A Department of Homeland Security (DHS) Science and Technology Directorate (S&T) pilot project successful remediated potential cybersecurity vulnerabilities in mobile applications used by U.S. public-safety professionals, supporting the creation of an on-going mobile app-testing program.
In emergency and disaster situations, mobile devices and apps enable public-safety professionals to receive and share critical information in real-time, which enhances the delivery of life-saving services. As reliance on mobile technology grows, it is important that mobile apps used by public safety are free of malware or vulnerabilities.
The pilot testing project—“Securing Mobile Applications for First Responders”—was a joint effort of the Homeland Security Advanced Research Project Agency’s Cyber Security Division, S&T’s First Responder Group (FRG), Association of Public-Safety Communications Officials (APCO) and Kryptowire, LLC, the developer of a leading mobile app-vetting platform that was funded by S&T.
Its dual goals were to improve mobile app security for the public-safety community and determine the need for a sustainable model for testing the security and privacy-protection capabilities of public-safety apps. To these ends, the pilot sought to determine the degree to which the selected public-safety apps are vulnerable to cyberattacks—malware, ransomware and spyware—or had coding vulnerabilities that could compromise the device’s security, expose personal data or allow for eavesdropping.
“This pilot project illustrates the efficacy, benefits and value an ongoing app-testing program will provide to the public-safety community and the nation,” said Vincent Sritapan, S&T’s Program Manager for Mobile Security Research and Development. “During the testing phase, numerous cyber vulnerabilities were identified and remediated. This model can be used to ensure all apps used by the public-safety professionals are secured against cyberattacks and other security and privacy weaknesses.”
For the study, APCO selected thirty-three popular apps (iOS and Android versions counted separately) created by twenty developers that are offered through AppComm, its public-safety application directory. The pilot was conducted over three months by the team using Kryptowire’s mobile app software testing platform integrated into APCO’s AppComm website. The testing scrutinized each app’s security, privacy, and information and device access.
The pilot-testing project discovered potential security and privacy concerns—such as access to the device camera, contacts or Short Message Service messages—in thirty-two of thirty-three popular apps that were tested. Eighteen apps were discovered to have critical flaws such as hard-coded credentials stored in binary, issues with handling Secure Sockets Layer certificates or susceptibility to “man-in-the-middle” attacks.
Pilot project leaders worked with each app developer to remediate identified vulnerabilities. So far, ten developers successfully remediated their apps, and as a result of the pilot project, the security and privacy concerns of fourteen mobile apps were addressed.
Most developers who fixed their app’s vulnerability(ies) reported investing approximately one hour on remediation. Remediation steps included removing old or unused code, enabling built-in security provided by the operating system, and ensuring the functionality requested is necessary for operations.
“As more apps are adopted for public-safety missions, it is critical that a formal, ongoing app-evaluation process with incentives for developer participation be adopted to ensure current and new mobile apps are free of vulnerabilities,” said John Merrill, Director of the S&T FRG Next Generation First Responder Apex program.
Additional Resource: DHS S&T Report on Securing Mobile Apps for First Responders (December 2017)