DHS invests in mobile app security
Connecting state and local government leaders
The Department of Homeland Security's Science & Technology Directorate is funding research to secure the entire app development lifecycle.
When it comes to the securing mobile computing, government agencies are challenged not only by traditional software vulnerabilities, but also by the number and types of services accessible through mobile apps.
The Department of Homeland Security’s Science and Technology Directorate began taking an active role in validation and threat protection for mobile apps two years ago when it began working with Kryptowire for assessing risk, analyzing vulnerabilities and archiving mobile applications. On Sept. 6, the company won its second S&T award for a $1.9 million project with Red Hat to secure the entire app development lifecycle.
“Our work in the past was focused on the testing of third-party apps, which is any app that you don’t have access to the source code,” Tom Karygiannis, vice president of product at Kryptowire, told GCN. “With the new award, we are analyzing mobile applications during the development process so we can detect any security or privacy issues before the apps end up on a user’s device or in an app store.”
The partners will develop a framework for automating security and privacy compliance in the mobile application lifecycle. The goal is to automatically ensure app code and third-party libraries comply with security standards through the development, deployment and maintenance processes.
This most recent funding for mobile research came out of agencies' desire to build their own applications, according to Vincent Sritapan, mobile security program manager for S&T’s Cyber Security Division.
“There could be a commercial off the shelf capability that is good, but we need it to meet a standard … [that ensures] the apps are not risky, vulnerable or include additional malware,” Sritapan said. “Having an app development platform that integrates security is the next step.”
Mobile security provider Lookout received a $1.8 million award to add capabilities to detect threats, risks and vulnerabilities to its cloud-based Mobile Endpoint Security platform. The company will focus on detecting malicious behavior in applications whether they come from man-in-the middle attacks, side-loaded applications and other risky behaviors.
“The government would like for us to alert them when applications have been removed from the app store and need to be removed from devices because of malicious activity,” Bob Stevens, vice president of federal at Lookout, said. “They want to know if data from apps is being sent to a particular cloud service and other enhancements to risky behavior that we are detecting today.”
DHS is also purchasing 2,500 licenses for Lookout’s Mobile Endpoint Security to be used by any government agency. S&T will share the licenses with agencies for testing, and they can provide feedback on other desired capabilities from the Lookout service.
S&T also issued three other awards related to mobile app security research.
QualComm Technologies received $1.84 million to demonstrate how mobile app security can be integrated into a device's hardware.
The United Technologies Research Center was awarded $1.45 million to develop a hybrid mobile-device-cloud environment to detect malicious and vulnerable apps and build a device-based behavior monitoring service to dynamically track the behavior of vetted apps in real time.
Apcerto received $1.64 million to develop solutions to normalize and rate apps based on predefined standards and create a framework for orchestrating the entire mobile app security process.