As more businesses move their processes onto mobile apps, the need for app security grows with them. Mobile applications tend to present a larger attack surface than other enterprise software: most are third-party code, they run on devices that leave the corporate network, and they routinely handle contacts, location and other sensitive data. This is why they should be thoroughly vetted before being released to the workforce.
According to the National Institute of Standards and Technology (NIST), vetting mobile apps involves “a sequence of activities that aims to determine if an app conforms to an organization’s security requirements.” In practice, vetting consists of testing the app, reviewing the results against the organization’s requirements, and then approving or rejecting it.
In our IT Downloads section, you will find NIST documentation that explains how to vet mobile apps. “Vetting the Security of Mobile Applications” was created by NIST as part of its responsibilities under the Federal Information Security Management Act of 2002. Its purpose is to help organizations understand the importance of mobile app security and assist them in setting up their own mobile application security plans.
Before attempting to test any applications, an organization should create its own app security plan. It should include a budget, the staff who will perform the vetting, and a list of security requirements that an app must satisfy to pass. The NIST document contains a section to help you develop your own requirements. For example:
Developing app security requirements involves identifying the security needs and expectations of the organization and identifying both general and context-sensitive requirements that address those needs and expectations. For example, if an organization has a need to ensure that apps do not leak PII, the general requirement “Apps must not leak PII” should be defined. If the organization has an additional need to ensure that apps that record audio or video must not be used in a SCIF, then the context-sensitive requirement “Apps that record audio or video must not be used in a SCIF” should be used. After deriving general requirements, an organization should explore available analyzers that test for the satisfaction or violation of those requirements. In this case, for example, an analyzer that tests an app for the leakage of PII should be used.
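To show how written requirements of this kind become something an analyzer can actually check, here is a small added example. It is not from the NIST document or from any vetting product; it parses a constructed Android manifest and evaluates the two requirements quoted above. The general requirement (no PII leakage) cannot be proven from a manifest, so the check flags its precondition, PII access combined with network egress, as needing dynamic analysis rather than as an automatic failure. The context-sensitive requirement (no audio or video recording in a SCIF) is checked against a deployment-context value that is this example’s own assumption. The permission names are real Android permission strings; the permission groupings and the sample app are constructed for illustration.

```python
"""Turn written app-security requirements into machine-checkable checks.

Added example; not from the NIST document. It parses a constructed Android
manifest and evaluates one general requirement ("Apps must not leak PII") and
one context-sensitive requirement ("Apps that record audio or video must not
be used in a SCIF"). The deployment-context field and the permission
groupings below are this example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give access to PII on the device (assumption: a starting
# list an organization would tailor, not an exhaustive one).
PII_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Permissions that let data leave the device.
EGRESS_PERMISSIONS = {"android.permission.INTERNET"}
# Permissions that allow recording audio or video.
RECORDING_PERMISSIONS = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def check_pii_leak(perms: set) -> list:
    """General requirement: apps must not leak PII.

    A manifest cannot prove a leak, so this flags the precondition for one:
    PII access combined with a network egress path. A finding means the app
    needs dynamic analysis, not automatic rejection.
    """
    pii = perms & PII_PERMISSIONS
    if pii and perms & EGRESS_PERMISSIONS:
        return [f"PII access ({', '.join(sorted(pii))}) combined with INTERNET: "
                "verify with dynamic analysis that no PII leaves the device"]
    return []


def check_scif_recording(perms: set, deployment_context: str) -> list:
    """Context-sensitive requirement: apps that record audio or video must
    not be used in a SCIF. Only evaluated when the context is a SCIF."""
    if deployment_context != "SCIF":
        return []
    rec = perms & RECORDING_PERMISSIONS
    if rec:
        return [f"requests {', '.join(sorted(rec))}: not permitted for SCIF deployment"]
    return []


def vet(manifest_xml: str, deployment_context: str) -> dict:
    """Evaluate every requirement; return findings keyed by requirement text."""
    perms = requested_permissions(manifest_xml)
    return {
        "Apps must not leak PII": check_pii_leak(perms),
        "Apps that record audio or video must not be used in a SCIF":
            check_scif_recording(perms, deployment_context),
    }


# Constructed sample manifest for a hypothetical app; not a real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fieldnotes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Field Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for context in ("office", "SCIF"):
        print(f"== deployment context: {context}")
        for requirement, findings in vet(SAMPLE_MANIFEST, context).items():
            print(f"{'FAIL' if findings else 'PASS'}  {requirement}")
            for finding in findings:
                print(f"      - {finding}")
```

Run against the sample app, the PII check produces a finding in every context (it reads contacts and has INTERNET), while the recording check produces a finding only when the deployment context is a SCIF. That is the point of separating general from context-sensitive requirements: the same app can be acceptable for one workforce and rejected for another without rewriting the requirement.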
The document also includes sections on vetting limitations, budgeting, app testing, protecting sensitive data and different testing approaches. It also contains lists of vulnerability types for both Android and iOS apps, along with a glossary and acronym list.
CTOs, IT managers and any staff who work with mobile applications should read this guide. Vetting and approving mobile apps for enterprise use can be tricky, so having such detailed documentation to move your team through the proper stages will save time and headaches.