NIST producing guide to help government vet mobile apps

(Photo: Jason A. Howie, CC-licensed)

The National Institute of Standards and Technology knows that even the best apps can have unseen and undiscovered vulnerabilities. With agencies trying to balance the versatility of mobility with keeping data secure, NIST is asking for the public’s help in creating a guide that will allow agency security analysts to scrutinize mobile apps.

The publication will include standard requirements, tools and techniques for testing mobile apps, with a focus on security, functionality, performance and reliability so agencies can find and close vulnerabilities before data becomes compromised.


“Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks,” said NIST computer scientist Tom Karygiannis in a statement.

NIST’s guide will include common ways apps can hold personally identifiable information, such as tracking information obtained through a Wi-Fi connection or GPS location, or identifiers stored by social media or calendar apps.

“Apps with malware can even make a phone call recording and forward conversations without its owner knowing it,” Karygiannis said.

In addition to outlining how to test for malicious code, the guide will point out ways apps can zap productivity because of an intense workload or a drain on battery life.
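The data-access categories listed above (location, Wi-Fi identifiers, microphone and call audio, contacts and calendar data) are exactly what an agency analyst would want to enumerate before approving an app. The following is an added example, not code from the article or from the NIST publication it describes: a small static check that reads an Android manifest, lists the permissions the app declares, and flags those that map to one of those categories unless the agency has recorded a justification for them. The manifest is a constructed sample, and the `expected` parameter (permissions the app's stated purpose justifies) is an assumption about how an agency would apply the article's advice that each department should consider what its apps actually need to do.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, mapped to the data categories the article names.
# The category labels are this example's own wording, not NIST's.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network identifiers",
    "android.permission.RECORD_AUDIO": "microphone / call audio",
    "android.permission.READ_PHONE_STATE": "phone identifiers",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_CONTACTS": "contacts (social identifiers)",
    "android.permission.READ_CALENDAR": "calendar data",
}

# Constructed sample manifest for a hypothetical note-taking app. A notes app
# that asks for location and microphone access is the kind of mismatch a
# vetting analyst should notice.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <application android:label="Notes"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def flag_sensitive(manifest_xml, expected=()):
    """Flag declared permissions that touch sensitive data and are not justified.

    `expected` is the set of permissions the agency has documented as needed
    for the app's job; anything sensitive outside that set is a finding.
    Returns a list of (permission, category) tuples in manifest order.
    """
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in SENSITIVE_PERMISSIONS and perm not in expected:
            findings.append((perm, SENSITIVE_PERMISSIONS[perm]))
    return findings


if __name__ == "__main__":
    # Calendar access is plausible for a notes app; location and audio are not.
    justified = {"android.permission.READ_CALENDAR"}
    for perm, category in flag_sensitive(SAMPLE_MANIFEST, justified):
        print("UNJUSTIFIED: %s (%s)" % (perm, category))
```

A declared permission only shows that the app may access the data, not that it does; this check is a first screening step that tells the analyst which behaviours to confirm with dynamic testing, and it will not catch code that reaches the same data through a library or a misconfigured exported component.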

The document will serve as a set of recommendations rather than a step-by-step guide, with NIST saying each agency should take into account what apps each department uses in order to do its job.


The guide plans to highlight common vulnerabilities in applications that run on both the iOS and Android platforms.

NIST is accepting comments for the publication until September 18.
