and techniques.
The mobile apps vetting guidance also provides an overview of software assurance issues, describes undesirable characteristics that vetting may reveal, provides examples of security weakness issues affecting apps, and discusses app power consumption.
Technical Considerations for Vetting 3rd Party Mobile Applications is not a step-by-step guide. It highlights the tests that should be considered when vetting a mobile app before it is approved for use. Each organization needs to consider the environment in which the app is employed, organization-specific security requirements, the context in which it will be used, and the underlying security technologies supporting the use of mobile apps. For example, an organization may approve the use of a social media app for its public affairs office in order to meet its mission, but other staff members may need to restrict the permissions the app is granted, encrypt sensitive data, or change other configurations on the mobile device.
In an appendix, the authors identify and define the types of vulnerabilities specific to applications running on devices using Android and iOS operating systems.
Additional recommendations include:
Comments on the draft of Technical Considerations for Vetting 3rd Party Mobile Applications should be sent to firstname.lastname@example.org by September 18, 2014. The draft and a template for submitting comments are available at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-163.
*J. Voas, S. Quirolgico, C. Michael and K. Scarfone. Technical Considerations for Vetting 3rd Party Mobile Applications (NIST Special Publication 800-163 Draft). August 2014. Available at: http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-163.