As more government workers use their personal phones, tablets, laptops and other devices at work, third-party mobile apps are increasingly a weak link in security. To address this growing security problem, the National Institute of Standards and Technology drafted guidelines for apps at work: Technical Considerations for Vetting 3rd Party Mobile Applications.
Currently in draft form, the document seeks to educate government agencies on how to assess the security, performance and reliability of third-party apps.
“Agencies need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” said Tony Karygiannis, a computer scientist in NIST’s Computer Security Division. “Many apps may access more data than expected, and mobile devices have many physical data sensors continuously gathering and sharing information.”
Applications are accessing personal information more than ever. Some people can be tracked unknowingly through calendar apps, social media apps, a Wi-Fi sensor and other services connected to the GPS systems in mobile devices, Karygiannis noted. “Apps with malware can even make a phone call recording and forward conversations without its owner knowing it,” he said.
NIST’s guidelines address the growing mobile application market, in which security controls may not be built into individual apps. Because developers are often eager to launch, they don’t always test their code extensively before releasing an app, according to NIST scientists. Some developers have little experience with building secure software.
The trend toward bring your own device (BYOD) at work is bringing “extremely unreliable business applications inside the walls of corporations,” said Sarah Isaacs, managing partner at Conventus. “There are a lot of software vulnerabilities. Every app that is free or 99 cents probably doesn’t have a great level of security. And people don’t install patches either.”
NIST urges agencies to adopt their own set of requirements for third-party applications and to develop a vetting system that specifies the tools and procedures needed to assess the security, privacy, reliability, functionality, accessibility and performance of an app.
NIST researchers also suggest agencies should take the following precautions when vetting apps:
- Understand the security and privacy risks mobile apps present and have a strategy for mitigating them
- Provide mobile app security and privacy training for employees
- Put all software updates through the vetting process, treating new versions of mobile apps simply as new mobile apps
- Establish a process for quickly vetting security-related application updates
- Make users and other stakeholders aware of what the mobile app vetting process does and does not provide in terms of an app’s secure behavior
- Review mobile app testing results in the context of their agencies’ mission objectives, security posture and risk tolerance as mobile apps are part of a larger system
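One concrete vetting check that follows from the points above (knowing what an app really does, and re-vetting every new version as if it were a new app) is to extract the permissions an Android app declares and compare them with the previously approved version. This is an added illustration, not code from NIST or from the draft guideline; the manifests and the mapping of permissions to the sensors and data stores mentioned in the article are constructed for this example, and an agency would substitute its own policy list.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that reach the sensors and data stores the article warns about.
# Grouping is an assumption for this example; a real vetting policy defines its own.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (network/Wi-Fi)",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi sensor",
    "android.permission.RECORD_AUDIO": "microphone / call recording",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.INTERNET": "network egress (can forward collected data)",
}

def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    # The android: prefix is a namespace, so the attribute key is {ns}name.
    return {el.attrib.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")}

def vet(manifest_xml: str, previous: set[str] | None = None) -> dict:
    """Flag sensitive permissions; if a prior version's set is given, report what changed."""
    perms = requested_permissions(manifest_xml)
    report = {"sensitive": {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE},
              "added": set(), "removed": set()}
    if previous is not None:           # a new version is vetted as a new app
        report["added"] = perms - previous
        report["removed"] = previous - perms
    return report

# Constructed sample manifests: version 2 quietly adds microphone and GPS access.
V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>"""
V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    report = vet(V2, requested_permissions(V1))
    for perm, why in report["sensitive"].items():
        print(f"{perm:50s} -> {why}")
    print("added since approved version:", sorted(report["added"]))
```

A permission diff is only a first gate: it shows what an app can ask for, not what it actually does, so dynamic analysis remains part of the vetting process the article describes.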