Mobile Application Security

The increased use of mobile technologies to deliver mission services and data, together with the amount of personal and government data stored on mobile devices, makes mobile apps a lucrative target for attacks. Mobile application management solutions manage the distribution, update and removal of managed apps on a DHS-managed device; however, standards-based methods are needed to vet apps prior to installation and to continuously scan installed apps for new vulnerabilities. As with traditional desktop and enterprise applications, mobile apps can have security vulnerabilities that could be exploited by attackers to gain access to sensitive government information and resources. Therefore, to proliferate secure mechanisms into the mobile device ecosystem, the DHS Science and Technology Directorate (S&T) has initiated the Mobile Application Security (MAS) R&D project. This project seeks to automate security tooling for mobile apps and to incorporate security-by-design into a series of tools that assist developers, analysts, and security and network operators.

Motivation

Users’ increased ability to access and act upon data through mobile technology is changing the way missions are performed. Mobile applications (apps) improve mission effectiveness and productivity by providing connectivity, real-time information sharing and unrestricted mobility. User demand for mobile apps includes commercial apps as well as custom-developed apps designed to meet mission needs. However, the increasing use of mobile apps is leading to apps replacing operating systems as the most prominent avenue of cyberattack. As with traditional desktop and enterprise applications, mobile apps can have security vulnerabilities that could be exploited by attackers to gain access to sensitive government information and resources. Unlike desktop applications, precise location information, contact details, sensor data, photos and messages can be exposed through mobile apps. The combination of traditional software vulnerabilities, the additional information and services accessible through mobile apps, and the number of mobile apps demands a different approach to security.

Approach

The need for standardized, cost-effective automated methods and tools to develop, vet, deploy and manage mobile apps has been identified as a key enabler for the federal government’s adoption of mobile technologies. The MAS project supports these objectives directly. Currently, the MAS project is developing new and innovative approaches in two areas: continuous validation and threat protection for mobile applications and integrating security throughout the mobile application lifecycle. The first area addresses a new approach for testing the security of mobile apps using criteria developed through an interagency working group and seeks to continuously monitor the security posture of installed apps, identify malware and vulnerable code and anticipate and react to future mobile app threats and vulnerabilities. The second area seeks to fortify mobile app development tools with functionality that—transparently to the developer—incorporates secure mechanisms as mobile apps are developed.

Performers

Lookout, Inc.: Continuous Validation & Threat Protection for Mobile Applications

This effort develops new app threat, risk and vulnerability detection and protection capabilities, along with enhancements to Lookout's cloud-based Mobile Endpoint Security platform. The work will enhance detection of risky and side-loaded applications and of advanced network-based threats, as well as mobile device and application vulnerability detection and management. It also will enhance the certificate authority reputation system. The enhanced platform will be applicable to iOS and Android operating systems.

United Technologies Research Center (UTRC): COMBAT: COntinuous Monitoring of Behavior to Protect Devices from Evolving Mobile Application Threats

This effort develops and implements a mobile app security system for Android devices that will run on a hybrid mobile-device-cloud environment. The system will accurately detect malicious and vulnerable apps of varying risk-severity levels. It will also evaluate app security risk and produce a detailed risk-assessment report. The solution will include on-device-based behavior monitoring to track the behavior of vetted apps in real time and enforce policies.

Apcerto, Inc.: Mobile App Certification Tool

This effort develops a rating system for mobile app security based on standards and a framework for orchestrating the entire mobile app security process. The framework will provide a testbed for mobile app security orchestration and the normalization of results to security standards. The platform also will evaluate security tools and measure tool outputs. This effort will provide security-analysis-as-a-service, enabling the public and private sectors to vet apps.

Qualcomm Technologies, Inc.: Hardware-Anchored Continuous Validation and Threat Protection of Mobile Applications

In this effort, technology to anchor mobile application security to device hardware and a demonstration of a mission-critical-grade security layer (MCGSL) are being developed. The MCGSL framework will continuously validate and secure third-party apps and services. The design will cover a wide range of threats while using application and user-behavioral profile information to reduce false-positive identification of security incidents and possibly reveal previously unseen advanced persistent threats.

News

Press Releases and Media Advisories

S&T Announces Transition of New Phishing Protection for Mobile Devices, July 5, 2018

S&T Announces Release of Mobile Security R&D Program Guide Vol. 2, April 13, 2018

DHS S&T Pilot Project Helps Secure First Responder Apps From Cyberattacks, December 18, 2017

DHS S&T Awards $750K To Manassas, Va.-based Tech Firm For Mobile Application Development Security Research, October 11, 2017

DHS S&T Awards $640K to the Critical Infrastructure Resilience Institute for Supply Chain Cyber-Threats Research, September 14, 2017

DHS S&T Awards $8.6 Million for Five Mobile Application Security R&D Projects, September 6, 2017

Snapshot Articles

S&T Leading Development of Secure Mobile Apps, April 10, 2018

Resources

2017 R&D Showcase: Mobile App Vetting

DHS Study on Mobile Device Security

Mobile App Security Study: Securing Mobile Applications for First Responders

Mobile Device Security Fact Sheet

Mobile Security R&D Program Guide, Volume 2

Visit the cybersecurity projects, news and resources pages for cyber-specific articles and other written products, or connect with us at the next S&T cybersecurity event.

Archive

Press Releases and Media Advisories

DHS S&T Pilot Project Helps Secure First Responder Apps From Cyberattacks, December 18, 2017

DHS S&T Awards $750K To Manassas, Va.-based Tech Firm For Mobile Application Development Security Research, October 11, 2017

DHS S&T Awards $640K to the Critical Infrastructure Resilience Institute for Supply Chain Cyber-Threats Research, September 14, 2017

DHS S&T Awards $8.6 Million for Five Mobile Application Security R&D Projects, September 6, 2017

DHS to Hold Mobile App Security Research and Development Industry Day, June 6, 2016

DHS S&T’s Mobile Security Performer to be First R&D Performer Added to GSA IT Schedule 70, April 8, 2015

DHS S&T Awards $2.9 Million for Mobile App Security Research, July 23, 2015

DHS S&T Applies Mobile App Archiving Technology to Copyright Infringement, July 17, 2015

DHS S&T Expands Mobile App Archiving Technology, April 8, 2015

DHS S&T App Technology Transitions to Commercial Market, December 5, 2014

Snapshot Articles

S&T and APCO Partner to Improve Interoperability and Security of Public Safety Mobile Apps, November 7, 2016

Videos

2016 R&D Technical Workshop: Mobile Malware Analysis

2016 R&D Technical Workshop: Mobile App Software Assurance

2016 R&D Technical Workshop: Mobile Application Communications Using GUI & Data Instrumentation

2014 R&D Technical Workshop: Dissecting Mobile App Markets

2014 R&D Technical Workshop: Code Analysis to Detect Malicious Android Apps

Publications

V. Sritapan and A. Stavrou, "Mobile App Testing for the Enterprise," ISSA Journal, vol. 14, issue 3, March 2016.

R. Johnson, N. Kiourtis, A. Stavrou and V. Sritapan, "Analysis of content copyright infringement in mobile application markets," 2015 APWG Symposium on Electronic Crime Research (eCrime), Barcelona, 2015, pp. 1-10.

R. Johnson, M. Elsabagh, A. Stavrou and V. Sritapan, "Targeted DoS on Android: how to disable Android in 10 seconds or less," 2015 10th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, 2015, pp. 136-143.

Contact

Program Manager: Vincent Sritapan

Email: SandT-Cyber-Liaison@hq.dhs.gov