The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded funding to five research and development (R&D) projects that will enhance the secure use of mobile applications (apps) for the federal government.
These Mobile Application Security (MAS) R&D projects will be managed by the DHS S&T Mobile Security R&D program, which is part of the Cyber Security Division in the Homeland Security Advanced Research Projects Agency. S&T says that the recently launched MAS project is focused on continuous validation and threat protection for mobile apps and integrating security throughout the mobile app lifecycle. It also is developing a security framework and integrated models that will enable the development of secure mobile apps for mission use by DHS components, other government agencies and enterprise organizations.
“Adversaries can use a compromised or vulnerable mobile app as an avenue to target and gain a foothold on a user’s device,” said Acting Under Secretary for Science and Technology William N. Bryan. “The Mobile Application Security project will deliver innovative security solutions that will ensure apps used by government personnel and the public are secure.”
The project contracts were awarded under Broad Agency Announcement HSHQDC-16-R-B0006, which was issued in June 2016 by the S&T Cyber Security Division.
“Each group has proposed and will develop innovative secure solutions that will greatly improve the enterprise security of mobile devices and apps connected to backend systems,” said Mobile Security Program Manager Vincent Sritapan. “Through these and future projects, the Mobile Application Security R&D project will ensure mobile apps are secure no matter whether they are developed by the enterprise or acquired from third-party app markets.”
The following organizations received MAS awards for the projects described below:
— Qualcomm Technologies, Inc. of San Diego, California, was awarded $1,842,739 to utilize and integrate its commercial technology to demonstrate a platform on which mobile application security can be anchored in the hardware of a device. The effort will include the demonstration of a Mission-Critical-Grade Security Layer (MCGSL). The MCGSL will extend continuous observations from the mobile device through Application Programming Interfaces to third-party applications and services across the commercial mobile ecosystem. The MCGSL framework will be engineered to continuously validate and secure third-party apps and services, helping to protect their integrity on the mobile device. This approach is designed to offer broad coverage against a wide range of threats by drawing on device utilization context and on application and user behavioral profile information, which can be used to reduce false-positive identification of security incidents and to uncover previously unseen advanced persistent threats. The project is intended to demonstrate the potential for broad use across devices with Qualcomm® Snapdragon™ platforms.
— Lookout, based in San Francisco, California, was awarded $1,800,000 to add new app-threat, -risk and -vulnerability detection and protection capabilities and enhance existing capabilities in its cloud-based Mobile Endpoint Security platform. These enhancements will strengthen the government’s ability to securely enable the use of mobile technologies for mission-critical activities. The work will enhance visibility into risky applications; detection of side-loaded applications and advanced network-based threats such as man-in-the-middle attacks; mobile device and application vulnerability detection and management; and the platform’s Certificate Authority reputation system. The enhanced platform will be applicable to iOS and Android operating systems.
— United Technologies Research Center (UTRC), located in East Hartford, Connecticut, was awarded $1,453,655 to develop and implement a mobile app security system that will run in a hybrid mobile-device-cloud environment called COMBAT (COntinuous Monitoring of Behavior to protect devices from evolving mobile Application Threats). COMBAT will process diverse sources of information along with artificial intelligence to accurately and efficiently detect malicious and vulnerable apps of varying risk severity levels. COMBAT also will evaluate the risk of an app for a given operational environment and produce a detailed risk-assessment report that includes an explanation of why an app is considered malicious. UTRC will build an on-device behavior monitoring service to dynamically track the behavior of vetted apps in real time and enforce desirable policies (e.g., provide protection from app masquerading and other obfuscation attacks). COMBAT will be demonstrated on Android devices.
— Apcerto, Inc. of Ashburn, Virginia, was awarded $1,643,419 to research and develop solutions for normalizing and rating mobile apps based on predefined standards, as well as a framework for orchestrating the entire mobile app security process. The first solution will provide a testbed for mobile app security orchestration and the normalization of results to standards, including the National Information Assurance Partnership, Open Web Application Security Project, Health Insurance Portability and Accountability Act, and Sarbanes-Oxley Act. Apcerto’s platform will integrate with security tool vendors and translate their respective outputs to a scoring system. The platform will provide a sustainable model of “security analysis as a service” that enables the public and private sectors to vet mobile apps and create secure mobile solutions.
— Red Hat, Inc., of Raleigh, North Carolina, and Kryptowire, LLC of Fairfax, Virginia, were jointly awarded $1,902,750 to integrate security throughout the entire mobile app development lifecycle. They will develop an extension of the Red Hat Mobile Application Platform (RHMAP) that will provide security templates for developers and integrate automated mobile app security testing. This effort will adhere to appropriate U.S. government mobile security standards (e.g., the National Information Assurance Partnership Software Protection Profile). The goal is to automatically enforce checks that ensure developed app code and third-party libraries comply with security standards throughout the mobile app development lifecycle. The mobile security technology will be optimized for iOS and Android apps.