Recognizing the increased use of mobile apps at businesses, the National Institute of Standards and Technology (NIST), a U.S. government agency, has come forward with recommendations on vetting the security of these applications, with steps ranging from risk management to testing.
In the January report, NIST notes how mobile apps can provide "unprecedented" connectivity between employees, customers, and vendors. The apps also offer unrestricted mobility, as well as improved functionality and real-time information sharing.
At the same time, NIST points out concerns. "Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security issues. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack," the report says. "Such vulnerabilities may be exploited by an attacker to gain unauthorized access to an organization's information technology resources or the user's personal data."
NIST advises developing security requirements that address issues such as the protection of data and acceptable levels of risk. Specific recommendations are offered for the planning, app testing, and app approval/rejection processes. For planning, key recommendations include:
- Performing a risk analysis to understand the potential security impact of mobile apps on computing, networking and data resources
- Documenting mobile device hardware and operating system security controls and identifying which security and privacy requirements can be addressed by the device itself
- Documenting mobile enterprise security technologies, such as mobile device management, and identifying security and privacy requirements that can be addressed by these technologies
- Reviewing the organization's mobile security architecture
- Developing application security requirements by noting general and context-sensitive requirements
- Procuring an adequate budget for vetting of applications
In the testing realm, NIST advises:
- Identifying general app security requirements
- Selecting testing tools and methodologies for determining whether general app security requirements are satisfied or violated
- Reviewing licensing agreements associated with analyzers and understanding security implications and licensing issues
- Ensuring that apps are transmitted over the network through an encrypted channel, that they are stored on a secure machine at the analyzer's location, and that only authorized users are given access to that machine
For app approval/rejection, recommendations include:
- Identifying criteria for vetting context-sensitive app security requirements
- Monitoring public databases, mailing lists, and other publicly available security vulnerability reporting repositories
- Training auditors on security requirements and interpretation of analyzer reports and risk assessments
The report also covers Android and iOS vulnerability types, as well as testing approaches and understanding the limitations of vetting. NIST touches on traditional vs. mobile security issues too. "Mobile devices provide access to potentially millions of apps for a user to choose from. This trend challenges the traditional mechanisms of enterprise IT security software where software exists within a tightly controlled environment and is uniform throughout the organization."