DHS, NSA Conclude Pilot of Automated Mobile App Security Vetting Tool


While the program still has a ways to go, the team says it now has a way to automate mobile app security testing.

Security leaders in the homeland and national security space announced the successful initial pilot of an automated tool to ensure new mobile applications meet baseline cybersecurity standards.

Ensuring the security of mobile devices is a difficult task made significantly harder by the wealth of apps launched daily—some with dubious origins, others with lax security standards.

In order to prevent this from being a bottleneck to productivity, the Homeland Security Department’s Science and Technology Directorate and the National Security Agency’s National Information Assurance Partnership, or NIAP, have been working on an automated process for certifying that mobile apps meet the standards under NIAP’s Protection Profile.

Tuesday, the agencies announced the successful test of a pilot program that vetted Intelligent Waves’ Hypori app—itself a security app that helps manage security on personal devices connecting to enterprise networks—on Android and Apple operating systems using an automated system developed by Kryptowire. The results of the analysis were then independently verified by NIAP analysts and by the Leidos Common Criteria Testing Laboratory.

“The results are extremely promising as the pilot demonstrated that it is indeed possible to automate significant portions of the app software evaluation process, thereby increasing efficiencies, shortening approval times, and reducing costs,” according to a summary report published Monday. “Additional analysis by NSA experts concluded that most of the automated tests fully met the intent of the requirements—87% for iOS and 64% for Android. Others partially met the intent—20% for Android—of the requirement for a variety of reasons—e.g., did not gather enough data to unambiguously assess a pass or fail against—but could meet the intent with some implementation changes.”

“Automated testing will help bring the speed of NIAP evaluations to keep pace with the rapid, agile development and release cycles of today’s modern mobile app ecosystem,” NIAP Director Mary Baish said in a release announcing the results.

The agencies learned some other significant lessons through the pilot, including:

  • Automated assessments can reduce security risks by certifying basic compliance before starting a lengthy, official evaluation.
  • Apps can be tested without access to the source code.
  • App updates can be tested quickly as they are deployed.
  • Updates to the NIAP Protection Profile can be integrated easily.

Through the pilot, the team also noticed its own procedures are not always the most efficient.

“Some of NIAP’s requirements and prescribed testing approaches, as defined in protection profiles, are not necessarily the best or most effective ways to test certain security requirements and there is a need for greater flexibility to exercise a variety of test procedures, while ensuring security,” the report states.

“The pilot’s success is significant in that automating these evaluations to deliver accurate and trustworthy results will lower the barrier to entry by reducing the burden needed for NIAP PP Mobile App Vetting certifications,” said Vincent Sritapan, program manager for S&T Mobile Security and Emergency Communications, or Mobile SEC. “This increased testing will raise the security posture of the government’s mobile app ecosystem and at the same time raise confidence among app end-users, primarily the tax-paying public.”