NIST Updating Recommendations for Mobile App Security

NEWS ANALYSIS: Security experts provide insight on the National Institute of Standards and Technology (NIST) revised guidance for how organizations can better secure mobile applications.

NIST Mobile App Security

The National Institute of Standards and Technology is working on updating its recommendations for how organizations and developers can keep mobile applications secure.

The updated recommendations are being made to the Special Publication (SP) 800-163, Vetting the Security of Mobile Applications document that was initially released in January 2015. The 50-page draft revision includes additional clarity and details on how to minimize mobile app risks.

"Mobile technology changes quickly, and our publication needs to move fast to keep up," computer scientist Michael Ogata, one of the draft's coauthors, wrote in a statement. "Security specialists in both the private sector and government have been working to improve app vetting, and this update reflects their efforts."

The draft revision is open for public comment until Sept. 6.

Security experts contacted by eWEEK were largely optimistic about the new NIST mobile security guidance.

"NIST's recommendations for mobile app vetting are fairly comprehensive and very thoughtful," Michael Covington, vice president of product strategy at Wandera, told eWEEK. "It's good to see guidance that looks closely at the technical merits of an app and goes beyond very coarse, category-based policies."

NIST has clearly considered a breadth of risks and even factored in tradeoffs that some organizations may be willing to make, Covington said. However, while the guidance itself is technically solid, Covington said he struggles to see how any organization can scale to adopt the guidelines for all of their mobile apps.

Mukul Kumar, CISO and vice president of Cyber Practice at Cavirin, commented that NIST 800-163 provides one piece of the puzzle in securing the mobile ecosystem. 

"However, it must be adopted in conjunction with other policies and procedures that secure the device," Kumar told eWEEK.  "Ultimately, the real test will be adoption, as we've seen larger enterprises are more likely to have the means of adopting this and other NIST recommendations, while smaller enterprises are more at risk."

Michael Murray, vice president of security intelligence at Lookout, also sees NIST 800-163 as a comprehensive standard for describing the style of risk assessments that enterprises and large organizations should be implementing when deploying applications widely to their fleet.

"SP800-163 describes the special considerations that should be applied to applications that will be distributed to and run on devices on mobile platforms," Murray told eWEEK. "The one blind spot is that with the increasing use of BYOD, application control is harder to maintain." 

Murray added that as users are increasingly able to install applications of their choosing on devices with enterprise assets, the ability to pre-vet applications will become harder and harder, requiring other strategies to minimize risk on those devices.

Jatin Maniar, director of product strategy at Nok Nok Labs, sees a few missing pieces in the SP800-163 guidance. In his view, the guidelines narrowly focus on application testing and security requirements. The guidelines do not, however, emphasize the need to have security and privacy by design principles baked into the culture and incorporated as part of the application vetting and testing process.

"It assumes that analyzers can identify all exploitable vulnerabilities in the underlying operating systems like Android and iOS across all device types," Maniar said. "Agility in mobile application development is key, so it is imperative that … security and privacy by design principles … be baked into [an organization’s] security requirements to ensure high assurance and make that design criteria integral to their application vetting process."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.