As more organizations deploy mobile apps to facilitate their business processes, it is important that those organizations develop a specific app vetting process in order to mitigate the security risks that such apps can bring. To assist this process, last month the National Institute of Standards and Technology (NIST) set forth its special publication, "Vetting the Security of Mobile Applications," providing step-by-step recommendations to augment data security.
When adopting a new technology, organizations should always investigate and consider the potential security impact that technology may have on their information security resources, their data and their customers. Part of this investigation should always center on whether the technology can perform and function within the organization's systems in its intended manner and whether it is free from vulnerabilities, whether intentionally designed into the software or accidentally introduced at any point during its life cycle.
Unlike a desktop computer system, where software exists within a tightly controlled environment that is uniform throughout the organization, mobile apps pose unique security challenges. They collect personal information, from physical sensor data and personal health metrics to pictures and video, to a much greater and more precise degree than before. Mobile devices also have a wider variety of network services than traditional enterprise applications, such as Wi-Fi, 2G/3G and 4G/LTE, in addition to short-range data connectivity options like Bluetooth and Near Field Communication. All of these mechanisms for data transmission can be vectors for remote exploits.
How Should You Evaluate a Mobile App's Impact on Your Security?
The following key questions will aid an organization in identifying, understanding and documenting the potential security impact of mobile apps on the organization's computing, networking, and data resources:
How will data used by an app be secured?
Apps that collect, store, and transmit sensitive data should protect the confidentiality and integrity of this data. This protection extends to preserving privacy, such as asking permission to use personal information and using it only for authorized purposes.
On what environments will the app be deployed?
Apps that are used only on mobile devices will pose less risk than those that interact with the organization's system-wide desktop software. Apps should have only the minimum permissions necessary and should only grant other applications the necessary permissions.
What are the acceptable levels of risk for this particular app?
An app that is critical to the organization's business processes or that will be made available to the organization's customers or the general public needs to be vetted more thoroughly, as the repercussions of a security breach are much greater than for apps with more limited use.
What is the planned implementation of the app?
New apps should be rolled out slowly and to a select few before organization-wide distribution, to test the mobile security architecture.
For More Information
A well-defined and comprehensive vetting process for mobile apps should be a part of any organization's overall information security strategy. Polsinelli's Intellectual Property team can help your organization:
- Understand the importance of vetting the security of mobile apps as related to your industry.
- Plan for the implementation of the app vetting process.
- Develop app security requirements that are specific to your business and your industry's standards.
- Understand the types of app vulnerabilities and how to detect those vulnerabilities.
- Determine if an application is acceptable for deployment on your organization's mobile devices.
For assistance in launching or refining your own app-vetting process, please contact the authors, a member of the Intellectual Property practice, or your Polsinelli attorney.