While a mobile workforce may help make government more agile, efficient, and productive, the mobile devices federal employees carry represent another headache for agency security managers. Mobile applications, to cite one major area of concern, can introduce vulnerabilities that can put sensitive data and network resources at risk. For example, when an employee shares a photograph via a mobile application, the app may be granted access to the employee's contact list -- which could hold personally identifiable information that should remain private and secure.
To tackle this problem, computer security specialists at the National Institute for Standards and Technology have drafted guidelines for vetting third-party mobile applications. The document, "Technical Considerations for Vetting 3rd Party Mobile Applications," contains recommendations intended to help agencies leverage the benefits of mobile apps while managing their risks, NIST officials said. NIST is accepting comments on the 43-page document through September 18.
The draft publication describes tests that let software security analysts detect and understand vulnerabilities before the application is approved for use.
[Lack of a comprehensive mobile strategy is holding back device adoption by government workers. Read Why Federal Agencies Lag Behind On Mobile Tech.]
"Agencies need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks," said Tony Karygiannis, a computer scientist in NIST's Computer Security Division. "Many apps may access more data than expected and mobile devices have many physical data sensors continuous gathering and sharing information."
Karygiannis suggested that individuals could be tracked without their knowledge via a calendar app, social media app, a Wi-Fi sensor, or other utilities connected to a global positioning system. "Apps with malware can even make a phone call recording and forward conversations without its owner knowing it," he said.
Not all mobile applications issues are related to security and privacy, NIST researchers said. For instance, poorly designed apps that quickly drain battery life may not meet the requirements of employees working in the field with access to a source of power.
NIST's guidelines are a response to the rapidly evolving mobile application marketplace and economic model, which presents a challenge to traditional software-assurance techniques in mobile computing, according to NIST scientists. Developers, eager to quickly reach a huge market, don't always conduct extensive testing on their code before making an app available to the public. In addition, they often have little experience in building quality software that is reliable and secure.
As more government enterprises take advantage of inexpensive third-party mobile applications to improve productivity, they are also finding that more government business is being conducted on mobile devices. This trend reflects a departure from the traditional information infrastructure, where enterprises support approved desktop applications and the average employee uses only a handful of apps to do most of their work, according to NIST.
As a result, NIST researchers are urging agencies to adopt requirements for applications they use on their mobile platforms and develop an app vetting system comprising tools and methodologies that identify security, privacy, reliability, functionality, accessibility, and performance issues.
Among other key recommendations, researchers say security administrators and software analysts should take the following precautions:
- Understand the security and privacy risks mobile apps present and have a strategy for mitigating them.
- Provide mobile app security and privacy training for employees.
- Put all software updates through the vetting process, treating new versions of mobile apps simply as new mobile apps.
- Establish a process for quickly vetting security-related application updates.
- Make users and other stakeholders aware of the mobile app vetting process does and does not provide in terms of secure behavior of app.
- Review mobile app testing results in the context of their agencies' mission objectives, security posture and risk tolerance as mobile apps are part of a larger system.
If the world wasn't changing, we might continue to view IT purely as a service organization, and ITSM might be the most important focus for IT leaders. But it's not, it isn't and it won't be -- at least not in its present form. Get the Research: Beyond IT Service Management report today. (Free registration required.)