NIST's AppVet makes sure apps are ready for government work
- By Stephanie Kanowitz
- Apr 21, 2014
The proliferation of mobile apps knows no bounds, but there are restrictions on which are safe or secure for workers to access while using government networks. To help agencies test the options, the National Institute of Standards and Technology created AppVet, a free, open-source tool that IT administrators can use to test mobile apps.
“AppVet improves the app-vetting process by providing a framework for managing the app-vetting workflow, which involves uploading apps, forwarding apps to tools, receiving reports and risk assessments from tools and generating an overall risk assessment,” said Steve Quirolgico, computer scientist at NIST.
“AppVet also defines APIs, specifications and other requirements that facilitate the integration of tools with AppVet. AppVet, however, does not come with any integrated tools,” he added.
AppVet works with third-party tools supplied by vendors, developers or users. They include static and dynamic analyzers, anti-virus scanners and vulnerability repositories, integrated through simple APIs and requirements. Tools must also be made available as online services, which involves setting up a representational state transfer (REST) API for submitting apps to the service and getting reports back.
AppVet integrates with app stores and continuous integration environments. It also supports apps from different development platforms as long as there are tools to analyze them, according to “AppVet 1.0,” a report released this month that outlines the tool, how to use it and technical requirements for it.
The vetting process starts when a client submits an app to an AppVet system, which comprises an AppVet web app and related tools. AppVet registers the app and pre-processes it, extracting metadata and ensuring that it conforms to the requesting agency’s requirements. Next, AppVet sends the app to one or more tools, which handle testing and evaluation.
Assessments are typically tagged as pass, warning and fail for low, moderate and high risk, respectively.
“AppVet facilitates the speed of approving or rejecting by providing decision makers with reports and risk analyses from tools as well as automatically generating an overall risk assessment,” Quirolgico said.
“Note that AppVet does not automatically approve or reject an app, but only provides information to the decision maker. Often, the approval or rejection of an app will be based on the organization's policies and security requirements,” he explained.
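To make the workflow concrete, here is a small Python model of the three steps just described (pre-processing against agency requirements, validating each tool's report, and generating the overall risk assessment). This is an added illustration, not AppVet's own code: the names (`AppSubmission`, `preprocess`, `validate_report`, `overall_assessment`), the report shape, the sample agency requirements and the worst-of aggregation rule are all assumptions; the AppVet 1.0 report defines the real ones.

```python
from dataclasses import dataclass, field

# The page: tools tag assessments pass / warning / fail for low / moderate / high risk.
STATUS_TO_RISK = {"pass": "low", "warning": "moderate", "fail": "high"}
RISK_ORDER = {"low": 0, "moderate": 1, "high": 2}

class VettingError(ValueError):
    """Raised when a submission or a tool report violates the workflow's rules."""

@dataclass
class AppSubmission:
    app_id: str
    platform: str      # constructed: "android" / "ios"
    metadata: dict     # what pre-processing extracted from the app
    reports: list = field(default_factory=list)   # one dict per tool: {"tool": ..., "status": ...}

def preprocess(app, required_fields, supported_platforms):
    """Pre-processing step: check the submission against the requesting agency's
    requirements (constructed here as mandatory metadata fields + supported platforms)."""
    missing = [f for f in required_fields if f not in app.metadata]
    if missing:
        raise VettingError(f"{app.app_id}: missing metadata {missing}")
    if app.platform not in supported_platforms:
        raise VettingError(f"{app.app_id}: no analysis tool for platform {app.platform!r}")
    return True

def validate_report(report):
    """Map one tool report to a risk level; reject statuses outside pass/warning/fail."""
    status = report.get("status")
    if status not in STATUS_TO_RISK:
        raise VettingError(f"tool {report.get('tool')!r} returned unknown status {status!r}")
    return STATUS_TO_RISK[status]

def overall_assessment(app):
    """Overall risk for the decision maker. Assumed rule: the highest risk any tool
    reported. Like AppVet, this only informs; it never approves or rejects."""
    risks = {r["tool"]: validate_report(r) for r in app.reports}
    if not risks:
        raise VettingError(f"{app.app_id}: no tool reports received")
    worst = max(risks.values(), key=RISK_ORDER.__getitem__)
    return {"app_id": app.app_id, "tool_risks": risks, "overall_risk": worst}

# Constructed sample: a static analyzer warns, an antivirus scanner passes.
SAMPLE = AppSubmission("demo-001", "android", {"package": "example.demo", "version": "1.2"},
                       [{"tool": "static-analyzer", "status": "warning"},
                        {"tool": "av-scanner", "status": "pass"}])

if __name__ == "__main__":
    preprocess(SAMPLE, ["package", "version"], {"android"})
    print(overall_assessment(SAMPLE))   # overall_risk: "moderate"
```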
Users access AppVet through its app management interface in a Web browser. System requirements include a 32- or 64-bit Microsoft Windows or Linux operating system, 512 megabytes of RAM, 1 gigabyte of free hard disk space and network access with a static IP address. Hosts, or the agencies requesting the assessment, must have Java JDK 7 for AppVet to run and Android APKTool 2.0 for Android app analysis.
When IT managers log in to AppVet, they see two panels. The first is an apps list, which shows what’s been uploaded and its status in the review process. The other panel shows details about the selected app.
App management wasn’t always this complex, but the opening of the Apple app store in July 2008 and the growth in smartphone usage have changed the game. That’s reflected in the government’s bring-your-own-device policies and the General Services Administration’s Managed Mobility Program, both launched in 2012. The latter provides a set of mobile device and application management requirements and potential solutions that can be procured through existing governmentwide contracts.
But policies on how to actually vet apps are scarce, Quirolgico said.
“It is my understanding that most government agencies do not have a framework or set of requirements for vetting apps, and that app vetting is done in an ad hoc fashion,” he said. “The only other vetting system that I am aware of is the ‘car wash,’ used by the Department of Homeland Security.”
Car wash is platform-agnostic analysis and vetting software hosted in DHS’s public cloud that automates the testing of mobile apps against security guidelines, according to a February article in Signal magazine. It also looks for accessibility flaws and app updates.
AppVet gives agencies little to lose. The only cost risk lies in the tools’ price tags. “Here, the [return on investment] depends on the ability of the tools to perform as required by the organization,” Quirolgico added.
The AppVet source code distribution can be downloaded from GitHub.