Because mobile "apps" on smart phones and tablets can be just as big a hazard to an organization's data security and information system integrity as untrusted or malicious desktop computer programs, corporations and government agencies develop lists of mobile apps that are approved for use on internal networks. But testing mobile apps is a complex task. An organization must use multiple software tools to test mobile apps for compatibility with its enterprise system because no tool can test for everything. App testing typically involves manually testing apps using multiple tools, a complex and time-consuming process, especially with a large number of tools. NIST's AppVet can help by managing the software assurance workflow process for you.
"AppVet aims to simplify the complexity of manually testing apps through multiple test tools," explains Steve Quirolgico, a computer scientist at NIST and a member of the team developing AppVet.
The application manages app vetting workflow that involves submitting apps to testing tools—for virus-detection and reliability, for example—receiving reports and risk assessments from tools, and combining risk assessments from these tools into a single risk assessment. Human analysts from the organization review the reports and risk assessments and decide whether to approve or reject the app according the organization's requirements.
AppVet does not do any testing itself, it manages third-party test programs. One advantage of AppVet is that it provides specifications, Applications Programming Interfaces, and requirements that facilitate easy integration with third-party test tools as well as clients, including app stores. For example, AppVet defines a simple API and requirements for submitting apps to, and receiving reports from, third-party test tools.
AppVet grew out of work NIST performed for the Defense Advanced Research Projects Agency (DARPA). That work used an early version of AppVet to vet apps before being deployed on mobile devices for military field use.
Although AppVet can be used by anyone for testing apps, it was designed to support organizations that test a large number of apps such as app stores. AppVet can support apps from different platforms, including Android, iOS and Windows, depending on tool availability for those platforms. NIST does not provide the testing tools, instead it provides an interface to manage the test results of multiple commercial and open source testing tools.
NIST is working with a number of government agencies, including the departments of Homeland Security and Justice, the Defense Information Systems Agency and others, to develop testing requirements and processes to help with mobile app software assurance needs.
AppVet can be downloaded at http://csrc.nist.gov/projects/appvet/.