NIST Planning Update To Mobile App Testing And Vetting Guidelines

How Organizations Can Ensure The Security Of Mobile Applications

Esther Shein

With a changing mobile landscape, it's never a bad idea to periodically review and update policies around mobile security. Such a review is usually an internal exercise for a business or public agency, but the federal government has weighed in as well. In July 2018, the National Institute of Standards and Technology (NIST) announced it is updating its recommendations for how organizations can assess the security of mobile applications, make a reasonable effort to guard against vulnerabilities, and confirm that an app conforms to the organization's own security requirements.

NIST has released a 50-page draft revision of its 2015 document Vetting the Security of Mobile Applications, Special Publication 800-163 (the draft is Revision 1), with particular attention to reducing the risk posed by the ever-growing number of mobile apps. The agency is accepting comments on the draft through Sept. 6, 2018.

"Mobile technology changes quickly, and our publication needs to move fast to keep up," computer scientist Michael Ogata, one of the draft's co-authors, wrote in a statement. "Security specialists in both the private sector and government have been working to improve app vetting, and this update reflects their efforts."

Vetting For Malicious Apps

The document walks through the basic steps an enterprise needs to create and run an in-house app vetting process: developing security requirements for the mobile apps an organization plans to deploy to staff, identifying the right tools for testing apps, and deciding whether an app is acceptable and should be deployed. The requirements in the publication were contributed by cybersecurity experts and draw on several sources, including the National Information Assurance Partnership (NIAP), OWASP, MITRE Corp. and earlier NIST publications.

The agency also covers best practices, such as checking whether an app has any flaws already reported to the U.S. National Vulnerability Database (NVD) and, if so, halting procurement of that app. The guidance includes how to set up a proper app vetting process, along with simple instructions that any enterprise can follow.
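The NVD check described above, as an added example that is not code from the NIST draft or from this article. It builds the query an analyst would send to the NVD CVE API 2.0 for an app's CPE name, then applies the "stop procurement on any reported flaw" rule to a response. The response below is a constructed sample in the NVD 2.0 shape with placeholder CVE identifiers, so the example runs offline; the optional score threshold is an assumed extension for organizations that have documented a risk tolerance, not something the draft prescribes.

```python
"""Vet a mobile app against flaws recorded in the NVD (added example).

Uses the NVD CVE API 2.0 response layout. The sample response is
constructed with placeholder CVE ids so the code runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlencode

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def nvd_query_url(cpe_name: str) -> str:
    """Build the NVD CVE API 2.0 URL listing CVEs that affect one CPE name."""
    return f"{NVD_CVE_API}?{urlencode({'cpeName': cpe_name})}"


@dataclass(frozen=True)
class Finding:
    cve_id: str
    score: float        # highest CVSS base score found for the CVE
    severity: str       # CVSS base severity, or UNKNOWN if none published
    published: str


def extract_findings(nvd_response: dict) -> list[Finding]:
    """Reduce each CVE in an NVD 2.0 response to its worst CVSS score."""
    findings: list[Finding] = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        best: Finding | None = None
        # NVD may publish v3.1, v3.0 or v2 metrics; take the newest one present.
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            for metric in metrics.get(key, []):
                data = metric["cvssData"]
                score = float(data["baseScore"])
                # v3 keeps baseSeverity inside cvssData, v2 beside it.
                severity = data.get("baseSeverity") or metric.get("baseSeverity") or "UNKNOWN"
                if best is None or score > best.score:
                    best = Finding(cve["id"], score, severity, cve.get("published", ""))
            if best is not None:
                break
        if best is None:  # CVE listed but not yet scored: still a reported flaw
            best = Finding(cve["id"], 0.0, "UNKNOWN", cve.get("published", ""))
        findings.append(best)
    return findings


def vet_app(nvd_response: dict, max_tolerated_score: float = 0.0) -> tuple[str, list[Finding]]:
    """Return (decision, findings) where decision is REJECT, REVIEW or ACCEPT.

    The default threshold 0.0 is the rule in the text: any reported flaw
    halts procurement. A higher threshold (assumed extension) sends
    findings at or below it to manual review instead of rejecting.
    Unscored findings always reject because their impact cannot be judged.
    """
    findings = extract_findings(nvd_response)
    if not findings:
        return "ACCEPT", findings
    if any(f.score > max_tolerated_score or f.severity == "UNKNOWN" for f in findings):
        return "REJECT", findings
    return "REVIEW", findings


# Constructed sample in NVD CVE API 2.0 shape; CVE-0000-* are placeholders, not real CVEs.
SAMPLE_NVD_RESPONSE = {
    "resultsPerPage": 2, "startIndex": 0, "totalResults": 2,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001", "published": "2017-01-01T00:00:00.000",
                 "metrics": {"cvssMetricV31": [
                     {"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-0000-0002", "published": "2016-01-01T00:00:00.000",
                 "metrics": {"cvssMetricV2": [
                     {"cvssData": {"baseScore": 2.1}, "baseSeverity": "LOW"}]}}},
    ],
}
EMPTY_NVD_RESPONSE = {"resultsPerPage": 0, "startIndex": 0, "totalResults": 0, "vulnerabilities": []}

if __name__ == "__main__":
    cpe = "cpe:2.3:a:example:app:1.0:*:*:*:*:android:*:*"  # assumed CPE name
    print("query:", nvd_query_url(cpe))
    decision, found = vet_app(SAMPLE_NVD_RESPONSE)
    print("decision:", decision)
    for f in found:
        print(f"  {f.cve_id} {f.severity} {f.score} (published {f.published})")
```

One caveat a practitioner should keep in mind: many mobile apps have no CPE dictionary entry at all, so an empty NVD result means "nothing recorded under that name", not "no known flaws"; the ACCEPT branch above should be read as "no NVD objection", and the organization's own testing tools still apply.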

“Although app vetting processes may vary among organizations, each instance of the process should be repeatable, efficient and consistent. The process should also limit errors to the extent possible (e.g., false-positive results),” NIST said.

There is no doubt that app security is needed. Hundreds of apps in the Google Play Store, and to a lesser extent in the Apple App Store, have been found to be malicious.

The NIST document does not provide guidance on operating Enterprise Mobility Management (EMM), mobile app management or mobile threat defense systems, but it does briefly look at how app vetting integrates with them.

Crafting Unique Control Overlays

The document also defines a process for selecting controls to defend IT systems, individuals and other organizational assets from a variety of threats, such as hostile cyber-attacks, natural disasters, structural failures and human error. The controls can be tailored to an organization's own process for managing information security and privacy risk, and they can support a diverse set of security and privacy requirements arising from an organization's policies, standards and business needs.

Going further, the publication describes how to develop specialized sets of controls, known as control overlays, tailored to specific missions, business functions or technologies.

One section organizations may want to home in on covers the organization-specific requirements that protect a company's security posture. Examples include barring social media apps from the organization's mobile devices, and prohibiting apps developed by particular vendors from being installed on those devices.

“To help develop organization-specific security requirements, it is helpful to identify non-vulnerability-related factors that can impact the security posture of mobile apps,” NIST notes. Although app documentation can provide guidance on this — if it exists — “it might lack technical clarity and/or use jargon specific to the circle of users who would normally purchase the app.”

Assessing Risk Tolerance

Because the documentation for different apps is structured in different ways, NIST notes, it may also be time-consuming to locate this information for evaluation.

“Therefore, a standardized questionnaire might be appropriate for determining the software’s purpose and assessing an app developer’s efforts to address security weaknesses. Such questionnaires aim to identify software quality issues and security weaknesses by helping developers address questions from end-users/adopters about their software development processes,” NIST notes.

Where an organization has defined no organization-specific requirements, analysts evaluate the app's security posture solely on the reports and risk assessments produced by the test tools, NIST said.

When it comes to assessing a company’s risk tolerance, the agency advises taking into account:

• Compliance with security regulations, recommendations and best practices

• Privacy risks

• Security threats

• Data and asset value

• Industry and competitive pressure

• Management preferences