The National Institute of Standards and Technology (NIST) has issued a revised draft and a call for public comment for Special Publication 800-163 Vetting the Security of Mobile Applications that is designed to give organizations basic guidance on app security.
The 50-page document covers the basics of how an enterprise can create and implement an in-house app vetting process, develop security requirements for the mobile apps it plans to roll out to staff, identify suitable tools for testing those apps, and decide whether an app is acceptable and should be deployed. The requirements in the publication were drawn from cybersecurity experts and from existing standards, including those from NIAP, OWASP, MITRE and earlier NIST publications.
“Mobile technology changes quickly, and our publication needs to move fast to keep up,” said computer scientist Michael Ogata, one of the draft's coauthors. “Security specialists in both the private sector and government have been working to improve app vetting, and this update reflects their efforts.”
The suggestions in the report start with basic steps, such as establishing the organization's risk tolerance by weighing factors like compliance with security regulations, recommendations and best practices; privacy risks; security threats; the value of the data and assets involved; industry and competitive pressure; and management preferences.
NIST then moves to more concrete steps, such as checking whether the app has flaws already reported to the U.S. National Vulnerability Database (NVD) and, if so, halting procurement of that app, before showing how to set up a proper app vetting process, with instructions simple enough for any enterprise to follow.
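The NVD check described above, written out as an added example (this code is not from the NIST publication or from this article): given a set of CVE records and the vendor, product and version of the app under review, it lists the CVEs whose CPE match criteria cover that version and recommends halting procurement when any apply. The record shape is modelled on the NVD JSON API 2.0 layout (vulnerabilities, cve, configurations, nodes, cpeMatch, with versionStart/versionEnd range keys); treat the field names as an assumption, and the vendor, product, CVE identifiers and scores in the embedded sample are constructed placeholders, not real NVD data.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample in a shape modelled on the NVD JSON API 2.0 response.
# Every vendor, product, CVE id and score here is a placeholder (assumption),
# chosen so that the three records exercise a version range, a pinned
# version and a non-matching product respectively.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-EXAMPLE-0001",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1}}]},
            "configurations": [{"nodes": [{"cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:android:*:*",
                "versionStartIncluding": "2.0.0",
                "versionEndExcluding": "2.4.0"}]}]}]}},
        {"cve": {
            "id": "CVE-EXAMPLE-0002",
            "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}}]},
            "configurations": [{"nodes": [{"cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.9.0:*:*:*:*:android:*:*"}]}]}]}},
        {"cve": {
            "id": "CVE-EXAMPLE-0003",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
            "configurations": [{"nodes": [{"cpeMatch": [{
                "vulnerable": True,
                "criteria": "cpe:2.3:a:examplevendor:otherapp:*:*:*:*:*:android:*:*"}]}]}]}},
    ]
})


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1, 0) so ranges compare numerically, not as strings.

    Padding to four components makes '2.3' and '2.3.0' equal, which is how
    app stores usually treat them.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0] * 4)[:4])


def cpe_matches(criteria: str, vendor: str, product: str) -> bool:
    """A CPE 2.3 string is cpe:2.3:part:vendor:product:version:update:...; check vendor and product."""
    fields = criteria.split(":")
    return len(fields) >= 6 and fields[3] == vendor and fields[4] == product


def version_affected(match: dict[str, Any], version: str) -> bool:
    """Apply the pinned CPE version and the optional NVD range keys to one version."""
    v = parse_version(version)
    pinned = match["criteria"].split(":")[5]
    if pinned != "*" and parse_version(pinned) != v:
        return False
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def base_score(cve: dict[str, Any]) -> float | None:
    """Prefer the newest CVSS metric present; older records only carry v2."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            return float(metrics[key][0]["cvssData"]["baseScore"])
    return None


def find_known_flaws(nvd_json: str, vendor: str, product: str, version: str) -> list[dict[str, Any]]:
    """Return the CVEs whose match criteria cover this vendor/product/version."""
    findings = []
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        hit = any(
            match.get("vulnerable", True)
            and cpe_matches(match["criteria"], vendor, product)
            and version_affected(match, version)
            for config in cve.get("configurations", [])
            for node in config.get("nodes", [])
            for match in node.get("cpeMatch", [])
        )
        if hit:
            findings.append({"id": cve["id"], "score": base_score(cve)})
    return findings


def vet_app(nvd_json: str, vendor: str, product: str, version: str) -> dict[str, Any]:
    """Procurement gate: any previously reported flaw in this exact version halts the process."""
    findings = find_known_flaws(nvd_json, vendor, product, version)
    return {"proceed": not findings, "findings": findings}


if __name__ == "__main__":
    for ver in ("2.3.1", "2.4.0", "1.9.0"):
        print(ver, vet_app(SAMPLE_NVD_RESPONSE, "examplevendor", "exampleapp", ver))
```

In production the JSON would come from NVD's API for the app's CPE name rather than from an embedded string, and the decision would be recorded with the query date so the check is repeatable, which is the property the publication asks of the whole vetting process.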
“Although app vetting processes may vary among organizations, each instance of the process should be repeatable, efficient and consistent. The process should also limit errors to the extent possible (e.g., false-positive results),” NIST said.
The need for app security is not in doubt. Hundreds of publicly available apps in the Google Play Store, and to a lesser extent in the Apple App Store, have been found to be malicious or insecure. Recent examples range from the Polar fitness app exposing user data in a way that endangered service members and government workers, to a bug in Samsung's messaging app that sent users' pictures to their contacts without their knowledge.
The public comment period for the NIST document runs from July 23 through September 6, 2018.