DHS: App Vetting Tools Are a Must-Have for Agencies, Despite Their Flaws 

Agencies can boost their cyber posture by integrating two popular mobile security products into a single system, but none of the combinations available on the market today would meet all the government’s needs, according to Homeland Security Department researchers.

However, adopting an imperfect device security platform is still better than not using one at all, they said.

As mobile devices proliferate across the government, agencies need a way to manage their expanding tech ecosystems and ensure their devices—and the software running on them—are free of vulnerabilities. Federal cyber leaders have identified two popular technologies that could help meet those needs: continuous app vetting, which scans individual applications for potential exploits, and enterprise mobility management, or EMM, which allows organizations to remotely manage their devices’ security settings.

Merging both these tools into a unified system would give agencies a bird’s-eye view of their entire mobile ecosystem, allowing officials to push security settings and approve or reject apps across the enterprise. But while this integration is technically feasible, every combination of EMM solutions and mobile vetting tools available today carries at least some “critical weaknesses,” according to the Homeland Security Systems Engineering and Development Institute.

In a recent study, the institute evaluated integrations of six different app-vetting tools with two popular EMM solutions on 43 test cases involving custom-developed and commercial apps, like Twitter, Angry Birds, Facebook and DuckDuckGo. While each combined system passed the organization’s test, researchers uncovered various shortcomings in each of the builds. 

Many systems struggled to score the reputation of different app developers, and every one failed to properly assess apps that were “sideloaded” or came from sources other than the Google Play or Apple App Store. In some cases, EMM systems also failed to block access to apps that were flagged by vetting tools. 

“Integration of EMM and app vetting is still an emerging capability and vendors are actively developing new features and improving their offerings,” researchers wrote. “HSSEDI found no single integrated product that implements all security-relevant capabilities.”

But that doesn’t mean agencies should avoid EMM and app vetting solutions altogether. 

Despite their shortcomings, numerous systems “showed an ability to mitigate many of the risks mobile apps present to the enterprise,” according to researchers. Vendors make constant upgrades to the security tools they offer the government, and DHS initiatives like .govCAR and the Continuous Diagnostics and Mitigation program will continue to drive those improvements in the years ahead, they said.

"Given the rapidly changing solution space, [agencies] can still improve their overall security posture by employing these capabilities,” they said. Still, they added, it’s critical that federal leaders understand the strengths and weaknesses of different tools.