S&T, NSA Test Automated Security Vetting For Mobile Apps

WASHINGTON— Ensuring the security of mobile application (app) software for use within the federal government no longer needs to be time consuming or expensive.  Under a joint pilot program, the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Information Assurance Partnership (NIAP) within the National Security Agency (NSA)  cybersecurity mission have demonstrated that the process can be automated. 

Assessing whether mobile apps are compliant to a NIAP Protection Profile (PP) has traditionally been a long and costly process. By automating that process, S&T and NIAP offer agencies the ability to quickly, affordably, and reliably determine if their apps meet NIAP’s stringent security requirements.

“Automated testing will help bring the speed of NIAP evaluations to keep pace with the rapid, agile development and release cycles of today’s modern mobile app ecosystem,” said Mary Baish, Director of NIAP.

For the pilot, researchers worked with S&T Mobile Security and Emergency Communications (Mobile SEC) partners Kryptowire and Intelligent Waves, using Kryptowire’s vetting infrastructure to perform an automated analysis of the Android and Apple iOS versions of Intelligent Waves’ Hypori® app. 

The Leidos Common Criteria Testing Laboratory then analyzed Kryptowire’s results to determine if they were consistent with a conventional evaluation. Separately, NIAP experts provided additional analysis. Evaluators determined that automated testing accurately met NIAP requirements while requiring less time, personnel, and money.

“The pilot’s success is significant in that automating these evaluations to deliver accurate and trustworthy results will lower the barrier to entry by reducing the burden needed for NIAP PP Mobile App Vetting certifications,” said Vincent Sritapan, Mobile SEC Program Manager. “This increased testing will raise the security posture of the government’s mobile app ecosystem and at the same time raise confidence among app end-users, primarily the tax-paying public.”

The pilot also produced findings that show how NIAP certifications and app vetting can be designed and conducted in the future, including the following:

• Automated vetting against NIAP requirements allows for faster testing and fielding of app updates.
• Apps can be assessed for basic compliance before a formal NIAP evaluation, providing risk reductions for several stakeholders including agencies, software vendors, and end-users.
• Apps can be accurately vetted, even if analysts and evaluators do not have access to source code.
• Apps can be vetted against updated requirements without undergoing a full NIAP recertification.
• The results bode well for other security automation efforts, some of which already are underway.

The pilot testing report, titled Automating National Information Assurance Partnership Requirements Testing for Mobile Apps, demonstrates that automated testing tools and methodologies are reliable and efficient.