New Tool Manages App Vetting ProcessNIST Releases a Mobile App Testing Framework
A hot topic among U.S. federal government security managers and other information security professionals, is developing a process to vet mobile applications. The National Institute of Standards and Technology is offering a solution.
NIST, working with the Defense Advanced Research Projects Agency, has created what it characterizes as the first open source Web application for managing the mobile app vetting process. Known as AppVet, the mobile app vetting system is available for free to government agencies and others.
"This tool itself does not do the app testing; it's more of a framework to manage that workflow," says Tom Karygiannis, a NIST senior researcher.
AppVet manages mobile app vetting workflow that involves submitting apps to testing for virus detection and reliability. For example, AppVet receives reports and risk assessments from testing tools and combines risk assessments from these tools into a single assessment. Analysts then can review the reports and risk assessments and decide whether to approve or reject the app based on the organization's requirements.
Testing mobile apps is difficult. Organizations use multiple software tools to test mobile apps for security and compatibility with enterprise systems because no one tool tests for everything. App testing often involves manually testing apps, a complex and time-consuming process because of the large number of tools used.
Karygiannis says AppVet eases that burden by creating a framework for the review process, which includes the ability for testers and analysts to incorporate their comments on the test results.
AppVet emerged from a collaboration between NIST and DARPA, which needed a vetting process to provide a level of software assurance for commercially available mobile apps that the military would deploy in combat.
Karygiannis says NIST is in discussions with the Department of Homeland Security and other federal agencies to develop testing requirements and processes to help them deploy a process to test commercially available mobile apps.
"What's clear is that most of the agencies need some sort of app vetting and that each agency may have different acceptance criteria," Karygiannis says. "You wouldn't test an app and give it a thumbs up for everybody, or a thumbs down for everybody. You would provide the test results, and depending on the agency's mission or need, they would decide whether those risks are mitigated through some other way or they find them acceptable for their particular need."
AppVet is designed to support organizations that test a large number of apps but can be used by smaller entities as well. It can support apps from different mobile platforms, including Android, iOS and Windows, depending on tool availability for those platforms. NIST does not provide the testing tools; instead it provides an interface to manage the test results of multiple commercial and open source testing tools.
AppVet can be downloaded for free at http://csrc.nist.gov/projects/appvet.