Navigating the Future of Mobile Services Report

American Technology Council & Federal CIO Council, October 2017

Introduction

The Federal Government increasingly relies on commercial and custom-built mobile applications (apps) to conduct business and to deliver government information and services to the public. These apps may be developed by trusted in-house developers, by contractors, or by third parties with no previous relationship to the agencies that use them. Even well-intentioned developers make programming errors that can expose sensitive user and enterprise information. Moreover, while federal agencies have access to the source code of internally developed apps, third-party apps must go through a software assurance vetting process without access to source code.

Mobile applications increase productivity by giving users real-time information sharing and 'anytime, anywhere' access to perform enterprise or mission-specific tasks and to communicate with the public. As with traditional desktop and enterprise applications, mobile apps can contain malware or have security vulnerabilities that attackers could exploit to gain access to sensitive government information and resources. Unlike desktop applications, however, mobile apps have ready access to precise location information, contact details, sensor data, photos, and messages, and personal information collected by these apps can be sold to marketers or advertising agencies. Additional threats include ransomware and malware that surreptitiously records the user through the device's camera or microphone. Because mobile applications rely on cloud services to store enterprise data, apps that do not follow secure programming practices can expose the cloud infrastructure to new risks.

The sheer number of available apps (millions), the frequently unknown provenance of app developers, and the widespread use of third-party libraries in apps require a software assurance process tailored to mobile apps. App vetting is the part of the software assurance process that occurs after app development: it evaluates mobile apps against a set of security requirements to identify weaknesses, vulnerabilities, poor programming practices, improper use of cryptographic functions, insecure authentication to cloud services, and malicious or privacy-invasive behaviors. Its objective is to provide federal agencies with a level of assurance that commercial and custom-developed mobile apps used to conduct government business will not compromise federal systems or information, operate as described, request no more permissions than they need, and do not expose information that could harm the privacy, security, or safety of employees or the public.
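One of the vetting checks named above, that an app requests no more permissions than it needs, can be performed statically from the app's manifest without source code. The following Python is an added illustration written for this page, not a tool from the report or from any agency vetting program: it parses a constructed AndroidManifest.xml for a hypothetical timesheet app whose stated purpose justifies only network access, lists every requested permission, flags those outside the justified set (and which of those Android classifies as runtime, or "dangerous", permissions), and also reports two manifest flags that indicate poor programming practice, `android:debuggable` and `android:usesCleartextTraffic`. The justified set and the sample manifest are assumptions for the example; the permission and attribute names are real Android identifiers.

```python
"""Manifest-level permission check for Android apps.

Illustrative example only: the sample manifest and the "justified" set are
constructed for this page and do not come from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android's runtime ("dangerous") permissions, used here to rank
# findings. The authoritative list is the Android platform documentation.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample: a timesheet app that only needs network access, but
# whose manifest asks for location, contacts and microphone and ships with
# debugging and cleartext traffic enabled.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="gov.example.timesheet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Timesheet"
        android:debuggable="true"
        android:usesCleartextTraffic="true">
    </application>
</manifest>
"""

# Assumed: the permissions the app's documented purpose actually justifies.
JUSTIFIED = {"android.permission.INTERNET"}


def _attr(name):
    """Build the namespaced attribute key ElementTree uses for android:name etc."""
    return "{%s}%s" % (ANDROID_NS, name)


def requested_permissions(manifest_xml):
    """Return every permission declared with <uses-permission>, sorted."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(_attr("name")) for el in root.iter("uses-permission")]
    return sorted(n for n in names if n)


def excess_permissions(requested, justified):
    """Permissions requested beyond what the app's purpose justifies."""
    return sorted(set(requested) - set(justified))


def risky_application_flags(manifest_xml):
    """Flags on <application> that should not appear in a release build."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    return [flag for flag in ("debuggable", "usesCleartextTraffic")
            if app.get(_attr(flag)) == "true"]


def vet_manifest(manifest_xml, justified):
    """Summarize the manifest findings a vetting analyst would triage."""
    requested = requested_permissions(manifest_xml)
    excess = excess_permissions(requested, justified)
    return {
        "requested": requested,
        "excess": excess,
        "excess_dangerous": [p for p in excess if p in DANGEROUS],
        "risky_flags": risky_application_flags(manifest_xml),
    }


if __name__ == "__main__":
    report = vet_manifest(SAMPLE_MANIFEST, JUSTIFIED)
    for key, value in report.items():
        print("%-17s %s" % (key + ":", ", ".join(value) or "none"))
```

The check is deliberately narrow: it answers only whether the manifest asks for more than the documented purpose explains, and whether two well-known release-hygiene flags are set. A real vetting pipeline would combine it with analysis of what the code does with the permissions it holds, since a permission that is justified on paper can still be misused.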

This document provides guidance and recommendations for vetting the security of mobile apps, based on standards and agency best practices. It is intended for federal departments and agencies (D/A) currently performing or considering app vetting, and is aimed broadly at federal government executives, information technology middle managers, software assurance analysts, software developers, and program managers. The guidance applies to vetting both in-house custom-developed apps and apps obtained from commercial app stores (e.g., Google Play Store, Apple App Store, BlackBerry World, Amazon Appstore).