Mobile devices such as smartphones and tablets and the applications (apps) we load onto them have become indispensable to our daily lives—both personal and professional. On the business side, more and more government agencies and private-sector entities are adopting mobile systems to improve business operations and employee efficiency.
However, mobile apps are susceptible to malware, ransomware, spyware, coding flaws and other attacks that could compromise personal data stored on the device. Apps also can be used to gain access to sensitive enterprise resources. Additionally, mobile apps and related services are evolving at a rapid pace, with new apps and updates, operating system updates and service provider updates introduced regularly. This speedy development and implementation process greatly increases mobile technology attack surfaces and exposes devices and apps to new threats and exploits. Average users have few options to assess app security. Even the Android and iOS app stores have had apps with malware, bugs and other vulnerabilities.
The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) is working to increase mobile app security by developing innovative solutions that will extend beyond deployment of an app to provide continuous security assurance throughout an app’s lifecycle. The Mobile App Security project has two primary research and development (R&D) foci. The first is continuous mobile app monitoring, vetting and security assurance to safeguard against vulnerabilities and future threats. The second is establishing a security framework and integrated development environments that will result in development platforms that enable developers to transparently ensure security and functionality throughout the mobile app lifecycle.
Two prominent S&T mobile app security research efforts will be spotlighted at the RSA Conference, April 16-20 in San Francisco.
“S&T is conducting numerous mobile security projects addressing both device and app security. We look forward to showcasing its innovative mobile app security solutions at the RSA Conference,” said Mobile Security R&D Program Manager Vincent Sritapan.
The first S&T-backed effort is focused on the development of continuous validation and threat protection of mobile devices and apps and will be exhibited by performer Qualcomm Cyber Security Solutions in its RSA booth (S2441). The effort is developing a solution that will use mobile device hardware-anchored Mission Critical Grade Security Layer (MCGSL) to protect against zero-day attacks by leveraging its mobile security platform and extending its research partner’s—Kryptowire LLC—mobile app security testing platform.
This approach will provide an application programming interface to the mobile app vetting platform so it can check the integrity of a device and its apps. It will leverage device utilization context, app behavioral profile information and user authentication information to cover a wide range of threats, reduce false-positives of security incidents and defend against zero-day threats. The solution provides enhanced security and lowers the risk for government and private-sector users.
Monitoring the security of an app shouldn’t stop once it is developed and released; it should be an ongoing process. That’s the objective of the second research effort by Red Hat, Inc., which also is working with Kryptowire, which will be demonstrated in S&T’s RSA booth—S1839. The duo is seeking to secure the mobile app development lifecycle where unsecure code could be introduced—either intentionally by a rogue worker or unintentionally.
Discovering and remediating insecure code can save an app developer considerable time and valuable financial resources. For instance, correcting a defect during the requirements phase results in costs of less than one percent of the cost of correcting a defect after the app is in operation. In later lifecycle stages corrective costs continue to rise, eventually surpassing 100 percent once an app is in operational use.
The companies are developing new code-scanning technology by building an integrated platform that enforces end-to-end security for mobile solutions and reduces the cost of maintaining mobile security policies during the app development process and while it is in use. The resulting first-of-its-kind continuous security assurance solution automatically will check proprietary code and third-party and open-source code libraries to ensure risk-based decisions comply with federal government mobility standards before an app is deployed. If a new security or privacy vulnerability is identified, the platform will quickly push security updates.
To learn more about S&T’s mobile security research efforts, get a copy of the newly released Mobile Security R&D Program Guide and talk with principal investigators and Sritapan at S&T’s booth—S1839—in the RSA Conference Exhibit Hall from April 16-19.
The 13 cybersecurity research efforts that will be demonstrated in the S&T booth span from data privacy to denial of service defense and software quality assurance to transition-ready technologies from the Transition to Practice program.