Mobile app security grabs feds' attention

Recognizing the increased use of mobile apps at businesses, the National Institute of Standards and Technology (NIST), a U.S. government agency, has come forward with recommendations on vetting security of these applications with steps ranging from risk management to testing.

In the January report, NIST notes how mobile apps can provide "unprecedented" connectivity between employees, customers, and vendors. The apps also offer unrestricted mobility, as well as improved functionality and real-time information sharing.

At the same time, NIST points out concerns. "Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security issues. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack," the report says. "Such vulnerabilities may be exploited by an attacker to gain unauthorized access to an organization's information technology resources or the user's personal data."

NIST advises development of security requirements on issues such as securing of data and acceptable levels of risk. Specific recommendations are offered for the planning, app testing, and app approval/rejection processes. For planning, key recommendations include:

In the testing realm, NIST advises:

For app approval/rejection, recommendations include:

The report also covers Android and iOS vulnerability types, as well as testing approaches and understanding the limitations of vetting. NIST touches on traditional vs. mobile security issues too. "Mobile devices provide access to potentially millions of apps for a user to choose from. This trend challenges the traditional mechanisms of enterprise IT security software where software exists within a tightly controlled environment and is uniform throughout the organization."


Paul Krill