The National Institute of Standards and Technology (NIST) is requesting public comments on a guide designed to help organizations determine potential security and privacy risks posed by third-party mobile applications before putting them to use.
Third-party mobile apps are often leveraged to increase productivity, but before using such programs, organizations should ensure that they don’t expose sensitive information.
According to NIST, the publication in development is not a step-by-step guide. Instead, it describes tests that allow software security analysts to discover and understand vulnerabilities and behaviors in mobile applications before they’re approved for use.
“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” explained NIST computer scientist Tom Karygiannis.
Some harmless-looking applications might access address books that could contain sensitive information. Others could track the user’s location through Wi-Fi, social media apps or pieces of software that have access to GPS, NIST warned.
“Apps with malware can even make a phone call recording and forward conversations without its owner knowing it,” Karygiannis explained.
In addition to security risks, organizations might also want to be aware if certain apps drain the battery too quickly, especially if they’re utilized by employees working in the field who don’t have access to a power source.
The NIST guide provides useful information on common evaluation requirements (e.g. security, performance, functionality and reliability), and mobile app vetting tools and techniques. Additionally, it contains an overview of software assurance issues, and describes the most common types of vulnerabilities plaguing iOS and Android applications. It also provides advice for app power consumption testing.
The authors of the guide point out that each organization must take into account several factors, including the environment in which the application is used, security requirements, the context in which they’re utilized, and the underlying security systems that support their use.
Comments on “Technical Considerations for Vetting 3rd Party Mobile Applications” can be sent to nist800-163@nist.gov by September 18, 2014.
Earlier in this month, NIST also announced that it was seeking information to build a reconfigurable cybersecurity testbed for industrial control systems in an effort to provide guidance on how to efficiently implement security strategies, and measure the performance of industrial systems during a cyberattack.