NIST taking input for mobile security guidelines
The U.S. National Institute of Standards and Technology (NIST) is developing a guide for testing third-party apps to ensure that they are secure and don’t introduce any vulnerabilities.
The government agency has prepared a draft of its recommendations, “Technical Considerations for Vetting 3rd Party Mobile Applications,” and is seeking industry feedback by Sept. 18. The aim is to help enterprises make full use of commercial mobile programs.
“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” said NIST computer scientist Tom Karygiannis in a statement announcing the release of the draft.
The draft publication “describes tests that allow software security analysts to discover and understand vulnerabilities and behaviors before the app is approved for use,” Karygiannis said.
The document, once finished, will give organizations a guide for testing third-party apps that they may want to use for official business. It will also detail the different types of vulnerabilities commonly found on Android and Apple iOS devices.
Many of today’s mobile apps, such as calendars, require access rights to various parts of the device’s OS. Granting permissions to these apps, however, can introduce security vulnerabilities to a secured system. For instance, giving a collaboration app access to a contact list could inadvertently reveal names on the list that should remain private.
Mobile devices can also gather a lot of data unbeknownst to the owner of the device. Malware, for instance, could be surreptitiously installed to record phone conversations, or users could be secretly tracked through the phone’s GPS functionality.
In addition to offering techniques for testing and vetting apps, the publication will also provide descriptions of undesirable behavior, how to manage an app through its entire life cycle, and examples of how vulnerabilities could lead to system compromises.
Beyond security, the publication will also detail how to manage the power that apps can consume on a device.
An agency within the U.S. Department of Commerce, NIST works with industry to develop standards and technologies to encourage innovation, advance U.S. economic competitiveness and improve the quality of life.