Government // Mobile & Wireless
News
8/28/2014
03:30 PM
Connect Directly
RSS
E-Mail
100%
0%

NIST Drafts Mobile App Security Guidelines

National Institute for Standards and Technology issues first draft of guidelines intended to help federal agencies balance benefits and risks of third-party mobile apps.

 Government Data + Maps: 10 Great Examples
Government Data + Maps: 10 Great Examples
(Click image for larger view and slideshow.)

While a mobile workforce may help make government more agile, efficient, and productive, the mobile devices federal employees carry represent another headache for agency security managers. Mobile applications, to cite one major area of concern, can introduce vulnerabilities that can put sensitive data and network resources at risk. For example, when an employee shares a photograph via a mobile application, the app may be granted access to the employee's contact list -- which could hold personally identifiable information that should remain private and secure.

To tackle this problem, computer security specialists at the National Institute for Standards and Technology have drafted guidelines for vetting third-party mobile applications. The document, "Technical Considerations for Vetting 3rd Party Mobile Applications," contains recommendations intended to help agencies leverage the benefits of mobile apps while managing their risks, NIST officials said. NIST is accepting comments on the 43-page document through September 18.

The draft publication describes tests that let software security analysts detect and understand vulnerabilities before the application is approved for use.

[Lack of a comprehensive mobile strategy is holding back device adoption by government workers. Read Why Federal Agencies Lag Behind On Mobile Tech.]

"Agencies need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks," said Tony Karygiannis, a computer scientist in NIST's Computer Security Division. "Many apps may access more data than expected and mobile devices have many physical data sensors continuous gathering and sharing information."

Karygiannis suggested that individuals could be tracked without their knowledge via a calendar app, social media app, a Wi-Fi sensor, or other utilities connected to a global positioning system. "Apps with malware can even make a phone call recording and forward conversations without its owner knowing it," he said.

Not all mobile applications issues are related to security and privacy, NIST researchers said. For instance, poorly designed apps that quickly drain battery life may not meet the requirements of employees working in the field with access to a source of power.

NIST's guidelines are a response to the rapidly evolving mobile application marketplace and economic model, which presents a challenge to traditional software-assurance techniques in mobile computing, according to NIST scientists. Developers, eager to quickly reach a huge market, don't always conduct extensive testing on their code before making an app available to the public. In addition, they often have little experience in building quality software that is reliable and secure.

As more government enterprises take advantage of inexpensive third-party mobile applications to improve productivity, they are also finding that more government business is being conducted on mobile devices. This trend reflects a departure from the traditional information infrastructure, where enterprises support approved desktop applications and the average employee uses only a handful of apps to do most of their work, according to NIST.

As a result, NIST researchers are urging agencies to adopt requirements for applications they use on their mobile platforms and develop an app vetting system comprising tools and methodologies that identify security, privacy, reliability, functionality, accessibility, and performance issues.

Among other key recommendations, researchers say security administrators and software analysts should take the following precautions:

  • Understand the security and privacy risks mobile apps present and have a strategy for mitigating them.
  • Provide mobile app security and privacy training for employees.
  • Put all software updates through the vetting process, treating new versions of mobile apps simply as new mobile apps.
  • Establish a process for quickly vetting security-related application updates.
  • Make users and other stakeholders aware of the mobile app vetting process does and does not provide in terms of secure behavior of app.
  • Review mobile app testing results in the context of their agencies' mission objectives, security posture and risk tolerance as mobile apps are part of a larger system.

If the world wasn't changing, we might continue to view IT purely as a service organization, and ITSM might be the most important focus for IT leaders. But it's not, it isn't and it won't be -- at least not in its present form. Get the Research: Beyond IT Service Management report today. (Free registration required.)

Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 15 years. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
8/30/2014 | 6:22:43 PM
Why no Guidelines for Windows or Blackberry Apps?
I was very surprised that NIST did'nt take the time and effort to also come up with Effective Guidelines List for Windows and RIM.

Sure,I am not disputing that Android and iOS are easily the dominant Mobile OSes(who control more than 70% of the smartphone market between themselves currently) but the other Two OSes are not something which can and should be neglected going ahead.

Windows in particular is finally gaining traction(especially at the Low-End) and I won't be surprised if they do go head to head with Android in the next 2 years or so.

The Lumia range is definitely turning heads currently and the HTC One Windows Phone is very catchy too.

What happens then?

Why not more coverage?

Lets also not forget the massive weakness in Smartphone Memory which was recently exploited at Defcon to show easy it is to break into Gmail App and many other such similar apps.

The Other apps hacked included H&R Block, Newegg, WebMD, Chase Bank, Hotels.com and Amazon.

I am hoping NIST does'nt take this issue lightly.

After all,the pace at which Android Malware is exploding(almost in tandem with increased Android Adoption) knows no bounds currently.

Alternative Mobile OSes need to see much coverage primarily because Privacy Conscious Consumers will look for them.

Even Samsung recently decided to push TIZEN in tandem with Intel .

We definitely do need more App Stores and OSes covered than just the Big Two.

Regards

Ashish.
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
8/30/2014 | 6:01:40 PM
Re: Mobile app security can't just be a government problem
David,

I have a strong feeling that you are quite right and accurate here.

Most Organizations don't have the time and inclination to go through all the Apps Permissions Jargon and what not for most Employees.

They would rather just hand them the Phones and ask them to get on with the Job.

The end result can end up being very scary and disastrous for all concerned.

Sad but true.

Regards

Ashish.
Ashu001
50%
50%
Ashu001,
User Rank: Ninja
8/30/2014 | 5:32:11 PM
Re: NIST Guidelines Not Very Realistic
Asksqn,

Actually if One looks at these Guidelines(Given that they are almost exclusively aimed at Public Sector Enterprises),its a good list.

It forces not just in-house App Developers (at Public Sector Companies)but also anyone targetting Public Sector Companies to develop less Privacy Intrusive Apps if they want to gain such traction there.

I think its a really-really great list and should be enforced strongly by Individual IT Departments.

Regards

Ashish.
asksqn
50%
50%
asksqn,
User Rank: Ninja
8/28/2014 | 5:01:16 PM
NIST Guidelines Not Very Realistic
The problem with the NIST guidelines is that every single app demands access to contacts, among other intrusive rights demanded.  Of course, the user has the option of not granting that particular privilege, in which case, the app just won't install/work correctly.  
David F. Carr
100%
0%
David F. Carr,
User Rank: Author
8/28/2014 | 4:32:37 PM
Mobile app security can't just be a government problem
I suspect to a large extent enterprises outside of the public sector are in no better shape for assessing the security of mobile apps.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.