Imagine a bright red Lamborghini parked outside of your front door and a sign right next to it screaming “FREE!”
Initial reaction… Score! Secondary reaction… What’s the catch?
With a little bit of healthy skepticism, you might reach the conclusion that the new gift comes with a hidden price tag. Because of the high market purchase price, the value of a Lamborghini can be measured easily and quantitatively. But with mobile apps, the relative value and the hidden strings are not as easy to identify.
This, and their sheer abundance, could be why it’s so easy to accept “FREE” mobile apps. Plus, it’s not like you can survive without Candy Crush or the new Kim Kardashian app.
What is the downside to this onslaught of “FREE” phone apps? And how do we screen for their negative sides?
Tom Karygiannis, a senior computer scientist and researcher at NIST, spoke with Chris Dorobek on the DorobekINSIDER program about the importance of security regarding new mobile apps and NIST’s new draft publication Technical Considerations for Vetting Third Party Mobile Applications.
Lay the Groundwork
“The first thing we want to do is inform people what they’re getting into when they start using these apps,” Karygiannis said. “When you install an app, how do you know what it actually does, and how do you understand what their impact is on a user’s private network.”
Although many mobile apps are incredibly beneficial to workplace productivity, they can also put sensitive data and other network resources at risk. The National Institute of Standards and Technology (NIST) has produced the Technical Considerations draft to inform people about how to take advantage of the benefits of these mobile apps while also navigating and avoiding the potential risks.
Karygiannis stated that today’s mobile devices have capabilities similar to the laptops and desktops of just a few years ago. He emphasized that not only are people and information tracked with GPS via their mobile devices, but Wi-Fi, Bluetooth and similar radios are also collecting personal data. And because the devices are extremely portable, they are much easier to lose or misplace, which further adds to the security exposure.
“Whether you’re a medical professional, in a tactical military environment, public relations, law enforcement or you’re another government official, you need to protect different types of data and different types of network resources,” Karygiannis explained. “If you are in a classified environment, you might have different needs and requirements. We want you to understand what an app does, look at the data and network resources you want to protect, and make the decisions on whether you’re going to allow the use of this app.”
The Technical Considerations for Vetting Third Party Mobile Applications draft discusses common testing requirements for mobile apps. Karygiannis suggested that, given the onslaught of new apps, one way an agency can streamline the testing process is to develop a database of already-tested and approved apps.
Karygiannis described one example of a test involving cryptography. “Some apps use cryptography, and we’ve seen apps in the banking and finance industries where they are hard coding cryptographic keys or initialization vectors or other poor programming practices.” Because app designs vary, this check does not apply to every app, but it is one of many suggestions in the NIST publication.
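As an added illustration of the hard-coded key and IV check Karygiannis describes (example code written for this article, not a NIST or vendor tool), here is a two-pass static check run over constructed Android (Java) source: it flags a `SecretKeySpec` or `IvParameterSpec` built from a literal, or from a constant that was itself initialised from a literal, while leaving a `SecureRandom`-generated IV alone.

```python
import re
from typing import List, Tuple

# Constructed Android source, written for this example to resemble what a vetter
# sees after unpacking a third-party app. It is not taken from any real app.
SAMPLE_SOURCE = """\
import java.security.SecureRandom;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class Crypto {
    // hard-coded key: anyone who unpacks the app recovers it
    static final byte[] KEY = new byte[] {0x13, 0x37, (byte) 0xca, (byte) 0xfe};
    // hard-coded IV: equal plaintexts encrypt to equal ciphertexts
    static final IvParameterSpec IV = new IvParameterSpec("0123456789abcdef".getBytes());
    SecretKeySpec key() { return new SecretKeySpec(KEY, "AES"); }
    // acceptable: a fresh IV from SecureRandom for every message
    IvParameterSpec freshIv(SecureRandom rng) {
        byte[] iv = new byte[16];
        rng.nextBytes(iv);
        return new IvParameterSpec(iv);
    }
}
"""

# A byte[] or String field/variable initialised from a literal (captures its name).
LITERAL_INIT = re.compile(r'\b(?:byte\[\]|String)\s+(\w+)\s*=\s*(?:new\s+byte\[\]\s*\{|")')
# Construction of key or IV material; group 2 is the first constructor argument.
KEY_MATERIAL_CTOR = re.compile(r'new\s+(SecretKeySpec|IvParameterSpec)\s*\(\s*([^,)]+)')
# A first argument that is itself a byte-array or string literal.
LITERAL_ARG = re.compile(r'^(?:new\s+byte\[\]\s*\{|"[^"]*"\.getBytes\()')

def find_hardcoded_key_material(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, constructor, reason) for every key/IV built from a
    literal or from a name that pass 1 saw initialised from a literal."""
    lines = source.splitlines()
    literal_names = {m.group(1) for m in map(LITERAL_INIT.search, lines) if m}
    findings = []
    for no, text in enumerate(lines, 1):
        for m in KEY_MATERIAL_CTOR.finditer(text):
            ctor, arg = m.group(1), m.group(2).strip()
            if LITERAL_ARG.match(arg):
                findings.append((no, ctor, "literal argument"))
            elif arg in literal_names:
                findings.append((no, ctor, f"{arg} is a literal constant"))
    return findings

if __name__ == "__main__":
    for line, ctor, reason in find_hardcoded_key_material(SAMPLE_SOURCE):
        print(f"line {line}: {ctor} uses hard-coded material ({reason})")
```

The check is a triage heuristic for a vetting queue, not proof of safety: key material loaded from a resource file or obfuscated string table still needs a manual look.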
“NIST email addresses are on the website, and if you have any comments or suggestions on the document, feel free to contact us,” Karygiannis said. “We try to make the process as transparent as possible.”