NIST SP 800-163 Vetting the Security of Mobile Applications
1 Introduction
When deploying a new technology, an organization should be aware of the potential security impact it
may have on the organization’s IT resources, data, and users. While new technologies may offer the
promise of productivity gains and new capabilities, they may also present new risks. Thus, it is important
for an organization’s IT professionals and users to be fully aware of these risks and either develop plans
to mitigate them or accept their consequences.
Recently, there has been a paradigm shift where organizations have begun to deploy new mobile
technologies to facilitate their business processes. Such technologies have increased productivity by
providing (1) an unprecedented level of connectivity between employees, vendors, and customers; (2)
real-time information sharing; (3) unrestricted mobility; and (4) improved functionality. These mobile
technologies comprise mobile devices (e.g., smartphones and tablets) and related mobile applications (or
apps) that provide mission-specific capabilities needed by users to perform their duties within the
organization (e.g., sales, distribution, and marketing). Despite the benefits of mobile apps, their use can
also introduce serious security risks, because, like traditional enterprise applications, apps may contain
software vulnerabilities that are susceptible to attack. Such vulnerabilities may be exploited by an attacker
to steal information or take control of a user’s device.
To help mitigate the risks associated with software vulnerabilities, organizations should employ software
assurance processes. Software assurance refers to “the level of confidence that software is free from
vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during
its life cycle, and that the software functions in the intended manner” [1]. The software assurance process
includes “the planned and systematic set of activities that ensures that software processes and products
conform to requirements, standards, and procedures” [2]. A number of government and industry legacy
software assurance standards exist that are primarily directed at the process for developing applications
that require a high level of assurance (e.g., space flight, automotive systems, and critical defense
systems).
Although considerable progress has been made in the past decades in the area of software
assurance, and research and development efforts have resulted in a growing market of software assurance
tools and services, the state of practice for many today still includes manual activities that are time-consuming,
costly, and difficult to quantify and make repeatable. The advent of mobile computing adds
new challenges because it does not necessarily support traditional software assurance techniques.
1.1 Traditional vs. Mobile Application Security Issues
The economic model of the rapidly evolving app marketplace challenges the traditional software
development process. App developers are attracted by the opportunities to reach a market of millions of
users very quickly. However, such developers may have little experience building quality software that is
secure and do not have the budgetary resources or motivation to conduct extensive testing. Rather than
performing comprehensive software tests on their code before making it available to the public,
developers often release apps that contain functionality flaws and/or security-relevant weaknesses. That
can leave an app, the user’s device, and the user’s network vulnerable to exploitation by attackers.
Developers and users of these apps often tolerate buggy, unreliable, and insecure code in exchange for the
low cost. In addition, app developers typically update their apps much more frequently than developers of
traditional applications do.
Examples of these software assurance standards include DO-178B, Software Considerations in Airborne Systems and
Equipment Certification [3], IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related
System [4], and ISO 26262 Road vehicles -- Functional safety [5].