NIST issues first draft of guidelines for third-party mobile app security
The National Institute for Standards and Technology (NIST) announced it has issued the first draft of guidelines designed to provide federal agencies with an unbiased overview of the pros and cons of using third-party mobile apps.
On one hand, a mobile workforce can boost the government’s efficiency and productivity; but on the other hand, federal employees’ use of mobile devices can lead to stressful situations for agency security managers, such as putting sensitive data and network resources at risk.
Computer security specialists at NIST are hoping to resolve these issues by drafting new guidelines for vetting third-party mobile applications.
Entitled “Technical Considerations for Vetting 3rd Party Mobile Applications”, the 43-page document offers recommendations on helping agencies optimize their mobile apps while managing their risks, NIST officials said, adding that it is now accepting comments on the document until September 18.
One particularly important part of the draft publication details the types of tests that allow software security analysts to identify and understand vulnerabilities before the application is green-lighted for employee use.
“Agencies need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” said Tony Karygiannis, a computer scientist in NIST’s computer security division. “Many apps may access more data than expected, and mobile devices have many physical data sensors continuously gathering and sharing information.”
One potential risk is that individuals could be unknowingly tracked via a calendar app, social media app, a Wi-Fi sensor, or other utilities connected to a GPS, said Karygiannis.
In addition to security and privacy risks, NIST researchers said that many poorly designed apps are likely to rapidly drain battery life and may not be ideal for those employees working in the field with limited access to a power source.
NIST’s guidelines are intended to maintain accountability among developers, who sometimes rush an app to market without thoroughly testing their code and ensuring the quality of the app.
The increasing use of inexpensive third-party mobile applications by agencies to boost their overall productivity has led to employees doing more government business on mobile devices.
On top of that, employees are typically only using a handful of apps to conduct the majority of their work, according to NIST.
As a result of this trend, NIST researchers are calling on agencies to adopt a range of requirements for applications they use on their mobile platforms. Agencies ought to develop an app vetting system that consists of various tools and methodologies that identify security, privacy, reliability, functionality, accessibility, and performance issues.
In addition to these recommendations, researchers suggest that security administrators and software analysts follow added precautions, including having a firm grasp of the security and privacy risks involving mobile apps, along with having a strategy in place for mitigating them; providing mobile app security and privacy training for employees; and putting all software updates through the vetting process.
Other precautions include establishing a process for rapidly vetting security-related application updates; informing users and other stakeholders of what the mobile app vetting process does and does not provide in terms of the app’s secure behavior; and reviewing mobile app testing results in the context of their agencies’ mission objectives, security posture and risk tolerance, since mobile apps are part of a larger system.