Mobile app security grabs feds' attention

A report from NIST outlines key areas where businesses can reduce security risks in their use of mobile apps

Recognizing the increased use of mobile apps at businesses, the National Institute of Standards and Technology (NIST), a U.S. government agency, has come forward with recommendations on vetting security of these applications with steps ranging from risk management to testing.

In the January report, NIST notes how mobile apps can provide "unprecedented" connectivity between employees, customers, and vendors. The apps also offer unrestricted mobility, as well as improved functionality and real-time information sharing.

At the same time, NIST points out concerns. "Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security issues. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack," the report says. "Such vulnerabilities may be exploited by an attacker to gain unauthorized access to an organization's information technology resources or the user's personal data."

NIST advises development of security requirements on issues such as securing of data and acceptable levels of risk. Specific recommendations are offered for the planning, app testing, and app approval/rejection processes. For planning, key recommendations include:

  • Performing a risk analysis to understand the potential security impact of mobile apps on computing, networking and data resources
  • Documenting mobile device hardware and operating system security controls and identifying which security and privacy requirements can be addressed by the device itself
  • Documenting mobile enterprise security technologies, such as mobile device management, and identifying security and privacy requirements that can be addressed by these technologies
  • Reviewing the organization's mobile security architecture
  • Developing application security requirements by noting general and context-sensitive requirements
  • Procuring an adequate budget for vetting of applications

In the testing realm, NIST advises:

  • Identifying general app security requirements
  • Selecting testing tools and methodologies for determining whether general app security requirements are satisfied or violated
  • Reviewing licensing agreements associated with analyzers and understanding their security implications and licensing issues
  • Ensuring that apps transmitted over the network use an encrypted channel and that apps are stored on a secure machine at the analyzer's location, with access to that machine limited to authorized users

For app approval/rejection, recommendations include:

  • Identifying criteria for vetting context-sensitive app security requirements
  • Monitoring public databases, mailing lists, and other publicly available security vulnerability reporting repositories
  • Training auditors on security requirements and interpretation of analyzer reports and risk assessments

The report also covers Android and iOS vulnerability types, as well as testing approaches and understanding the limitations of vetting. NIST touches on traditional vs. mobile security issues too. "Mobile devices provide access to potentially millions of apps for a user to choose from. This trend challenges the traditional mechanisms of enterprise IT security software where software exists within a tightly controlled environment and is uniform throughout the organization."

By Paul Krill