Automating mobile app security certification
A partnership between federal agencies has devised a way to speed the expensive and time-consuming security compliance checks required for mobile apps developed or used by federal agencies.
Under a joint pilot program, the Department of Homeland Security’s Science and Technology Directorate and the National Information Assurance Partnership, which is managed by the National Security Agency, demonstrated that the app security certification process can be automated. This can give agencies a way to quickly, affordably and reliably determine if apps meet NIAP’s security standards, or protection profiles (PP), according to a June 29 DHS S&T report on automating NIAP requirements testing for mobile apps.
The pilot set out to determine whether an automated compliance tool could deliver results comparable with the rigorous NIAP-certified testing. Kryptowire LLC, a mobile app security provider, performed an automated analysis of Android and Apple iOS versions of the Intelligent Waves’ Hypori virtual smartphone technology. DHS S&T awarded Hypori a Small Business Innovation Research contract to build prototypes of its virtual mobile infrastructure for government customers evaluating using Hypori as a service.
The results were analyzed by Leidos’ Common Criteria Testing Laboratory to determine if Kryptowire’s results were consistent with results expected from a conventional, manual NIAP evaluation.
The pilot was successful, demonstrating that app evaluation time can be condensed from weeks to hours, and showing “that it is indeed possible to automate significant portions of the app software evaluation process, thereby increasing efficiencies, shortening approval times, and reducing costs,” the report said.
“The pilot’s success is significant in that automating these evaluations to deliver accurate and trustworthy results will lower the barrier to entry by reducing the burden needed for NIAP PP Mobile App Vetting certifications,” Mobile Security Program Manager Vincent Sritapan said in a DHS statement. “This increased testing will raise the security posture of the government’s mobile app ecosystem and at the same time raise confidence among app end-users, primarily the tax-paying public.”
Besides improving the NIAP certification process, the pilot demonstrated other potential benefits to automated app vetting:
- Automated vetting will allow for faster testing and fielding of app updates.
- Apps can be assessed for basic compliance before a formal NIAP evaluation, reducing risk for agencies, software vendors and end-users.
- Apps can be accurately vetted without access to source code.
- Apps can be vetted against updated requirements without undergoing a full recertification.
- Agencies will be able to reduce risks from commercial software by being able to identify NIAP compliant apps.
DHS S&T has been partnering with Kryptowire on automated app security for several years, earning a nomination for a GCN innovation award in 2016 for its work on a cloud-based research and development system for assessing risk, analyzing vulnerabilities and archiving mobile applications.
Connect with the GCN staff on Twitter @GCNtech.