Mobile devices such as smartphones and tablets and the applications (apps) we load onto them have become indispensable to our daily lives. On the business side, more and more government agencies and private-sector entities are adopting mobile systems to improve business operations and employee efficiency.
The catch is, though, that mobile apps are susceptible to malware, ransomware, spyware, coding flaws and other attacks that could compromise personal data stored on the device.
Apps can also be used to gain access to sensitive enterprise resources. Additionally, mobile apps and related services are evolving at a rapid pace, with new apps and updates, operating system updates and service provider updates introduced regularly.
This rapid development and deployment cycle increases the mobile technology attack surface and exposes devices and apps to new threats and exploits. Average users have few options for assessing app security, and even the Android and iOS app stores have carried apps with malware, bugs and other vulnerabilities.
The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) is working to increase mobile app security by developing solutions that will extend beyond deployment of an app to provide continuous security assurance throughout an app’s lifecycle.
The Mobile App Security project has two primary research and development (R&D) points of interest. The first is continuous mobile app monitoring, vetting and security assurance to safeguard against vulnerabilities and future threats. The second is establishing a security framework and integrated development environments, producing development platforms that let developers transparently ensure security and functionality throughout the mobile app lifecycle.
“S&T is conducting numerous mobile security projects addressing both device and app security,” said Mobile Security R&D Program Manager Vincent Sritapan.
The first S&T-backed effort focuses on continuous validation and threat protection for mobile devices and apps. It is developing a solution that uses a hardware-anchored Mission Critical Grade Security Layer (MCGSL) on the mobile device to protect against zero-day attacks, building on that mobile security platform and extending the mobile app security testing platform of research partner Kryptowire LLC.
This approach will provide an application programming interface (API) to the mobile app vetting platform so that it can check the integrity of a device and its apps. It will use device-utilization context, app behavioral profiles and user authentication information to cover a wide range of threats, reduce false positives in security incident reporting and defend against zero-day threats. The solution provides enhanced security and lowers risk for government and private-sector users.
Monitoring the security of an app should not stop once it is developed and released; it should be an ongoing process. That is the objective of the second research effort, led by Red Hat, Inc., which is also working with Kryptowire. The two are seeking to secure the mobile app development lifecycle at the points where insecure code could be introduced, whether intentionally by a rogue worker or unintentionally.
Discovering and remediating insecure code can save an app developer considerable time and money. For instance, correcting a defect during the requirements phase costs less than one percent of what it costs to correct the same defect after the app is in operation. Corrective costs continue to rise in each later lifecycle stage, eventually surpassing 100 percent once an app is in operational use.
The companies are developing new code-scanning technology by building an integrated platform that enforces end-to-end security for mobile solutions and reduces the cost of maintaining mobile security policies both during app development and while the app is in use.
The resulting continuous security assurance solution will automatically check proprietary code as well as third-party and open-source code libraries, so that risk-based decisions comply with federal government mobility standards before an app is deployed. If a new security or privacy vulnerability is identified, the platform will quickly push security updates.