NIST Offers Guidelines for Vetting Mobile Apps

    Sep 23, 2014

    The use of mobile devices at work may improve productivity, but it can also challenge the organization’s data security and privacy. Third-party mobile applications need to be thoroughly vetted before being allowed in the workplace. This is true for all sectors, including government. That’s why the National Institute of Standards and Technology (NIST) drafted guidelines for vetting third-party apps.

    "Agencies need to know what a mobile app really does and to be aware of its potential privacy and security impact so they can mitigate any potential risks," Tony Karygiannis, a computer scientist in NIST’s Computer Security Division, told InformationWeek. "Many apps may access more data than expected and mobile devices have many physical data sensors continuous[ly] gathering and sharing information."

    For example, individuals could be tracked without their knowledge via a calendar app, social media app, a Wi-Fi sensor, or other utilities connected to a global positioning system. "Apps with malware can even make a phone call recording and forward conversations without its owner knowing it," Karygiannis said.

    The draft offered the following key recommendations:

    • Understand the security and privacy risks mobile apps present and have a strategy for mitigating them.
    • Provide mobile app security and privacy training for your employees.
    • Vet all mobile apps and their updates to ensure they remain suitable throughout their lifecycle.
    • Establish a process for quickly vetting security-related app updates.
    • Advise stakeholders what the mobile app vetting does and doesn’t provide in terms of security.
    • Have a software analyst review mobile app testing results within the context of the organization’s mission, security policies, and risk tolerance.

    © 2017, ARMA International