DHS Funds Tech to Root Out Malware in Government Mobile Apps

SAN FRANCISCO – Federal agencies have built hundreds of mobile apps during the past decade, ranging from useful to educational to um, this.

Many of those apps weren’t built with security in mind, however, and even apps that were built securely half a decade ago may now be riddled with unpatched vulnerabilities if no one’s been actively maintaining them.

That means there’s a real danger that an app the government built to serve the public could now be serving up malware that will compromise users’ personal information.

Recently, the Homeland Security Department’s cybersecurity research and development wing funded a new technology to help mitigate those vulnerabilities.

The technology, which Homeland Security funded through the open-source tech company Red Hat, scans mobile apps for digital vulnerabilities through their entire life cycle and alerts the app’s owner when a new vulnerability pops up.

“The platform itself can actually alert them that: ‘Hey, your app is vulnerable; hey, a new threat came out and you should care,’” said Vincent Sritapan, a program manager focused on mobile security in Homeland Security’s science and technology division.

The technology is one of several that Sritapan and his colleagues are boosting at the RSA Cybersecurity conference in San Francisco this week.

Because many apps share common features, such as how the user navigates through them, they often rely on the same libraries of open-source computer code.

As a result, when someone discovers a hackable vulnerability in one of those open-source code libraries, a lot of apps become suddenly vulnerable. And if no one’s assigned to keep an eye out for new vulnerabilities, an app can stay vulnerable for a long time.

For a newly built app, the Red Hat tool would guide the developer through the process of building the app securely rather than scanning for vulnerabilities once it’s already built.

For existing apps, the tool would regularly scan for newfound vulnerabilities in the various code libraries that it draws from.

There’s a private-sector incentive to get better at vetting mobile app security, Sritapan said, but, given the pressing need to make government apps more secure, it was worth investing government research and development money to speed up the process.

A separate science and technology division-funded project Sritapan is touting at RSA this week is a tool that sits on mobile devices and scans for phishing attacks that come via email, text message or through a web browser.

The tool was built by the company Lookout. Homeland Security and other agencies are already running pilot programs with Lookout to scan mobile devices for known security vulnerabilities and for strange app behavior. When the anti-phishing tool comes online in June, it will likely be incorporated into some of those pilots, Sritapan said.

Lookout is seeking a certification from FedRAMP, a government cloud security authorization, so it can sell directly to the government, but that process takes a long time, Sritapan said. In the meantime, agencies are able to use the product through waivers, exceptions and pilot programs, he said.  

Sritapan’s work is part of a broader government effort to surge mobile device security as more government work gets done on smartphones and tablets.

The 2018 fiscal year, for example, is the first year that agencies are required to report about mobile security in their annual FISMA reports. Homeland Security also released a major report on mobile device security in 2017.