NIST taking input for mobile security guidelines

A new NIST publication aims to alert enterprises of potential security dangers within commercial apps

The U.S. National Institute of Standards and Technology (NIST) is developing a guide for testing third-party apps to ensure that they are secure and don't introduce any vulnerabilities.

The government agency has prepared a draft of its recommendations, "Technical Considerations for Vetting 3rd Party Mobile Applications," and is seeking industry feedback by Sept. 18. The aim is to help enterprises make full use of commercial mobile programs.

"Agencies and organizations need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks," said NIST computer scientist Tom Karygiannis in a statement announcing the release of the draft.

The draft publication "describes tests that allow software security analysts to discover and understand vulnerabilities and behaviors before the app is approved for use," Karygiannis said.

The document, once finished, will give organizations a guide for testing third-party apps that they may want to use for official business. It will also detail the different types of vulnerabilities commonly found on Android and Apple iOS devices.

Many of today's mobile apps, such as calendars, require access rights to various parts of the device's OS. Granting permissions to these apps, however, can introduce security vulnerabilities to a secured system. For instance, giving a collaboration app access to a contact list could inadvertently reveal names on the list that should remain private.

Mobile devices can also gather a lot of data unbeknownst to the owner of the device. Malware, for instance, could be surreptitiously installed to record phone conversations, or users could be secretly tracked through the phone's GPS functionality.

In addition to offering techniques for testing and vetting apps, the publication will also provide descriptions of undesirable behavior, how to manage an app through its entire life cycle, and examples of how vulnerabilities could lead to system compromises.

Beyond security, the publication will also detail how to manage the power that apps can consume on a device.

An agency within the U.S. Department of Commerce, NIST works with industry to develop standards and technologies to encourage innovation, advance U.S. economic competitiveness and improve the quality of life.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Tags securitymobile securityU.S. National Institute of Standards and Technology

More about AppleDepartment of CommerceIDGNewsTechnology

Comments

Comments are now closed

Symantec donates $260k towards cyberbullying prevention

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]