Apps not safe for work? NIST guide to vetting third-party apps

The National Institute of Standards and Technology is readying guidance to help agencies evaluate commercial mobile applications that agency workers might use on government-issued devices or personal apps that access government networks.

The guidelines, Technical Considerations for Vetting 3rd Party Mobile Applications, currently in draft form, aim to help agencies assess a mobile app’s security, behavior and reliability (including performance) so that they can determine if the app is acceptable for their environments.

The idea is that rather than being prescriptive, the guide is instructive, letting government officials choose what risks and tests apply to their agencies, said Tom Karygiannis, a NIST computer scientist. “There needs to be more awareness of what the apps actually do, what information they’re collecting and how you may put your network at risk,” Karygiannis said.

The guide is not a technical manifesto. “It’s more of an education for end users who’re not part of the IT department,” Karygiannis added. “They need to have an awareness of how their security and privacy might be compromised as they use these devices.”

And then for the IT technical staff, “there are new technologies in there so they need new tools and new security technologies to help secure both the device itself and the network it connects to.”

At a minimum, according to the draft, vetting requires access to the app's binary and to its most basic metadata, such as a primary point of contact who can answer questions about the app's intended use within the organization. Access to source code is better still.

To prepare for testing, agencies must also identify the developer and its reputation, the intended hardware platform and configuration, and any digital signatures that apply to the app.

Primary examples of things to test, according to the draft, include whether the app protects sensitive data and privacy, is reliable and available, and performs as promised.

In an appendix, the authors define the vulnerabilities specific to applications running on devices using Android and iOS operating systems.

The guidance isn’t intended to be universal. What’s a big deal at one agency might not be at another, Karygiannis said. For instance, a public relations officer at a law enforcement branch might want to access social media, while first responders collecting medical or other personal data have an obligation to avoid exposing private information.

What’s more, agencies have different levels of risk tolerance. “We just want to make them aware what the risks are, provide some guidance on what they could do about it, but ultimately they’re responsible for accepting the risks,” he said.

Preparing for new apps will have a financial impact, so it is up to agencies to budget for new app-vetting strategies and tools. For example, they will need in-house software assurance experts to make evaluations and work with vendors. Karygiannis said discussions among government officials are ongoing as to how to approach this economically.

App vetting is important because apps represent a new business model for government.

“On your desktop environment, maybe you were familiar with three or four major vendors,” Karygiannis said. “Now there’s hundreds of thousands out there that you’re not really sure how mature their software development process is or you’re not really sure what the apps do.”

A recent Campus Technology article cited a Gartner report that said through the end of 2015, more than three-quarters of mobile apps will fail basic security tests. Many app developers pay little heed to security, which compounds the problem and adds to the need for agencies to run their own tests.

NIST’s forthcoming document could help there as well: it will let vendors of software development tools and testing tools see which tests they need to support and which mistakes to avoid when building apps.

The app-vetting guidance draft should not be confused with AppVet, open source software that NIST developed as part of a program with DARPA that lets users submit an app for testing using commercially available tools.

About the Author

Stephanie Kanowitz is a freelance writer based in northern Virginia.

Reader Comments

Fri, Nov 14, 2014 mike moxcey Colorado

I can't see where the majority of civilian-oriented Agencies would have enough expertise to examine and test binary code fully. A much cheaper solution for BYOD today is to remove the need to connect to an Agency _network_ completely. You can have email and web pages that don't require a vpn connection. And you can monitor the emails and web connections for data leakage if needed. I think the idea of having your own Agency network was necessary in 1999 but now it is just an unnecessarily dangerous habit.
