The increased use of mobile technologies to deliver mission services and data, and the amount of personal and government data stored on mobile devices, make mobile apps a lucrative target for attacks. Mobile application management solutions manage the distribution, update and removal of managed apps on a DHS-managed device; however, standards-based methods are needed to vet apps prior to installation and to continuously scan installed apps for new vulnerabilities. As with traditional desktop and enterprise applications, mobile apps can have security vulnerabilities that could be exploited by attackers to gain access to sensitive government information and resources. Therefore, to proliferate secure mechanisms into the mobile device ecosystem, the DHS Science and Technology Directorate (S&T) has initiated the Mobile Application Security (MAS) R&D project. This project seeks to automate and incorporate security-by-design into a series of security tools for mobile apps that assist developers, analysts, and security and network operators.
Users’ increased ability to access and act upon data through mobile technology is changing the way missions are performed. Mobile applications (apps) improve mission effectiveness and productivity by providing connectivity, real-time information sharing and unrestricted mobility. User demand for mobile apps includes commercial apps as well as custom-developed apps designed to meet mission needs. However, the increasing use of mobile apps is leading to apps replacing operating systems as the most prominent avenue of cyberattack. As with traditional desktop and enterprise applications, mobile apps can have security vulnerabilities that could be exploited by attackers to gain access to sensitive government information and resources. Unlike desktop applications, precise location information, contact details, sensor data, photos and messages can be exposed through mobile apps. The combination of traditional software vulnerabilities, the additional information and services accessible through mobile apps, and the number of mobile apps demands a different approach to security.
The need for standardized, cost-effective automated methods and tools to develop, vet, deploy and manage mobile apps has been identified as a key enabler for the federal government’s adoption of mobile technologies. The MAS project supports these objectives directly. Currently, the MAS project is developing new and innovative approaches in two areas: continuous validation and threat protection for mobile applications and integrating security throughout the mobile application lifecycle. The first area addresses a new approach for testing the security of mobile apps using criteria developed through an interagency working group and seeks to continuously monitor the security posture of installed apps, identify malware and vulnerable code and anticipate and react to future mobile app threats and vulnerabilities. The second area seeks to fortify mobile app development tools with functionality that—transparently to the developer—incorporates secure mechanisms as mobile apps are developed.
Lookout, Inc.: Continuous Validation & Threat Protection for Mobile Applications
New detection and protection capabilities for app threats, risks and vulnerabilities, as well as enhancements to Lookout’s cloud-based Mobile Endpoint Security platform, are being developed in this effort. The work will enhance detection of risky and side-loaded applications and of advanced network-based threats, and it will improve mobile device and application vulnerability detection and management. It also will enhance the certificate authority reputation system. The enhanced platform will be applicable to the iOS and Android operating systems.
United Technologies Research Center (UTRC): COMBAT: Continuous Monitoring of Behavior to Protect Devices from Evolving Mobile Application Threats
This effort develops and implements a mobile app security system for Android devices that will run on a hybrid mobile-device-cloud environment. The system will accurately detect malicious and vulnerable apps of varying risk-severity levels. It will also evaluate app security risk and produce a detailed risk-assessment report. The solution will include on-device-based behavior monitoring to track the behavior of vetted apps in real time and enforce policies.
Apcerto, Inc.: Mobile App Certification Tool
This effort develops a rating system for mobile app security based on standards and a framework for orchestrating the entire mobile app security process. The framework will provide a testbed for mobile app security orchestration and the normalization of results to security standards. The platform also will evaluate security tools and measure tool outputs. This effort will provide security-analysis-as-a-service, enabling the public and private sectors to vet apps.
Qualcomm Technologies, Inc.: Hardware-Anchored Continuous Validation and Threat Protection of Mobile Applications
In this effort, technology to anchor mobile application security to device hardware and a demonstration of a mission-critical-grade security layer (MCGSL) are being developed. The MCGSL framework will continuously validate and secure third-party apps and services. The design will cover a wide range of threats while using application and user-behavioral profile information to reduce false-positive identification of security incidents and possibly reveal previously unseen advanced persistent threats.
Publications, Fact Sheet & Videos
- Automating National Information Assurance Partnership Requirements Testing for Mobile Apps Report
- DHS Study on Mobile Device Security
- Mobile App Security Study: Securing Mobile Applications for First Responders
- Mobile Security R&D Program Guide, Volume 2
- Mobile Device Security Fact Sheet
- 2017 R&D Showcase: Mobile App Vetting Video