Vetting the Security of Mobile Apps: NIST Releases Draft Pub for Comment
By CHIPS Magazine - July 24, 2018
How many apps do you use? A few, 10, 25… more? Mobile applications have become an ingrained part of daily life, from ordering lunch and browsing the news to banking and shopping, not to mention the professional apps that we use to improve efficiency, performance and communications. As both public and private organizations rely more heavily on mobile apps, securing these applications from vulnerabilities, defects and hacking becomes increasingly important.

The level of risk related to vulnerabilities varies depending on several factors, including the data an app can access, NIST said in a release. For example, apps that access data such as precise and continuous geolocation information, personal health metrics or personally identifiable information (PII) may be of higher risk than those that do not access such sensitive data. In addition, apps that depend on wireless network technologies (e.g., Wi-Fi, cellular, Bluetooth) for data transmission may also have elevated risk, since these technologies can also be used to steal information remotely, NIST said.

To understand the potential security risks that may reside in mobile apps, the National Institute of Standards and Technology issued Draft NIST Special Publication (SP) 800-163 Revision 1, Vetting the Security of Mobile Applications, which defines the app inspection process — a software assurance methodology for mobile applications. Revision 1 updates this publication to address and expand on changes in the mobile arena to better define the app vetting process as a whole, while providing greater detail about the roles, capabilities and strategies of mobile app testing. Cybersecurity requirements and references have been added to assist organizations in developing or upgrading their own app approval policy. A brief discussion of the mobile app threat environment is included to better explain the need for app vetting, NIST said.

Comments on Draft SP 800-163 Rev. 1 are due Sept. 6, 2018, and may be sent to nist800-163@nist.gov; please enter “Comments on Draft SP 800-163 Rev. 1” in the Subject field.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988