By Tom Karygiannis, Computer Security Researcher at the National Institute of Standards and Technology
Understanding what mobile apps do and how they have been implemented is the first step toward understanding their security and privacy impact on an agency’s data and IT infrastructure.
Just as consumers are enjoying productivity gains from the use of smart phones and the myriad of mobile apps available today, so are government employees enjoying the convenience of being able to use apps to check weather, increase office productivity, update social media and more while on the go and outside the confines of their office. These technologies introduce new capabilities and even new ways of conducting business, but they also may introduce new risks that must be carefully assessed by security and privacy professionals.
Today NIST published guidance to help government agencies perform security and privacy assessments on mobile apps. Special Publication 800-163 - Vetting the Security of Mobile Applications, while intended for a government audience, can also benefit private industry app developers and enterprise security professionals.
The document is designed to help organizations understand the process for vetting the security of mobile applications, plan for the implementation of an app vetting process, develop app security requirements, understand the types of app vulnerabilities and the testing methods used to detect them, and determine if an app is acceptable for deployment on the organization's mobile devices.
The guidelines describe vulnerabilities and poor programming practices for both Android and iOS devices. Many of these vulnerabilities can be addressed through other security technologies, but each agency may have a different risk tolerance level depending on its mission. Ultimately, each must establish its own mobile app security and privacy policies. The decision on whether an app is suitable for an organization’s employees begins by understanding the app—for example, what personal information it collects and with whom it is shared, or if the app can access the microphone, track the user’s location or access the user’s contact list. Once this is understood, security and privacy officers can take steps to mitigate these risks, educate their employees and make informed decisions.
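The "understand the app first" step described above can be started mechanically. The following Python script is an added example, not code from NIST or from SP 800-163: it reads an Android manifest, lists the permissions the app requests, flags the ones that reach the microphone, location or contacts, and notes two manifest settings that weaken the platform's protection of the app's own data. The manifest is a constructed sample for a fictional package, and the grouping of permissions into "sensitive resources" is this example's own choice; the permission names and the android XML namespace are real. It covers only what the manifest declares, which is the starting point for a vetting analyst, not a substitute for the static and dynamic testing the guidance goes on to describe.

```python
"""Manifest permission triage: an added example (not NIST's code) of the
first step in app vetting, i.e. learning what an app is able to reach."""
import xml.etree.ElementTree as ET

# Android namespace used for manifest attributes (real value).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the resource each unlocks.
# The grouping and the labels are this example's own choice.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location (precise)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (approximate)",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location (in background)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed sample manifest for a fictional app; not a real product.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="gov.example.fieldnotes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Summarise what the app can reach.

    Returns the package name, the sensitive resources requested (keyed by
    permission), whether network access is declared, and two application
    flags that weaken the platform's protection of the app's own data.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    app = root.find("application")

    def flag(name):
        return app is not None and app.get(ANDROID_NS + name) == "true"

    return {
        "package": root.get("package"),
        "sensitive": {p: SENSITIVE[p] for p in perms if p in SENSITIVE},
        "network": "android.permission.INTERNET" in perms,
        "debuggable": flag("debuggable"),
        "allow_backup": flag("allowBackup"),
    }


def report(manifest_xml):
    """Human-readable summary for the analyst's vetting notes."""
    t = triage(manifest_xml)
    lines = [f"package: {t['package']}"]
    for perm, what in t["sensitive"].items():
        lines.append(f"  can access {what} ({perm})")
    lines.append(f"  network access: {'yes' if t['network'] else 'no'}")
    if t["debuggable"]:
        lines.append("  NOTE: debuggable build; should not be deployed as-is")
    if t["allow_backup"]:
        lines.append("  NOTE: allowBackup=true; app data may leave the device via backups")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

A manifest that pairs a sensitive permission with INTERNET is the combination an analyst most wants to see in the output, since it means what the app collects can also leave the device; whether that is acceptable is exactly the risk-tolerance decision the article leaves to each agency.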
The guidance was developed with input from government agencies, software assurance tool vendors, original equipment manufacturers, telecommunication carriers, universities and security practitioners. Not every agency or organization may have the in-house expertise to evaluate the security of each mobile app, which is why collaboration is so important and why guidance such as this is valuable.
Having guidelines on how to test mobile apps helps software assurance analysts avoid ad hoc manual testing, helps industry respond to government requirements, and helps the people responsible for keeping data safe understand the risks of using mobile apps.
When users download apps to their personal devices, they are usually willing to accept some risk, rarely read the app privacy policies and certainly cannot be expected to be software assurance experts. But government employees who are trusted with sensitive data must make sure that the data they collect, share and store is protected against unauthorized disclosure. NIST SP 800-163 provides guidelines that can help an agency make informed decisions and strike a balance between potential productivity gains and any new privacy or security risks that may result from the installation and use of a mobile app.