$8.6M Awarded For Government Mobile App Security Research

Contributor: Jason Koestenblatt
Posted: 09/07/2017

It’s no secret the public sector is often targeted by hackers for various reasons – data collection, ransoms, or even just to get a glimpse at confidential intelligence being protected from other countries.

The Department of Homeland Security is looking to change that and enhance its mobile application security, announcing the award of $8.6 million in contracts to five different solution providers in a wide-ranging research and development project to bolster cybersecurity.

DHS launched the Mobile Application Security (MAS) project to focus on continuous validation and threat protection for mobile apps and integrating security throughout the mobile app lifecycle. According to DHS, it’s also developing a security framework and integrated models that will enable the development of secure mobile apps for mission use by the DHS components, other government agencies and enterprise organizations.

“Adversaries can use a compromised or vulnerable mobile app as an avenue to target and gain a foothold on a user’s device,” said Acting Under Secretary for Science and Technology William N. Bryan in a statement. “The Mobile Application Security project will deliver innovative security solutions that will ensure apps used by government personnel and the public are secure.”

The awards, companies, and project scope according to the Department of Homeland Security include:

· Qualcomm Technologies, Inc. of San Diego, California, was awarded $1,842,739 to utilize and integrate its commercial technology to demonstrate a platform on which mobile application security can be anchored in the hardware of a device. The effort will include the demonstration of a Mission-Critical-Grade Security Layer (MCGSL). The MCGSL will extend continuous observations from the mobile device through Application Programming Interfaces to third-party applications and services across the commercial mobile ecosystem. The MCGSL framework will be engineered to continuously validate and secure third-party apps and services, helping to protect their integrity on the mobile device. This approach is designed to offer broad coverage against a wide range of threats by drawing on device utilization context and on application and user behavioral profile information, which can be used to reduce false-positive identification of security incidents and to uncover previously unseen advanced persistent threats. The project is intended to demonstrate the potential for broad use across devices with Qualcomm® Snapdragon™ platforms.

· Lookout, based in San Francisco, California, was awarded $1,800,000 to add new app-threat, -risk and -vulnerability detection and protection capabilities and enhance existing capabilities in its cloud-based Mobile Endpoint Security platform. These enhancements will strengthen the government’s ability to securely enable the use of mobile technologies for mission-critical activities. The work will enhance visibility into risky applications; detection of side-loaded applications and advanced network-based threats such as man-in-the-middle attacks; mobile device and application vulnerability detection and management; and its platform’s Certificate Authority reputation system. The enhanced platform will be applicable to iOS and Android operating systems.

· United Technologies Research Center (UTRC), located in East Hartford, Connecticut, was awarded $1,453,655 to develop and implement a mobile app security system that will run on a hybrid mobile-device-cloud environment called COMBAT (COntinuous Monitoring of Behavior to protect devices from evolving mobile Application Threats). COMBAT will process diverse sources of information along with artificial intelligence to accurately and efficiently detect malicious and vulnerable apps of varying risk severity levels. COMBAT also will evaluate the risk of an app for a given operational environment and produce a detailed risk-assessment report that includes an explanation of why an app is considered malicious. UTRC will build an in-device behavior monitoring service to dynamically track the behavior of vetted apps in real time and enforce desired policies (e.g., provide protection from app masquerading and other obfuscation attacks). COMBAT will be demonstrated on Android devices.

· Apcerto, Inc. of Ashburn, Virginia, was awarded $1,643,419 to research and develop solutions for normalizing and rating mobile apps based on predefined standards, as well as a framework for orchestrating the entire mobile app security process. The first solution will provide a testbed for mobile app security orchestration and the normalization of results to standards, including the National Information Assurance Partnership, Open Web Application Security Project, Health Insurance Portability and Accountability Act, and Sarbanes-Oxley Act. Apcerto’s platform will integrate with security tool vendors and translate their respective outputs into a scoring system. The platform will provide a sustainable model of “security analysis as a service” that enables the public and private sectors to vet mobile apps and create secure mobile solutions.

· Red Hat, Inc. of Raleigh, North Carolina, and Kryptowire, LLC of Fairfax, Virginia, were jointly awarded $1,902,750 to integrate security throughout the entire mobile app development lifecycle. They will develop an extension of the Red Hat Mobile Application Platform (RHMAP) that will enable security templates for developers and integrate automated mobile app security testing. This effort will adhere to appropriate U.S. government mobile security standards (e.g., the National Information Assurance Partnership Software Protection Profile). The goal is to automatically enforce checks ensuring that developed app code and third-party libraries comply with security standards throughout the mobile app development lifecycle. The mobile security technology will be optimized for iOS and Android apps.

As previously reported by Enterprise Mobility Exchange, security-focused companies are jumping into the GovTech fray with new solutions for the public sector. One example is a collaboration between Cog Systems and Silent Circle, which combines their encryption technologies on the D4 Security architecture for mobile to protect voice and video call data on cellular and Wi-Fi networks from interception and eavesdropping.

Cybersecurity has become a sticking point for the current White House administration. In June, President Trump held the first-ever American Technology Council, featuring top executives from Amazon, Microsoft, Apple, and Google.

“Our goal is to lead sweeping transformation of the federal government’s technology that will deliver dramatically better services for citizens, stronger protection from cyber attacks,” Trump said at the time.

“Each group has proposed and will develop innovative secure solutions that will greatly improve the enterprise security of mobile devices and apps connected to backend systems,” said Mobile Security Program Manager Vincent Sritapan regarding the research and development projects. “Through these and future projects, the Mobile Application Security R&D project will ensure mobile apps are secure no matter whether they are developed by the enterprise or acquired from third-party app markets.”
