DHS Pilot to Secure Apps

The Department of Homeland Security’s (DHS) Science and Technology (S&T) Directorate (https://www.dhs.gov/science-and-technology) has established a pilot project to automate and incorporate security. This pilot project will entail designing up-to-date security tools for mobile apps to assist developers, analysts, and security and network operators.

In emergency and disaster situations, mobile devices and apps enable public safety professionals to receive and share critical information in real time to enhance the delivery of lifesaving services. As the reliance on mobile technology grows, it is important that mobile apps used for public safety purposes are free of malware and vulnerabilities.

The DHS S&T pilot project is working to develop cost-effective automated methods to vet, deploy, and manage mobile apps. The pilot project is currently developing new and innovative approaches to enable continuous validation and threat protection for mobile apps and to enable the integration of security throughout the mobile app lifecycle.

Testing the pilot was a joint effort of the Homeland Security Advanced Research Projects Agency’s Cyber Security Division, S&T’s First Responder Group, the Association of Public-Safety Communications Officials (APCO) (https://www.apcointl.org), and Kryptowire LLC (www.kryptowire.com), the developer of the mobile app-vetting platform funded by S&T at DHS.

For the study, APCO selected 33 popular apps (iOS and Android versions counted separately) created by 20 developers that are offered through AppComm, its public safety application directory.

The pilot was conducted over three months by the team using Kryptowire’s mobile app software testing platform that was integrated into APCO’s AppComm website. The testing scrutinized each app’s security, privacy, information, and device access.

The pilot testing discovered potential security and privacy concerns, such as access to the device camera, contacts, or messages, in 32 of the 33 popular apps tested. Eighteen apps had critical flaws, such as hard-coded credentials stored in the binary and issues with handling Secure Sockets Layer certificates, and were found to be susceptible to attacks.

Pilot project leaders worked with each app developer to identify vulnerabilities. So far, ten developers have successfully remediated their apps, and as a result of the pilot project, the security and privacy concerns for 14 mobile apps have been addressed.

Go to https://www.dhs.gov/publication/csd-mobile-app-security-study-first-responders to view the DHS S&T report “Securing Mobile Applications for First Responders” concerning the pilot’s testing results and recommendations.