
Vetting the Security of Mobile Applications by Steve Quirolgico, Jeffrey Voas, Tom Karygiannis, Christoph Michael, and Karen Scarfone comprises public domain material from the National Institute of Standards and Technology, U.S. Department of Commerce.

Vetting the Security of Mobile Applications

Steve Quirolgico, Jeffrey Voas, Tom Karygiannis, Christoph Michael, Karen Scarfone

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-163

COMPUTER SECURITY

Vetting the Security of Mobile Applications

Steve Quirolgico, Jeffrey Voas, Tom Karygiannis
Computer Security Division
Information Technology Laboratory

Christoph Michael
Leidos
Reston, VA

Karen Scarfone
Scarfone Cybersecurity
Clifton, VA

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-163

January 2015

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et seq., Public Law 107-347.
NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.

Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-163
Natl. Inst. Stand. Technol. Spec. Publ. 800-163, 44 pages (January 2015)
CODEN: NSPUE2

This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-163

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
nist800-163@nist.gov

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

The purpose of this document is to help organizations (1) understand the process for vetting the security of mobile applications, (2) plan for the implementation of an app vetting process, (3) develop app security requirements, (4) understand the types of app vulnerabilities and the testing methods used to detect those vulnerabilities, and (5) determine if an app is acceptable for deployment on the organization's mobile devices.

Keywords

app vetting; apps; malware; mobile devices; security requirements; security vetting; smartphones; software assurance; software security; software testing; software vetting

Acknowledgments

Special thanks to the National Security Agency's Center for Assured Software for providing Appendices B and C which describe Android and iOS app vulnerabilities. Also, thanks to all the organizations and individuals who made contributions to the publication including Robert Martin of The MITRE Corporation, Paul Black and Irena Bojanova of NIST, the Department of Homeland Security (DHS), and the Department of Justice (DOJ). Finally, special thanks to the Defense Advanced Research Projects Agency (DARPA) Transformative Applications (TransApps) program for funding NIST research in mobile app security vetting.

Trademarks

All registered trademarks belong to their respective organizations.

Table of Contents

1 Introduction ... 1
1.1 Traditional vs. Mobile Application Security Issues ... 1
1.2 App Vetting Basics ... 2
1.3 Purpose and Scope ... 3
1.4 Audience ... 3
1.5 Document Structure ... 4
2 App Vetting Process ... 5
2.1 App Testing ... 5
2.2 App Approval/Rejection ... 5
2.3 Planning ... 6
2.3.1 Developing Security Requirements ... 6
2.3.2 Understanding Vetting Limitations ... 9
2.3.3 Budget and Staffing ... 10
3 App Testing ... 11
3.1 General Requirements ... 11
3.1.1 Enabling Authorized Functionality ... 12
3.1.2 Preventing Unauthorized Functionality ... 12
3.1.3 Limiting Permissions ... 13
3.1.4 Protecting Sensitive Data ... 14
3.1.5 Securing App Code Dependencies ... 15
3.1.6 Testing App Updates ... 16
3.2 Testing Approaches ... 16
3.2.1 Correctness Testing ... 16
3.2.2 Source Code Versus Binary Code ... 17
3.2.3 Static Versus Dynamic Analysis ... 17
3.2.4 Automated Tools ... 18
3.3 Sharing Results ... 20
4 App Approval/Rejection ... 21
4.1 Report and Risk Auditing ... 21
4.2 Organization-Specific Vetting Criteria ... 22
4.3 Final Approval/Rejection ... 23
Appendix A — Recommendations ... 24
A.1 Planning ... 24
A.2 App Testing ... 24
A.3 App Approval/Rejection ... 25
Appendix B — Android App Vulnerability Types ... 26
Appendix C — iOS App Vulnerability Types ... 29
Appendix D — Glossary ... 32
Appendix E — Acronyms and Abbreviations ... 33
Appendix F — References ... 34

List of Figures and Tables

Figure 1. An app vetting process and its related actors. ... 6
Figure 2. Organizational app security requirements. ... 8
Table 1. Android Vulnerabilities, A Level ... 26
Table 2. Android Vulnerabilities by Level ... 27
Table 3. iOS Vulnerability Descriptions, A Level ... 29
Table 4. iOS Vulnerabilities by Level ... 30

Executive Summary

Recently, organizations have begun to deploy mobile applications (or apps) to facilitate their business processes. Such apps have increased productivity by providing an unprecedented level of connectivity between employees, vendors, and customers, real-time information sharing, unrestricted mobility, and improved functionality. Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security issues. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack. Such vulnerabilities may be exploited by an attacker to gain unauthorized access to an organization's information technology resources or the user's personal data.

To help mitigate the risks associated with app vulnerabilities, organizations should develop security requirements that specify, for example, how data used by an app should be secured, the environment in which an app will be deployed, and the acceptable level of risk for an app. To help ensure that an app conforms to such requirements, a process for evaluating the security of apps should be performed. We refer to this process as an app vetting process. An app vetting process is a sequence of activities that aims to determine if an app conforms to an organization's security requirements. An app vetting process comprises two main activities: app testing and app approval/rejection. The app testing activity involves the testing of an app for software vulnerabilities by services, tools, and humans to derive vulnerability reports and risk assessments. The app approval/rejection activity involves the evaluation of these reports and risk assessments, along with additional criteria, to determine the app's conformance with organizational security requirements and ultimately, the approval or rejection of the app for deployment on the organization's mobile devices.

Before using an app vetting process, an organization must first plan for its implementation. To facilitate the planning of an app vetting process implementation, this document:

• describes the general and context-sensitive requirements that make up an organization's app security requirements.

• provides a questionnaire for identifying the security needs and expectations of an organization that are necessary to develop the organization's app security requirements.

With respect to the app testing activity of an app vetting process, this document describes:

• the app testing activity and its related actors.

• issues and recommendations surrounding the security of app files during testing.

• general app security requirements including: preventing unauthorized functionality, protecting sensitive data, and securing app code dependencies.

• issues and recommendations surrounding the use of source code vs. binary code, static vs. dynamic analysis, and automated tools for testing apps.

• issues and recommendations surrounding the sharing of test results.

• Android and iOS app vulnerabilities.

With respect to the app approval/rejection activity of an app vetting process, this document describes:

• the app approval/rejection activity and its related actors.

• organization-specific vetting criteria that may be used to help determine an app's conformance to context-sensitive security requirements.

NIST SP 800-163 Vetting the Security of Mobile Applications

1 Introduction

When deploying a new technology, an organization should be aware of the potential security impact it may have on the organization's IT resources, data, and users. While new technologies may offer the promise of productivity gains and new capabilities, they may also present new risks. Thus, it is important for an organization's IT professionals and users to be fully aware of these risks and either develop plans to mitigate them or accept their consequences.

Recently, there has been a paradigm shift where organizations have begun to deploy new mobile technologies to facilitate their business processes. Such technologies have increased productivity by providing (1) an unprecedented level of connectivity between employees, vendors, and customers; (2) real-time information sharing; (3) unrestricted mobility; and (4) improved functionality. These mobile technologies comprise mobile devices (e.g., smartphones and tablets) and related mobile applications (or apps) that provide mission-specific capabilities needed by users to perform their duties within the organization (e.g., sales, distribution, and marketing).

Despite the benefits of mobile apps, however, the use of apps can potentially lead to serious security risks. This is so because, like traditional enterprise applications, apps may contain software vulnerabilities that are susceptible to attack.
Such vulnerabilities may be exploited by an attacker to steal information or control a user's device. To help mitigate the risks associated with software vulnerabilities, organizations should employ software assurance processes. Software assurance refers to "the level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner" [1]. The software assurance process includes "the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures" [2]. A number of government and industry legacy software assurance standards exist that are primarily directed at the process for developing applications that require a high level of assurance (e.g., space flight, automotive systems, and critical defense systems).¹

Although considerable progress has been made in the past decades in the area of software assurance, and research and development efforts have resulted in a growing market of software assurance tools and services, the state of practice for many today still includes manual activities that are time-consuming, costly, and difficult to quantify and make repeatable. The advent of mobile computing adds new challenges because it does not necessarily support traditional software assurance techniques.

1.1 Traditional vs. Mobile Application Security Issues

The economic model of the rapidly evolving app marketplace challenges the traditional software development process. App developers are attracted by the opportunities to reach a market of millions of users very quickly. However, such developers may have little experience building quality software that is secure and do not have the budgetary resources or motivation to conduct extensive testing. Rather than performing comprehensive software tests on their code before making it available to the public, developers often release apps that contain functionality flaws and/or security-relevant weaknesses. That can leave an app, the user's device, and the user's network vulnerable to exploitation by attackers.

Developers and users of these apps often tolerate buggy, unreliable, and insecure code in exchange for the low cost. In addition, app developers typically update their apps much more frequently than traditional applications.

¹ Examples of these software assurance standards include DO-178B, Software Considerations in Airborne Systems and Equipment Certification [3], IEC 61508 Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related System [4], and ISO 26262 Road vehicles -- Functional safety [5].

Organizations that once spent considerable resources to develop in-house applications are taking advantage of inexpensive third-party apps and web services to improve their organization's productivity.

Increasingly, business processes are conducted on mobile devices. This contrasts with the traditional information infrastructure where the average employee uses only a handful of applications and web-based enterprise databases. Mobile devices provide access to potentially millions of apps for a user to choose from. This trend challenges the traditional mechanisms of enterprise IT security software where software exists within a tightly controlled environment and is uniform throughout the organization.

Another major difference between apps and enterprise applications is that unlike a desktop computing system, far more precise and continuous device location information, physical sensor data, personal health metrics, and pictures and audio about a user can be exposed through apps. Apps can sense and store information including user personally identifiable information (PII). Although many apps are advertised as being free to consumers, the hidden cost of these apps may be selling the user's profile to marketing companies or online advertising agencies.

There are also differences between the network capabilities of traditional computers that enterprise applications run on and mobile devices that apps run on. Unlike traditional computers that connect to the network via Ethernet, mobile devices have access to a wide variety of network services including Wireless Fidelity (Wi-Fi), 2G/3G, and 4G/Long Term Evolution (LTE). This is in addition to short-range data connectivity provided by services such as Bluetooth and Near Field Communications (NFC). All of these mechanisms of data transmission are typically available to apps that run on a mobile device and can be vectors for remote exploits. Further, mobile devices are not physically protected to the same extent as desktop or laptop computers and can therefore allow an attacker to more easily (physically) acquire a lost or stolen device.

1.2 App Vetting Basics

To provide software assurance for apps, organizations should develop security requirements that specify, for example, how data used by an app should be secured, the environment in which an app will be deployed, and the acceptable level of risk for an app (see [6] for more information). To help ensure that an app conforms to such requirements, a process for evaluating the security of apps should be performed.

We refer to this process as an app vetting process. An app vetting process is a sequence of activities that aims to determine if an app conforms to the organization's security requirements.² This process is performed on an app after the app has been developed and released for distribution but prior to its deployment on an organization's mobile device. Thus, an app vetting process is distinguished from software assurance processes that may occur during the software development life cycle of an app. Note that an app vetting process typically involves analysis of an app's compiled, binary representation but can also involve analysis of the app's source code if it is available.

The software distribution model that has arisen with mobile computing presents a number of software assurance challenges, but it also creates opportunities. An app vetting process acknowledges the concept that someone other than the software vendor is entitled to evaluate the software's behavior, allowing organizations to evaluate software in the context of their own security policies, planned use, and risk tolerance. However, distancing a developer from an organization's app vetting process can also make those activities less effective with respect to improving the secure behavior of the app.

² The app vetting process can also be used to assess other app issues including reliability, performance, and accessibility but is primarily intended to assess security-related issues.

App stores may perform app vetting processes to verify compliance with their own requirements.

However, because each app store has its own unique, and not always transparent, requirements and vetting processes, it is necessary to consult current agreements and documentation for a particular app store to assess its practices. Organizations should not assume that an app has been fully vetted and conforms to their security requirements simply because it is available through an official app store. Third-party assessments that carry a moniker of "approved by" or "certified by" without providing details of which tests are performed, what the findings were, or how apps are scored or rated, do not provide a reliable indication of software assurance. These assessments are also unlikely to take organization-specific requirements and recommendations into account, such as federal-specific cryptography requirements.

Although a "one size fits all" approach to app vetting is not plausible, the basic findings from one app vetting effort may be reusable by others. Leveraging another organization's findings for an app should be contemplated to avoid duplicating work and wasting scarce app vetting resources. With appropriate standards for scoping, managing, licensing, and recording the findings from software assurance activities in consistent ways, app vetting results can be looked at collectively, and common problems and solutions may be applicable across the industry or with similar organizations.

An app vetting process should be included as part of the organization's overall security strategy. If the organization has a formal process for establishing and documenting security requirements, an app vetting process should be able to import those requirements created by the process. Bug and incident reports created by the organization could also be imported by an app vetting process, as could public advisories concerning vulnerabilities in commercial and open source apps and libraries, and conversely, results from app vetting processes may get stored in the organization's bug tracking system.

1.3 Purpose and Scope

The purpose of this document is to help organizations (1) understand the app vetting process, (2) plan for the implementation of an app vetting process, (3) develop app security requirements, (4) understand the types of app vulnerabilities and the testing methods used to detect those vulnerabilities, and (5) determine if an app is acceptable for deployment on the organization's mobile devices. Ultimately, the acceptance of an app depends on the organization's security requirements which, in turn, depend on the environment in which the app is deployed, the context in which it will be used, and the underlying mobile technologies used to run the app. This document highlights those elements that are particularly important to be considered before apps are approved as "fit-for-use." Note that this document does not address the security of the underlying mobile platform and operating system, which are addressed in other publications [6, 7, 8]. While these are important characteristics for organizations to understand and consider in selecting mobile devices, this document is focused on how to vet apps after the choice of platform has been made. Similarly, discussion surrounding the security of web services used to support back-end processing for apps is out of scope for this document.
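Section 1.2 above notes that public advisories about vulnerabilities in commercial and open source libraries are one of the inputs an app vetting process can import. The Python script below is an added illustration of that step; it is not part of NIST SP 800-163 and does not come from the authors. It parses a dependency manifest for an app and reports every pinned library version that falls inside an advisory's affected range. The `library==version` manifest format, the library names, the version ranges and the `ADV-PLACEHOLDER-*` identifiers are all constructed for this example and correspond to no real software or advisory.

```python
"""Cross-check an app's declared library dependencies against a list of
vulnerability advisories, as an app vetting process might do when it
imports public advisories (see Section 1.2).  Every manifest line and
advisory below is constructed for illustration; none is real."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.
    A plain string comparison would wrongly sort '1.10' before '1.9'."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    library: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = no fix yet
    identifier: str            # advisory id; placeholders here, not real ids
    summary: str


def is_affected(version: str, adv: Advisory) -> bool:
    """A version is affected when introduced <= version < fixed.
    An advisory with no fix affects every version from 'introduced' on."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is None:
        return True
    return v < parse_version(adv.fixed)


def parse_manifest(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'library==version' lines (hypothetical manifest format),
    skipping blank lines and '#' comments.  Unpinned entries are rejected
    because a range cannot be checked against an advisory."""
    deps = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps.append((name.strip().lower(), version.strip()))
    return deps


def check_dependencies(manifest_lines: Iterable[str],
                       advisories: Iterable[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (library, version, advisory id) for each affected dependency."""
    index: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        index.setdefault(adv.library.lower(), []).append(adv)
    findings = []
    for name, version in parse_manifest(manifest_lines):
        for adv in index.get(name, []):
            if is_affected(version, adv):
                findings.append((name, version, adv.identifier))
    return findings


# Constructed sample input: not a real app, not real advisories.
SAMPLE_MANIFEST = """
# third-party libraries bundled with the app (constructed example)
netlib==2.3.1
imagekit==1.10.0
jsonparse==0.9.7   # pinned just below the fixed release
""".splitlines()

SAMPLE_ADVISORIES = [
    Advisory("netlib", "2.0.0", "2.3.0", "ADV-PLACEHOLDER-001",
             "constructed example: fixed in 2.3.0"),
    Advisory("imagekit", "1.2.0", None, "ADV-PLACEHOLDER-002",
             "constructed example: no fixed release yet"),
    Advisory("jsonparse", "0.9.0", "0.9.8", "ADV-PLACEHOLDER-003",
             "constructed example: fixed in 0.9.8"),
]

if __name__ == "__main__":
    for lib, ver, adv_id in check_dependencies(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{lib} {ver}: affected by {adv_id}")
```

On the sample data the script flags `imagekit` and `jsonparse` but clears `netlib`, whose pinned 2.3.1 is past the fixed version. The `imagekit` case is the one worth noticing: its version 1.10.0 is only recognised as newer than the advisory's 1.2.0 because versions are compared as integer tuples; a vetting tool that compared them as strings would silently miss it.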

1.4 Audience

This document is intended for organizations that plan to implement an app vetting process or leverage existing app vetting results from other organizations. It is also intended for developers that are interested in understanding the types of software vulnerabilities that may arise in their apps during the app's software development life cycle.

1.5 Document Structure

The remainder of this document is organized into the following sections and appendices:

- Section 2 presents an overview of an app vetting process including recommendations for planning the implementation of an app vetting process.
- Section 3 describes the app testing activity of an app vetting process. Organizations interested in leveraging only existing security reports and risk assessments from other organizations can skip this section.
- Section 4 describes the app approval/rejection activity of an app vetting process.
- Appendix A describes recommendations related to the app testing and app approval/rejection activities of an app vetting process as well as the planning of an app vetting process implementation.
- Appendices B and C identify and define platform-specific vulnerabilities for apps running on the Android and iOS operating systems, respectively.
- Appendix D defines selected terms used in this document.
- Appendix E defines selected acronyms and abbreviations used in this document.
- Appendix F lists references used in this document.
2 App Vetting Process

An app vetting process comprises a sequence of two main activities: app testing and app approval/rejection. In this section, we provide an overview of these two activities as well as provide recommendations for planning the implementation of an app vetting process.

2.1 App Testing

An app vetting process begins when an app is submitted by an administrator to one or more analyzers for testing. An administrator is a member of the organization who is responsible for deploying, maintaining, and securing the organization's mobile devices as well as ensuring that deployed devices and their installed apps conform to the organization's security requirements. Apps that are submitted by an administrator for testing will typically be acquired from an app store or an app developer, each of which may be internal or external to the organization. Note that the activities surrounding an administrator's acquisition of an app are not part of an app vetting process. An analyzer is a service, tool, or human that tests an app for specific software vulnerabilities and may be internal or external to the organization. When an app is received by an analyzer, the analyzer may perform some preprocessing of the app prior to testing the app. Preprocessing of an app may be used to determine the app's suitability for testing and may involve ensuring that the app decompiles correctly, extracting meta-data from the app (e.g., app name and version number) and storing the app in a local database. After an app has been received and preprocessed by an analyzer, the analyzer then tests the app for the presence of software vulnerabilities. Such testing may include a wide variety of tests including static and dynamic analyses and may be performed in an automated or manual fashion.
Note that the tests performed by an analyzer are not organization-specific but instead are aimed at identifying software vulnerabilities that may be common across different apps. After testing an app, an analyzer generates a report that identifies detected software vulnerabilities. In addition, the analyzer generates a risk assessment that estimates the likelihood that a detected vulnerability will be exploited and the impact that the detected vulnerability may have on the app or its related device or network. Risk assessments are typically represented as ordinal values indicating the severity of the risk (e.g., low-, moderate-, and high-risk).

2.2 App Approval/Rejection

After the report and risk assessment are generated by an analyzer, they are made available to one or more auditors of the organization. An auditor is a member of the organization who inspects reports and risk assessments from one or more analyzers to ensure that an app meets the security requirements of the organization. The auditor also evaluates additional criteria to determine if the app violates any organization-specific security requirements that could not be ascertained by the analyzers. After evaluating all reports, risk assessments, and additional criteria, the auditor then collates this information into a single report and risk assessment and derives a recommendation for approving or rejecting the app based on the overall security posture of the app. This recommendation is then made available to an approver.
An approver is a high-level member of the organization responsible for determining which apps will be deployed on the organization's mobile devices. An approver uses the recommendations provided by one or more auditors that describe the security posture of the app as well as other non-security-related criteria to determine the organization's official approval or rejection of an app. If an app is approved by the approver, the administrator is then permitted to deploy the app on the organization's mobile devices.

If, however, the app is rejected, the organization will follow specified procedures for identifying a suitable alternative app or rectifying issues with the problematic app. Figure 1 shows an app vetting process and its related actors.

Figure 1. An app vetting process and its related actors.

Note that an app vetting process can be performed manually or through systems that provide semi-automated management of the app testing and app approval/rejection activities [9]. Further note that although app vetting processes may vary among organizations, organizations should strive to implement a process that is repeatable, efficient, consistent, and that limits errors (e.g., false positive and false negative results).

2.3 Planning

Before an organization can implement an app vetting process, it is necessary for the organization to first (1) develop app security requirements, (2) understand the limitations of app vetting, and (3) procure a budget and staff for supporting the app vetting process. Recommendations for planning the implementation of an app vetting process are described in Appendix A.1.

2.3.1 Developing Security Requirements

App security requirements state an organization's expectations for app security and drive the evaluation process. When possible, tailoring app security assessments to the organization's unique mission requirements, policies, risk tolerance, and available security countermeasures is more cost-effective in time and resources. Such assessments could minimize the risk of attackers exploiting behaviors not taken into account during vetting, since foreseeing all future insecure behaviors during deployment is unrealistic. Unfortunately, it is not always possible to get security requirements from app end users; the user base may be too broad, may not be able to state their security requirements concretely enough for testing, or may not have articulated any security requirements or expectations of secure behavior.

An organization's app security requirements comprise two types of requirements: general and context-sensitive. A general requirement is an app security requirement that specifies a software characteristic or behavior that an app should exhibit in order to be considered secure. For an app, the satisfaction or violation of a general requirement is determined by analyzers that test the app for software vulnerabilities during the app testing activity of an app vetting process. If an analyzer detects a software vulnerability in an app, the app is considered to be in violation of a general requirement. Examples of general requirements include "Apps must prevent unauthorized functionality" and "Apps must protect sensitive data."

We describe general requirements in Section 3.1. A context-sensitive requirement is an app security requirement that specifies how apps should be used by the organization to ensure the organization's security posture. For an app, the satisfaction or violation of a context-sensitive requirement is not based on the presence or absence of a software vulnerability and thus cannot be determined by analyzers, but instead must be determined by an auditor who uses organization-specific vetting criteria for the app during the app approval/rejection activity of an app vetting process.

Such criteria may include the app's intended set of users or intended deployment environment. If an auditor determines that the organization-specific vetting criteria for an app conflict with a context-sensitive requirement, the app is considered to be in violation of the context-sensitive requirement.

Examples of context-sensitive requirements include "Apps that access a network must not be used in a sensitive compartmented information facility (SCIF)" and "Apps that record audio or video must only be used by classified personnel." We describe organization-specific vetting criteria in Section 4.2. The relationship between the organization's app security requirements and general and context-sensitive requirements is shown in Figure 2.

Here, an organization's app security requirements comprise a subset of general requirements and a subset of context-sensitive requirements. The shaded areas represent an organization's app security requirements that are applied to one or more apps. During the app approval/rejection activity of an app vetting process, the auditor reviews reports and risk assessments generated by analyzers to determine an app's satisfaction or violation of general requirements as well as evaluates organization-specific vetting criteria to determine the app's satisfaction or violation of context-sensitive requirements. Developing app security requirements involves identifying the security needs and expectations of the organization and identifying both general and context-sensitive requirements that address those needs and expectations. For example, if an organization has a need to ensure that apps do not leak PII, the general requirement "Apps must not leak PII" should be defined. If the organization has an additional need to ensure that apps that record audio or video must not be used in a SCIF, then the context-sensitive requirement "Apps that record audio or video must not be used in a SCIF" should be used. After deriving general requirements, an organization should explore available analyzers that test for the satisfaction or violation of those requirements. In this case, for example, an analyzer that tests an app for the leakage of PII should be used. Similarly, for context-sensitive requirements, an auditor should identify appropriate organization-specific vetting criteria (e.g., the features or purpose of the app and the intended deployment environment) to determine if the app records audio or video and if the app will be used in a SCIF. The following questionnaire may be used by organizations to help identify their specific security needs in order to develop their app security requirements.

Figure 2. Organizational app security requirements.

- Does the organization have specific security and privacy needs, secure behavior expectations, and/or risk management needs? For example, what assets in the organization must be protected, and what events must be avoided? What is the impact if the assets are compromised or the undesired events occur?
- What is the set of users that are permitted to use an app?
- Under what circumstances should an app not be used?
- What vetting has already been performed by the official app store, if known?

- Are the critical assets located on mobile devices, or is the concern that mobile devices will be used as a springboard to attack those assets?
- Are threat assessments being performed?
- What characteristics of attacks and attackers is the organization concerned about? For example:
  - What information about personnel would harm the organization as a whole if it were disclosed?
  - Is there a danger of espionage?
  - Is there a danger of malware designed to disrupt operations at critical moments?
  - What kinds of entities might profit from attacking the organization?
- What is the mobile computing environment? Do wireless devices carried by personnel connect to public providers, a communication infrastructure owned by the organization, or both at different times? How secure is the organization's wireless infrastructure if it has one?

- Is the organization interested only in vetting apps, or is an app vetting process expected to evaluate other aspects of mobile device security such as the operating system (OS), firmware, hardware, and communications? Is the app vetting process meant only to perform evaluations or does it play a broader role in the organization's approach to mobile security? Is the vetting process part of a larger security infrastructure, and if so, what are the other components? Note that only software-related vetting is in the scope of this document, but if the organization expects more than this, the vetting process designers should be aware of it.
- How many apps per week will the app vetting process be expected to handle, and how much variation is permissible in the time needed to process individual apps? High volume combined with low funding might necessitate compromises in the quality of the evaluation. Some organizations may believe that a fully automated assessment pipeline provides more risk reduction than it actually does and therefore expect unrealistically low day-to-day expenses.

Organizations should perform a risk analysis [10] to understand and document the potential security risks in order to help identify appropriate security requirements. Some types of vulnerabilities or weaknesses discovered in apps may be mitigated by other security controls included in the enterprise mobile device architecture. With respect to these other controls, organizations should review and document the mobile device hardware and operating system security controls (e.g., encrypted file systems) to identify which security and privacy requirements can be addressed by the mobile device itself. In addition, mobile enterprise security technologies such as Mobile Device Management (MDM) solutions should also be reviewed to identify which security requirements can be addressed by these technologies.
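The auditor's collation step described in Sections 2.2 and 2.3.1 (merging several analyzers' reports and ordinal risk assessments, checking general requirements from analyzer findings and context-sensitive requirements from organization-specific criteria, then deriving a recommendation) can be written down as a small program. The following is an added illustration, not tooling from NIST SP 800-163; the requirement identifiers, the report fields, the sample findings and the rule that a finding's risk is the higher of its likelihood and impact are all assumptions made for this example.

```python
"""Auditor-side collation of analyzer reports against an organization's app
security requirements. Added illustration, not a NIST tool; identifiers,
report fields and the risk-combination rule are assumptions."""
from dataclasses import dataclass

RISK_LEVELS = ("low", "moderate", "high")     # ordinal scale from Section 2.1


def risk_rank(level):
    return RISK_LEVELS.index(level)


@dataclass(frozen=True)
class Finding:
    vuln_id: str        # analyzer's own finding identifier (constructed)
    requirement: str    # general requirement the finding violates
    likelihood: str     # low / moderate / high
    impact: str         # low / moderate / high


@dataclass(frozen=True)
class AnalyzerReport:
    analyzer: str
    findings: tuple


@dataclass(frozen=True)
class AppContext:
    """Organization-specific vetting criteria the auditor gathers (Section 4.2)."""
    records_audio_or_video: bool
    accesses_network: bool
    deployment_environment: str      # e.g. "office" or "SCIF"


# General requirements are judged from analyzer findings.
GENERAL_REQUIREMENTS = {
    "GR-PII": "Apps must not leak PII",
    "GR-UNAUTH": "Apps must prevent unauthorized functionality",
}

# Context-sensitive requirements: text plus the criterion that violates it.
CONTEXT_REQUIREMENTS = {
    "CR-AV-SCIF": ("Apps that record audio or video must not be used in a SCIF",
                   lambda c: c.records_audio_or_video and c.deployment_environment == "SCIF"),
    "CR-NET-SCIF": ("Apps that access a network must not be used in a SCIF",
                    lambda c: c.accesses_network and c.deployment_environment == "SCIF"),
}


def finding_risk(f):
    # Assumption for this example: a finding's risk is the higher of likelihood and impact.
    return max(f.likelihood, f.impact, key=risk_rank)


def collate(reports, context):
    """Merge several analyzer reports and the app context into one report,
    one ordinal risk value, and an approve/reject recommendation."""
    general_violations = {}      # requirement id -> [(analyzer, vuln_id, risk)]
    overall = "low"
    for report in reports:
        for f in report.findings:
            if f.requirement not in GENERAL_REQUIREMENTS:
                raise ValueError(f"unknown requirement {f.requirement}")
            r = finding_risk(f)
            general_violations.setdefault(f.requirement, []).append((report.analyzer, f.vuln_id, r))
            if risk_rank(r) > risk_rank(overall):
                overall = r
    # Context-sensitive requirements cannot come from analyzers; the auditor applies them here.
    context_violations = [rid for rid, (_, broken) in CONTEXT_REQUIREMENTS.items() if broken(context)]
    recommendation = "reject" if general_violations or context_violations else "approve"
    return {"overall_risk": overall, "general_violations": general_violations,
            "context_violations": context_violations, "recommendation": recommendation}


# Constructed sample: two analyzers independently flag PII leakage in an app
# that records video and is intended for use inside a SCIF.
SAMPLE_REPORTS = (
    AnalyzerReport("static-analyzer-A", (Finding("A-0042", "GR-PII", "moderate", "high"),)),
    AnalyzerReport("dynamic-analyzer-B", (Finding("B-0007", "GR-PII", "high", "moderate"),)),
)
SAMPLE_CONTEXT = AppContext(records_audio_or_video=True, accesses_network=False,
                            deployment_environment="SCIF")


def demo():
    return collate(SAMPLE_REPORTS, SAMPLE_CONTEXT)


if __name__ == "__main__":
    print(demo())
```

The point of keeping the two requirement types in separate tables is the one the text makes: a general requirement is decided by what the analyzers found, while a context-sensitive requirement is decided by the auditor from where and by whom the app will be used, and neither check can substitute for the other.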

2.3.2 Understanding Vetting Limitations

As with any software assurance process, there is no guarantee that even the most thorough vetting process will uncover all potential vulnerabilities. Organizations should be made aware that although app security assessments should generally improve the security posture of the organization, the degree to which they do so may not be easily or immediately ascertained. Organizations should also be made aware of what the vetting process does and does not provide in terms of security.

Organizations should also be educated on the value of humans in security assessment processes and ensure that their app vetting does not rely solely on automated tests. Security analysis is primarily a human-driven process [11, 12]; automated tools by themselves cannot address many of the contextual and nuanced interdependencies that underlie software security. The most obvious reason for this is that fully understanding software behavior is one of the classic impossible problems of computer science [13], and in fact current technology has not even reached the limits of what is theoretically possible. Complex, multifaceted software architectures cannot be fully analyzed by automated means. A further problem is that current software analysis tools do not inherently understand what software has to do to behave in a secure manner in a particular context. For example, failure to encrypt data transmitted to the cloud may not be a security issue if the transmission is tunneled through a virtual private network (VPN). Even if the security requirements for an app have been correctly predicted and are completely understood, there is no current technology for unambiguously translating human-readable requirements into a form that can be understood by machines. For these reasons, security analysis requires humans (e.g., auditors) in the loop, and by extension the quality of the outcome depends, among other things, on the level of human effort and level of expertise available for an evaluation.
Auditors should be familiar with standard processes and best practices for software security assessment (e.g., see [11, 14, 15, 16]). A robust app vetting process should use multiple assessment tools and processes, as well as human interaction, to be successful; reliance on only a single tool, even with human interaction, is a significant risk because of the inherent limitations of each tool.

2.3.3 Budget and Staffing

App software assurance activity costs should be included in project budgets and should not be an afterthought. Such costs may include licensing costs for analyzers and salaries for auditors, approvers, and administrators. Organizations that hire contractors to develop apps should specify that app assessment costs be included as part of the app development process. Note, however, that for apps developed in-house, attempting to implement app assessments solely at the end of the development effort will lead to increased costs and lengthened project timelines. It is strongly recommended to identify potential vulnerabilities or weaknesses during the development process when they can still be addressed by the original developers. To provide an optimal app vetting process implementation, it is critical for the organization to hire personnel with appropriate expertise. For example, organizations should hire auditors experienced in software security and information assurance as well as administrators experienced in mobile security.

3 App Testing

In the app testing activity, an app is sent by an administrator to one or more analyzers. After receiving an app, an analyzer assumes control of the app in order to preprocess it prior to testing. This initial part of the app testing activity introduces a number of security-related issues, but such issues pertain more to the security of the app file itself rather than the vulnerabilities that might exist in the app.
Regardless, such issues should be considered by the organization for ensuring the integrity of the app, protecting intellectual property, and ensuring compliance with licensing and other agreements. Most of these issues are related to unauthorized access to the app. If an app is submitted electronically by an administrator to an analyzer over a network, issues may arise if the transmission is made over unencrypted channels, potentially allowing unauthorized access to the app by an attacker. After an app is received, an analyzer will often store an app on a local file system, database, or repository. If the app is stored on an unsecured machine, unauthorized users could access the app, leading to potential licensing violations (e.g., if an unauthorized user copies a licensed app for their personal use) and integrity issues (e.g., if the app is modified or replaced with another app by an attacker).

In addition, violations of intellectual property may also arise if unauthorized users access the source code of the app. Even if source code for an app is not provided by an administrator, an analyzer will often be required to decompile the (binary) app prior to testing. In both cases, the source or decompiled code will often be stored on a machine by the analyzer. If that machine is unsecured, the app's code may be accessible to unauthorized users, potentially allowing a violation of intellectual property. Note that organizations should review an app's End User License Agreement (EULA) regarding the sending of an app to a third party for analysis as well as the reverse engineering of the app's code by the organization or a third party to ensure that the organization is not in violation of the EULA. If an analyzer is external to the organization, then the responsibility of ensuring the security of the app file falls on the analyzer. Thus, the best that an organization can do to ensure the integrity of apps, the protection of intellectual property, and the compliance with licensing agreements is to understand the security implications surrounding the transmission, storage, and processing of an app by the specific analyzer.
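The intake and preprocessing steps from Section 2.1 and the integrity and storage concerns raised just above can be combined into one analyzer-side routine: verify the received file against a hash the administrator supplied separately (so a file modified or replaced in transit is refused), confirm the archive is intact and extract its name and version, store it under restrictive permissions in a content-addressed location, and record it in a local database. The code below is an added example, not code from NIST SP 800-163. Real Android and iOS packages carry binary manifests that need a dedicated parser, so the package built here is a constructed zip with a plain-text manifest.json; everything else in the routine applies unchanged to a real package.

```python
"""Analyzer-side intake of a submitted app. Added example, not code from
NIST SP 800-163; the sample package, its manifest format and the database
schema are constructed for illustration."""
import hashlib
import hmac
import json
import os
import shutil
import sqlite3
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_sample_package(path):
    """Constructed stand-in for a submitted app. Returns the hash the
    administrator would send to the analyzer over a separate channel."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("manifest.json", json.dumps({"name": "example-notes", "version": "1.4.2"}))
        z.writestr("classes.bin", b"\x00" * 64)
    return sha256_file(path)


def extract_metadata(path):
    """Preprocessing: confirm the archive is intact and pull name and version."""
    with zipfile.ZipFile(path) as z:
        if z.testzip() is not None:
            raise ValueError("archive is corrupt; app is not suitable for testing")
        if "manifest.json" not in z.namelist():
            raise ValueError("no manifest; app is not suitable for testing")
        meta = json.loads(z.read("manifest.json"))
        return {"name": meta["name"], "version": meta["version"], "entries": len(z.namelist())}


def intake(submitted, expected_sha256, store_dir, db_path):
    actual = sha256_file(submitted)
    # Constant-time compare. A mismatch means the file changed in transit or
    # the wrong file arrived; either way it is not the app that was approved for testing.
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("hash mismatch: refusing to accept app")
    meta = extract_metadata(submitted)
    store = Path(store_dir)
    store.mkdir(mode=0o700, exist_ok=True)      # only the analyzer account can list the store
    dest = store / f"{actual}.zip"              # content-addressed: a swapped file gets a new name
    shutil.copyfile(submitted, dest)
    os.chmod(dest, 0o600)
    with sqlite3.connect(db_path) as con:
        con.execute("CREATE TABLE IF NOT EXISTS apps ("
                    "sha256 TEXT PRIMARY KEY, name TEXT, version TEXT, stored_path TEXT)")
        con.execute("INSERT OR REPLACE INTO apps VALUES (?, ?, ?, ?)",
                    (actual, meta["name"], meta["version"], str(dest)))
    con.close()
    return {"sha256": actual, **meta, "stored_path": str(dest)}


def demo():
    """Accept a good submission, then show that a modified copy is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "submitted.zip")
        expected = build_sample_package(pkg)
        store, db = os.path.join(tmp, "store"), os.path.join(tmp, "apps.db")
        record = intake(pkg, expected, store, db)
        with open(pkg, "ab") as fh:          # simulate modification after the hash was sent
            fh.write(b"tampered")
        try:
            intake(pkg, expected, store, db)
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True
        return record["name"], record["version"], record["sha256"] == expected, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The hash check only helps if the expected value travels separately from the file (for instance in the administrator's submission ticket), and it does not replace an encrypted channel: it detects modification, it does not prevent disclosure of the app to anyone who can read the transmission.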

After an app has been preprocessed by an analyzer, the analyzer will then test the app for software vulnerabilities that violate one or more general app security requirements. In this section, we describe these general requirements and the testing approaches used to detect vulnerabilities that violate these requirements. Descriptions of specific Android and iOS app vulnerabilities are provided in Appendices B and C. In addition, recommendations related to the app testing activity are described in Appendix A.2. For more information on security testing and assessment tools and techniques that may be helpful for performing app testing, see [17].

3.1 General Requirements

A general requirement is an app security requirement that specifies a software characteristic or behavior that an app should exhibit in order to be considered secure. General app security requirements include:

- Enabling authorized functionality: The app must work as described; all buttons, menu items, and other interfaces must work. Error conditions must be handled gracefully, such as when a service or function is unavailable (e.g., disabled, unreachable, etc.).

- Preventing unauthorized functionality: Unauthorized functionality, such as data exfiltration performed by malware, must not be supported.
- Limiting permissions: Apps should have only the minimum permissions necessary and should only grant other applications the necessary permissions.

- Protecting sensitive data: Apps that collect, store, and transmit sensitive data should protect the confidentiality and integrity of this data. This category includes preserving privacy, such as asking permission to use personal information and using it only for authorized purposes.
- Securing app code dependencies: The app must use any dependencies, such as on libraries, in a reasonable manner and not for malicious reasons.
- Testing app updates: New versions of the app must be tested to identify any new weaknesses.

Well-written security requirements are most useful to auditors when they can easily be translated into specific evaluation activities. The various processes concerning the elicitation, management, and tracking of requirements are collectively known as requirements engineering [18, 19], and this is a relatively mature activity with tool support. Presently, there is no methodology for driving all requirements down to the level where they could be checked completely³ by automatic software analysis, while ensuring that the full scope of the original requirements is preserved. Thus, the best we can do may be to document the process in such a way that human reviews can find gaps and concentrate on the types of vulnerabilities, or weaknesses, that fall into those gaps.

3.1.1 Enabling Authorized Functionality

An important part of confirming authorized functionality is testing the mobile user interface (UI) display, which can vary greatly for different device screen sizes and resolutions. The rendering of images or position of buttons may not be correct due to these differences.
If applicable, the UI should be viewed in both portrait and landscape mode. If the page allows for data entry, the virtual keyboard should be invoked to confirm it displays and works as expected. Analyzers should also test any device physical sensors used by the app such as Global Positioning System (GPS), front/back cameras, video, microphone for voice recognition, accelerometers (or gyroscopes) for motion and orientation-sensing, and communication between devices (e.g., phone "bumping"). Telephony functionality encompasses a wide variety of method calls that an app can use if given the proper permissions, including making phone calls, transmitting Short Message Service (SMS) messages, and retrieving unique phone identifier information. Most, if not all, of these telephony events are sensitive, and some of them provide access to PII. Many apps make use of the unique phone identifier information in order to keep track of users instead of using a username/password scheme. Another set of sensitive calls can give an app access to the phone number. Many legitimate apps use the phone number of the device as a unique identifier, but this is a bad coding practice and can lead to loss of PII. To make matters worse, many of the carrier companies do not take any caution in protecting this information. Any app that makes use of phone calls or SMS messages without clearly stating in the EULA or app description that it intends to use them should be immediate cause for suspicion.
3.1.2 Preventing Unauthorized Functionality

Some apps (as well as their libraries) are malicious and intentionally perform functionality that is not disclosed to the user and violates most expectations of secure behavior. This undocumented functionality may include exfiltrating confidential information or PII to a third party, defrauding the user by sending premium SMS messages (premium SMS messages are meant to be used to pay for products or services), or tracking users' locations without their knowledge. Other forms of malicious functionality include injection of fake websites into the victim's browser in order to collect sensitive information, acting as a starting point for attacks on other devices, and generally disrupting or denying operation. Another example is the use of banner ads that may be presented in a manner which causes the user to unintentionally select ads that may attempt to deceive the user. These types of behaviors support phishing attacks and may not be detected by mobile antivirus or software vulnerability scanners as they are served dynamically and not available for inspection prior to the installation of the app. Open source and commercially available malware detection and analysis tools can identify both known and new forms of malware. These tools can be incorporated as part of an organization's enterprise mobile device management (MDM) solution, organization's app store, or app vetting process.

³ In the mathematical sense of "completeness," completeness means that no violations of the requirement will be overlooked.
N ote th at e v en if t he se too ls ha ve not de te c ted k now n m alw are in an app, one shou ld not a ssu me that m alic ious f unc tion ality is n ot p re sen t. It is e ss e n tia lly im pos sible for a v etti ng p roce ss to gua ra n te e tha t a p ie ce o f so ftw are is fr ee from m alic ious fun ction ality . Mo bil e de vices may h av e so me bu ilt -in pr otecti ons a g ains t m alw are, for e xa mpl e app s andbox ing and us er appr oval in ord er t o acce ss sub sy ste m s such as t he GPS or t e x t m essa g in g. H ow ev er, sa ndbox ing on ly m ak es it m or e di fficu lt f or a p ps to int erf e re w it h on e a no th er or wi th the op era ti ng s y ste m ; i t does not prev en t m any ty pes of m alic ious f unc ti o na lity . A fi nal c ate g or y of unaut hori zed fun ctiona li ty to co nside r is co mmuni cation wit h disrepu tab le w eb site s, dom ains, ser vers , etc . If the app is ob se rv ed to co m muni cate with sites kno wn to ha rbo r m alic iou s ad vert is ing , spa m, phi sh in g a ttack s, or othe r m alw are, th is is a str ong ind ica tion of una utho riz ed f unc tion ality .

3.1.3 Limiting Permissions

Some apps have permissions that are not consistent with EULAs, app permissions, app descriptions, in-program notifications, or other expected behaviors and would not be considered to exhibit secure behavior. An example is a wallpaper app that collects and stores sensitive information, such as passwords or PII, or accesses the camera and microphone. Although these apps might not have malicious intent—they may just be poorly designed—their excessive permissions still expose the user to threats that stem from the mismanagement of sensitive data and the loss or theft of a device. Similarly, some apps have permissions assigned that they don't actually use. Moreover, users routinely reflexively grant whatever access permissions a newly installed app requests, should their mobile device OS perform permission requests. It is important to note that identifying apps that have excessive permissions is a manual process.

It involves a subjective decision from an auditor that certain permissions are not appropriate and that the behavior of the app is insecure. Excessive permissions can manifest in other ways including:

• File input/output (I/O) and removable storage: File I/O can be a security risk, especially when the I/O happens on a removable or unencrypted portion of the file system. Regarding the app's own behavior, file scanning or access to files that are not part of an app's own directory could be an indicator of malicious activity or bad coding practice. Files written to external storage, such as a removable Secure Digital (SD) card, may be readable and writeable by other apps that may have been granted different permissions, thus placing data written to unprotected storage at risk.
• Privileged commands: Apps may possess the ability to invoke lower-level command line programs, which may allow access to low-level structures, such as the root directory, or may allow access to sensitive commands. These programs potentially allow a malicious app access to various system resources and information (e.g., finding out the running processes on a device). Although the mobile operating system typically offers protection against directly accessing resources beyond what is available to the user account that the app is running under, this opens up the potential for privilege elevation attacks.
• APIs: The app only uses designated APIs from the vendor-provided software development kit (SDK) and uses them properly; no other API calls are permitted [footnote 4]. For the permitted APIs, the analyzer should note where the APIs are transferring data to and from the app.
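As an added example of the excessive-permission review described above (this is not code from NIST SP 800-163), the script below parses a constructed Android manifest for a hypothetical wallpaper app and flags every declared permission that falls outside an analyst-defined expectation profile; the profiles and the sensitive-permission list are assumptions that an auditor would tune to the organization's own judgement.

```python
"""Flag declared Android permissions that fall outside an app's described purpose.

Added example for the excessive-permission review in 3.1.3; it is not code from
NIST SP 800-163.  The manifest is a constructed sample for a hypothetical
wallpaper app, and the expectation profiles are the analyst's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest (sample input, not a real app).
WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Nice Wallpapers"/>
</manifest>
"""

# Assumption: what an app of each category plausibly needs.  Anything declared
# beyond this is handed to the auditor, who makes the final (subjective) call.
EXPECTED_PERMISSIONS = {
    "wallpaper": {
        "android.permission.INTERNET",
        "android.permission.SET_WALLPAPER",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "camera": {
        "android.permission.CAMERA",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
}

# Permissions that reach sensors or PII; excess here is rated higher because
# the data is exposed if the device is lost or the app mishandles it.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a manifest string."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def excessive_permissions(manifest_xml, category):
    """Declared permissions outside the category profile, with a severity.

    Returns a sorted list of (permission, severity) where severity is "high"
    for sensor/PII permissions and "review" for everything else.
    """
    expected = EXPECTED_PERMISSIONS[category]
    findings = []
    for perm in sorted(declared_permissions(manifest_xml) - expected):
        severity = "high" if perm in SENSITIVE_PERMISSIONS else "review"
        findings.append((perm, severity))
    return findings


if __name__ == "__main__":
    for perm, severity in excessive_permissions(WALLPAPER_MANIFEST, "wallpaper"):
        print("%-7s %s" % (severity, perm))
```

The script only compares declarations; whether a declared permission is actually exercised still needs the runtime observation discussed later in the document.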
3.1.4 Protecting Sensitive Data

Many apps collect, store, and/or transmit sensitive data, such as financial data (e.g., credit card numbers), personal data (e.g., social security numbers), and login credentials (e.g., passwords). When implemented and used properly, cryptography can help maintain the confidentiality and integrity of this data, even if a protected mobile device is lost or stolen and falls into an attacker's hands. However, only certain cryptographic implementations have been shown to be sufficiently strong, and developers who create their own implementations typically expose their apps to exploitation through man-in-the-middle attacks and other forms. Federal Information Processing Standard (FIPS) 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive data within federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the data. A list of FIPS 140-2-validated cryptographic modules and an explanation of the applicability of the Cryptographic Module Validation Program (CMVP) can be found on the CMVP web site [20]. Analyzers should reference the CMVP-provided information to determine if each app is using properly validated cryptographic modules and approved implementations of those modules. It is not sufficient to use appropriate cryptographic algorithms and modules; cryptography implementations must also be maintained in accordance with approved practices. Cryptographic key management is often performed improperly, leading to exploitable weaknesses.

For example, the presence of hard-coded cryptographic keying material such as keys, initialization vectors, etc. is an indication that cryptography has not been properly implemented by an app and might be exploited by an attacker to compromise data or network resources. Guidelines for proper key management techniques can be found in [21]. Another example of a common cryptographic implementation problem is the failure to properly validate digital certificates, leaving communications protected by these certificates subject to man-in-the-middle attacks.
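The two implementation problems just named, hard-coded keying material and disabled certificate validation, are usually visible in decompiled source. The scanner below is an added example, not code from NIST SP 800-163; the Java fragment it runs over is constructed, and the patterns cover only the common javax.crypto and javax.net.ssl idioms, so an empty result is not evidence that the app's cryptography is correct.

```python
"""Spot hard-coded keying material and disabled certificate validation in
decompiled app source.

Added example for the 3.1.4 discussion of hard-coded keys/IVs and improper
certificate validation; not code from NIST SP 800-163.  The Java fragment is
constructed, and the patterns cover the common javax.crypto and javax.net.ssl
idioms only, so a clean result is not proof of correct cryptography.
"""
import re

# (rule id, pattern, description).  re.S lets the two certificate rules span a
# method signature and an empty / "return true" body across line breaks.
RULES = [
    ("HARDCODED_KEY",
     re.compile(r'SecretKeySpec\(\s*"[^"]*"'),
     "string literal used as a secret key"),
    ("HARDCODED_IV",
     re.compile(r'IvParameterSpec\(\s*(?:new\s+byte\[\]|")'),
     "literal initialization vector"),
    ("HARDCODED_BYTES",
     re.compile(r'final\s+byte\[\]\s+\w+\s*=\s*new\s+byte\[\]\s*\{'),
     "constant byte array (possible key or IV)"),
    ("TRUST_ALL_CERTS",
     re.compile(r'checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}', re.S),
     "X509TrustManager that accepts every server certificate"),
    ("TRUST_ALL_HOSTS",
     re.compile(r'\bverify\s*\(\s*String\s+\w+\s*,[^)]*\)[^{]*\{\s*return\s+true\s*;\s*\}', re.S),
     "HostnameVerifier that accepts every host name"),
    ("TRUST_ALL_HOSTS",
     re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER'),
     "deprecated allow-all hostname verifier"),
]


def scan_source(source):
    """Return sorted (line, rule id, description) findings for one source file."""
    findings = []
    for rule_id, pattern, description in RULES:
        for match in pattern.finditer(source):
            # Line of the match start: count newlines before it.
            line_no = source.count("\n", 0, match.start()) + 1
            findings.append((line_no, rule_id, description))
    return sorted(findings)


# Constructed fragment of decompiled app code (not from any real app).  Lines 1
# and 2 embed the IV and key in the binary; lines 7 and 11 switch off
# certificate and host name checks, which is what enables the man-in-the-middle
# attacks the document warns about.
SAMPLE_SOURCE = """private static final byte[] IV = new byte[]{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(IV));
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

if __name__ == "__main__":
    for line_no, rule_id, description in scan_source(SAMPLE_SOURCE):
        print("line %2d  %-16s %s" % (line_no, rule_id, description))
```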

Privacy considerations need to be taken into account for apps that handle PII, including mobile-specific personal information like location data and pictures taken by onboard cameras, as well as the broadcast ID of the device. This needs to be dealt with in the UI as well as in the portions of the apps that manipulate this data. For example, an analyzer can verify that the app complies with privacy standards by masking characters of any sensitive data within the page display, but audit logs should also be reviewed when possible for appropriate handling of this type of information. Another important privacy consideration is that sensitive data should not be disclosed without prior notification to the user by a prompt or a license agreement. Another concern with protecting sensitive data is data leakage. For example, data is often leaked through unauthorized network connections. Apps can use network connections for legitimate reasons, such as retrieving content, including configuration files, from a variety of external systems. Apps can receive and process information from external sources and also send information out, potentially exfiltrating data from the mobile device without the user's knowledge.

Footnote 4: The existence of an API raises the possibility of malicious use. Even if the APIs are used properly, they may pose risks because of covert channels, unintended access to other APIs, access to data exceeding original design, and the execution of actions outside of the app's normal operating parameters.

Analyzers should consider not only cellular and Wi-Fi usage, but also Bluetooth, NFC, and other forms of networking. Another common source of data leakage is shared system-level logs, where multiple apps log their security events to a single log file.

Some of these log entries may contain sensitive information, either recorded inadvertently or maliciously, so that other apps can retrieve it. Analyzers should examine app logs to look for signs of sensitive data leakage.

3.1.5 Securing App Code Dependencies

In general, an app must not use any unsafe coding or building practices. Specifically, an app should properly use other bodies of code, such as libraries, only when needed, and not attempt to obfuscate malicious activity [footnote 5]. Examples include:

• Native Methods: Native method calls are typically calls to a library function that has already been loaded into memory. These methods provide a way for an app to reuse code that was written in a different language. These calls, however, can provide a level of obfuscation that impacts the ability to perform analysis of the app.
• External Libraries and Classes: This category includes any third-party libraries and classes that are loaded by the app at runtime. Third-party libraries and classes can be closed source, can have self-modifying code, or can execute unknown server-side code. Legitimate uses for loaded libraries and classes might be for the use of a cryptographic library or a graphics API. Malicious apps can use library and class loading as a method to avoid detection. From a vetting perspective, libraries and classes are also a concern because they introduce outside code to an app without the direct control of the developer. Libraries and classes can have their own known vulnerabilities, so an app using such libraries or classes could expose a known vulnerability on an external interface. Tools are available that can list libraries, and these libraries can then be searched for in vulnerability databases to determine if they have known weaknesses.
• Dynamic Behavior: When apps execute, they exhibit a variety of dynamic behaviors. Not all of these operating behaviors are a result of user input. Executing apps may also receive inputs from data stored on the device. The key point here is the need to know where data used by an app originates from and knowing whether and how it gets sanitized. It is critical to recognize that data downloaded from an external source is particularly dangerous as a potential exploit vector unless it is clear how the app prevents insecure behaviors resulting from data from a source not trusted by the organization using the app. Data downloaded from external sources should be treated as potential exploits unless it can be shown that the app is able to thwart any negative consequences from externally supplied data, especially data from untrusted sources. This is nearly impossible, thus requiring some level of risk-tolerance mitigation.
• Inter-Application Communications: Apps that communicate with each other can provide useful capabilities and productivity improvements, but these inter-application communications can also present a security risk. For example, in Android platforms, inter-application communications are allowed but regulated by what Android calls "intents." An intent can be used to start an app component in a different app or the same app that is sending the intent. Intents can also be used to interact and request resources from the operating system. In general, analyzers should be aware of situations where an app is using nonhuman entities to make API calls to other devices, to communicate with third-party services, or to otherwise interact with other systems.

Footnote 5: There are both benign and malicious reasons for obfuscating code (e.g., protecting intellectual property and concealing malware, respectively). Code obfuscation makes static analysis difficult, but dynamic analysis can still be effective.

3.1.6 Testing App Updates

To provide long-term assurance of the software throughout its life cycle, all apps, as well as their updates, should go through a software assurance vetting process, because each new version of an app can introduce new unintentional weaknesses or unreliable code. Apps should be vetted before being released to the community of users within the organization. The purpose is to validate that the app adheres to a predefined acceptable level of security risk and identify whether the developers have introduced any latent weaknesses that could make the IT infrastructure vulnerable. It is increasingly common for mobile devices to be capable of and be configured to automatically download app updates. Mobile devices are also generally capable of downloading apps of the user's choice from app stores. Ideally, each app and app update should be vetted before it is downloaded onto any of the organization's mobile devices. If unrestricted app and app update downloads are permitted, this can bypass the vetting process.
There are several options to work around this, depending on the mobile device platform and the degree to which the mobile devices are managed by the organization. Possible options include disabling all automatic updates, only permitting use of an organization-provided app store, preventing the installation of updates through the use of application whitelisting software, and enabling MDM mobile application management features that make app vetting a precondition for allowing users to download apps and app updates. Further discussion of this is out of scope because it is largely addressed operationally as part of OS security practices.

3.2 Testing Approaches

To detect the satisfaction or violation of a general requirement, an analyzer tests an app for the presence of software vulnerabilities. Such testing may involve (1) correctness testing, (2) analysis of the app's source code or binary code, (3) the use of static or dynamic analysis, and (4) manual or automatic testing of the app.

3.2.1 Correctness Testing

One approach for testing an app is software correctness testing [22]. Software correctness testing is the process of executing a program with the intent of finding errors. Although software correctness testing is aimed primarily at improving quality assurance, verifying and validating described functionality, or estimating reliability, it can also help to reveal potential security vulnerabilities since such vulnerabilities often have a negative effect on the quality, functionality, and reliability of the software. For example, software that crashes or exhibits unexpected behavior is often indicative of a security flaw. One of the advantages of software correctness testing is that it is traditionally based on specifications of the specific software to be tested. These specifications can then be transformed into requirements that specify how the software is expected to behave under test. This is distinguished from security assessment approaches that often require the tester to derive requirements themselves; often such requirements are largely based on security requirements that are considered to be common across many different software artifacts and may not test for vulnerabilities that are unique to the software under test. Nonetheless, because of the tight coupling between security and the quality, functionality, and reliability of software, it is recommended that software correctness testing be performed when possible.

3.2.2 Source Code Versus Binary Code

A major factor in performing app testing is whether source code is available. Typically, apps downloaded from an app store do not provide access to source code. When source code is available, such as in the case of an open source app, a variety of tools can be used to analyze it. The goals of performing a source code review are to find vulnerabilities in the source code and to verify the results of analyzers. The current practice is that these tasks are performed manually by a secure code reviewer who reads through the contents of source code files. Even with automated aids, the analysis is labor-intensive. Benefits to using automated static analysis tools include introducing consistency between different reviews and making review of large codebases possible. Reviewers should generally use automated static analysis tools whether they are conducting an automated or a manual review, and they should express their findings in terms of Common Weakness Enumeration (CWE) identifiers or some other widely accepted nomenclature. Performing a secure code review requires software development and domain-specific knowledge in the area of application security. Organizations should ensure that the individuals performing source code reviews have the necessary skills and expertise. Note that organizations that intend to develop apps in-house should also refer to guidance on secure programming techniques and software quality assurance processes to appropriately address the entire software development life cycle [11, 23]. When source code is not available, binary code can be vetted instead. In the context of apps, the term "binary code" can refer to either byte-code or machine code. For example, Android apps are compiled to byte-code that is executed on a virtual machine, similar to the Java Virtual Machine (JVM), but they can also come with custom libraries that are provided in the form of machine code, that is, code executed directly on the mobile device's CPU. Android binary apps include byte-code that can be analyzed without hardware support using emulated and virtual environments.

3.2.3 Static Versus Dynamic Analysis

Analysis tools are often characterized as being either static or dynamic [footnote 6]. Static analysis examines the app source code and binary code, and attempts to reason over all possible behaviors that might arise at runtime. It provides a level of assurance that analysis results are an accurate description of the program's behavior regardless of the input or execution environment. Dynamic analysis operates by executing a program using a set of input use cases and analyzing the program's runtime behavior. In some cases, the enumeration of input test cases is large, resulting in lengthy processing times. However, methods such as combinatorial testing can reduce the number of dynamic input test case combinations, reducing the amount of time needed to derive analysis results [25]. Still, dynamic analysis is unlikely to provide 100 percent code coverage [26]. Organizations should consider the technical trade-off differences between what static and dynamic tools offer and balance their usage given the organization's software assurance goals.
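The reduction that combinatorial testing gives a dynamic analyzer is easy to see on a small set of environment factors. The block below is an added example, not code from the document or from reference [25]: the factors are assumed, and the greedy one-test-at-a-time construction is a textbook 2-way (pairwise) method rather than any particular tool's implementation.

```python
"""Pairwise (2-way) combinatorial reduction of dynamic-analysis test inputs.

Added example for the 3.2.3 remark that combinatorial testing cuts the number
of input combinations a dynamic analyzer must execute; not code from
NIST SP 800-163.  The parameters are an assumed set of environment factors
for exercising a mobile app; the greedy algorithm is a simple
one-test-at-a-time construction, not any particular tool's implementation.
"""
from itertools import combinations


def _pair(i, vi, j, vj):
    """Canonical key for the value pair (param i = vi, param j = vj)."""
    return ((i, vi), (j, vj)) if i < j else ((j, vj), (i, vi))


def all_pairs(values):
    """Every (parameter, value) pair that a 2-way covering set must hit."""
    pairs = set()
    for i, j in combinations(range(len(values)), 2):
        for vi in values[i]:
            for vj in values[j]:
                pairs.add(_pair(i, vi, j, vj))
    return pairs


def pairs_of(test):
    """Pairs covered by one complete test (a list of values, one per parameter)."""
    return {_pair(i, test[i], j, test[j])
            for i, j in combinations(range(len(test)), 2)}


def pairwise_tests(params):
    """Greedy 2-way covering set for a dict of parameter name -> value list.

    Each new test is seeded with the smallest still-uncovered pair, and the
    remaining parameters are filled with the value that covers the most
    uncovered pairs against the values already chosen.  Every test therefore
    covers at least one new pair, so the loop terminates.
    """
    names = list(params)
    values = [list(params[n]) for n in names]
    uncovered = all_pairs(values)
    tests = []
    while uncovered:
        (i, vi), (j, vj) = min(uncovered)
        test = [None] * len(names)
        test[i], test[j] = vi, vj
        for k in range(len(names)):
            if test[k] is not None:
                continue

            def gain(v, k=k):
                return sum(_pair(k, v, m, test[m]) in uncovered
                           for m in range(len(names)) if test[m] is not None)

            test[k] = max(values[k], key=gain)   # first value wins ties
        uncovered -= pairs_of(test)
        tests.append(dict(zip(names, test)))
    return tests


def full_factorial_count(params):
    """Number of tests an exhaustive enumeration of the same factors needs."""
    count = 1
    for vals in params.values():
        count *= len(vals)
    return count


# Assumed environment factors for one dynamic-analysis run (constructed).
APP_TEST_FACTORS = {
    "network": ["wifi", "cellular", "offline"],
    "orientation": ["portrait", "landscape"],
    "locale": ["en", "de", "ja"],
    "account": ["logged_in", "logged_out"],
}

if __name__ == "__main__":
    tests = pairwise_tests(APP_TEST_FACTORS)
    print("%d pairwise tests instead of %d exhaustive ones"
          % (len(tests), full_factorial_count(APP_TEST_FACTORS)))
    for t in tests:
        print(t)
```

Pairwise coverage finds every defect that depends on at most two factors; a fault that needs three specific settings at once can still escape, which is one reason the document notes that dynamic analysis alone rarely reaches full coverage.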
Static analysis requires that binary code be reverse engineered when source is not available, which is relatively easy for byte-code [footnote 7], but can be difficult for machine code. Many commercial static analysis tools already support byte-code, as do a number of open source and academic tools [footnote 8]. For machine code, it is especially hard to track the flow of control across many functions and to track data flow through variables, since most variables are stored in anonymous memory locations that can be accessed in different ways. The most common way to reverse engineer machine code is to use a disassembler or a decompiler that tries to recover the original source code. These techniques are especially useful if the purpose of reverse engineering is to allow humans to examine the code, since the outputs are in a form that can be understood by humans with appropriate skills. But even the best disassemblers make mistakes [32], and some of those mistakes can be corrected with formal static analysis. If the code is being reverse engineered for static analysis, then it is often preferable to disassemble the machine code directly to a form that the static analyzer understands rather than creating human-readable code as an intermediate byproduct. A static analysis tool that is aimed at machine code is likely to automate this process.

Footnote 6: For mobile devices, there are analysis tools that label themselves as performing behavioral testing. Behavioral testing (also known as behavioral analysis) is a form of static and dynamic testing that attempts to detect malicious or risky behavior, such as the oft-cited example of a flashlight app that accesses a contact list [24]. This publication assumes that any mention of static or dynamic testing also includes behavioral testing as a subset of its capabilities.

Footnote 7: The ASM framework [27] is a commonly used framework for byte-code analysis.

Footnote 8: Such as [28, 29, 30, 31].

For dynamic testing (as opposed to static analysis), the most important requirement is to be able to see the workings of the code as it is being executed. There are two primary ways to obtain this information. First, an executing app can be connected to a remote debugger, and second, the code can be run on an emulator that has debugging capabilities built into it. Running the code on a physical device allows the analyzer to select the exact characteristics of the device on which the app is intended to be used and can provide a more accurate view about how the app will behave. On the other hand, an emulator provides more control, especially when the emulator is open source and can be modified by the evaluator to capture whatever information is needed. Although emulators can simulate different devices, they do not simulate all of them, and the simulation may not be completely accurate. Note that malware increasingly detects the use of emulators as a testing platform and changes its behavior accordingly to avoid detection.

Therefore, it is recommended that analyzers use a combination of emulated and physical mobile devices so as to avoid false negatives from malware that employs anti-detection techniques. Useful information can be gleaned by observing an app's behavior even without knowing the purposes of individual functions. For example, an analyzer can observe how the app interacts with its external resources, recording the services it requests from the operating system and the permissions it exercises.
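As an added example of reviewing such a recording (not code from NIST SP 800-163), the script below checks a constructed runtime trace of a hypothetical camera app against the permissions it declares and an analyst-defined purpose profile, flagging permissions exercised but never declared, declared permissions that the app's described purpose does not need, and network traffic during a user action that should not involve the network. The trace format, the API-to-permission map and the profile are all assumptions; the address used is from the documentation range.

```python
"""Review an app's observed runtime behavior against what it declares and
what its described purpose needs.

Added example for the 3.2.3 advice to record the services an app requests and
the permissions it exercises; not code from NIST SP 800-163.  The trace, its
format, the API-to-permission map and the purpose profile are all constructed
assumptions (a hypothetical instrumentation hook, not a real tool).
"""
from collections import namedtuple

Event = namedtuple("Event", "time action api detail")

# Constructed trace: time, user action in progress, API invoked, detail.
# 203.0.113.10 is from the documentation address range.
CAMERA_APP_TRACE = """\
12:00:01 open_app     android.hardware.Camera.open                          -
12:00:02 take_photo   android.hardware.Camera.takePicture                   -
12:00:03 take_photo   java.net.Socket.connect                               203.0.113.10:443
12:00:03 take_photo   java.net.Socket.write                                 bytes=48211
12:00:09 view_gallery android.location.LocationManager.getLastKnownLocation -
"""

# Permissions declared in the (constructed) manifest of the camera app.
DECLARED = {"android.permission.CAMERA", "android.permission.INTERNET"}

# Assumption: which dangerous permission each traced API exercises.
API_PERMISSION = {
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.hardware.Camera.takePicture": "android.permission.CAMERA",
    "java.net.Socket.connect": "android.permission.INTERNET",
    "java.net.Socket.write": "android.permission.INTERNET",
    "android.location.LocationManager.getLastKnownLocation":
        "android.permission.ACCESS_FINE_LOCATION",
}
NETWORK_APIS = {"java.net.Socket.connect", "java.net.Socket.write"}

# Assumption: what a camera app's described functionality needs, and which
# user actions plausibly involve the network at all.
PROFILES = {
    "camera": {
        "permissions": {"android.permission.CAMERA",
                        "android.permission.WRITE_EXTERNAL_STORAGE"},
        "network_actions": {"share_photo", "check_update"},
    },
}


def parse_trace(text):
    """Split the four-column trace into Event tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            time, action, api, detail = line.split(None, 3)
            events.append(Event(time, action, api, detail))
    return events


def review_trace(trace_text, declared, category):
    """Return (kind, action, api) findings in trace order.

    kind is one of:
      undeclared          the API needs a permission the app never declared
      beyond_purpose      declared, but outside the category profile (once per permission)
      unexpected_network  network traffic during an action that should not need it
    """
    profile = PROFILES[category]
    findings, reported = [], set()
    for ev in parse_trace(trace_text):
        perm = API_PERMISSION.get(ev.api)
        if perm is None:
            continue  # not a permission-gated API in our (assumed) map
        if perm not in declared:
            findings.append(("undeclared", ev.action, ev.api))
        elif perm not in profile["permissions"] and perm not in reported:
            reported.add(perm)
            findings.append(("beyond_purpose", ev.action, ev.api))
        if ev.api in NETWORK_APIS and ev.action not in profile["network_actions"]:
            findings.append(("unexpected_network", ev.action, ev.api))
    return findings


if __name__ == "__main__":
    for kind, action, api in review_trace(CAMERA_APP_TRACE, DECLARED, "camera"):
        print("%-18s during %-12s via %s" % (kind, action, api))
```

The 48 KB socket write during take_photo is the kind of finding the analyzer would then investigate for what was sent and why, since taking a photo should need no network at all for this app.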

Note that although many of the device capabilities used by an app may be inferred by an analyzer (e.g., access to a device's camera will be required of a camera app), an app may be permitted access to additional device capabilities that are beyond the scope of its described functionality (e.g., a camera app accessing the device's network). Moreover, if the behavior of the app is observed for specific inputs, the evaluator can ask whether the capabilities being exercised make sense in the context of those particular inputs. For example, a calendar app may legitimately have permission to send calendar data across the network in order to sync across multiple devices, but if the user has merely asked for a list of the day's appointments and the app sends data that is not simply part of the handshaking process needed to retrieve data, the analyzer might investigate what data is being sent and for what purpose.

3.2.4 Automated Tools

In most cases, analyzers used by an app vetting process will consist of automated tools that test an app for software vulnerabilities and generate a report and risk assessment. Classes of automated tools include:

• Simulators: Desktop simulators allow the use of a computer to view how the app will display on a specific device without the use of an actual device. Because the tool provides access to the UI, the app features can also be tested. However, interaction with the actual device hardware features such as a camera or accelerometer cannot be simulated and requires an actual device.
• Remote Device Access: These types of tools allow the analyzer to view and access an actual device from a computer. This allows the testing of most device features that do not require physical movement such as using a video camera or making a phone call. Remote debuggers are a common way of examining and understanding apps.
• Automated Testing: Basic mobile functionality testing lends itself well to automated testing. There are several tools available that allow creation of automated scripts to remotely run regression test cases on specific devices and operating systems.

o User Interface-Driven Testing: If the expected results being verified are UI-specific, pixel verification can be used. This method takes a "screen shot" of a specified number of pixels from a page of the app and verifies that it displays as expected (pixel by pixel).
o Data-Driven Testing: Data-driven verification uses labels or text to identify the section of the app page to verify. For example, it will verify the presence of a "Back" button, regardless of where on the page it displays. Data-driven automated test cases are less brittle and allow for some page design change without rewriting the script.
o Fuzzing: Fuzzing normally refers to the automated generation of test inputs, either randomly or based on configuration information describing data format. Fault injection tools may also be referred to as "fuzzers." This category of test tools is not necessarily orthogonal to the others, but its emphasis is on fast and automatic generation of many test scenarios.
o Network-Level Testing: Fuzzers, penetration test tools, and human-driven network simulations can help determine how the app interacts with the outside world. It may be useful to run the app in a simulated environment during network-level testing so that its response to network events can be observed more closely.
• Test Automation: The term "test automation" usually refers to tools that automate the repetition of tests after they have been engineered by humans. This makes it useful for tests that need to be repeated often (e.g., tests that will be used for many apps or executed many times, with variations, for a single app).

• Static Tools:
o Static Analysis Tools: These tools generally analyze the behavior of software (either source or binary code) to find software vulnerabilities, though—if appropriate specifications are available—static analysis can also be used to evaluate correctness. Some static analysis tools operate by looking for syntax embodying a known class of potential vulnerabilities and then analyzing the behavior of the program to determine whether the weaknesses can be exploited. Static tools should encompass the app itself, but also the data it uses to the extent that this is possible; keep in mind that the true behavior of the app may depend critically on external resources [footnote 9].
o Metrics Tools: These tools measure aspects of software not directly related to software behavior but useful in estimating auxiliary information such as the effort of code evaluation. Metrics can also give indirect indications about the quality of the design and development process.

Commercial automated app testing tools have overlapping or complementary capabilities. For example, one tool may be based on techniques that find integer overflows [34] reliably while another tool may be better at finding weaknesses related to command injection attacks [35]. Finding the right set of tools to evaluate a requirement can be a challenging task because of the varied capabilities of diverse commercial and open source tools, and because it can be challenging to determine the capabilities of a given tool.

Footnote 9: The Software Assurance Metrics and Tool Evaluation (SAMATE) test suite [33] provides a baseline for evaluating static analysis tools. Tool vendors may evaluate their own tools with SAMATE, so it is to be expected that, over time, the tools will eventually perform well on precisely the SAMATE specified tests. Still, the SAMATE test suite can help determine if the tool is meant to do what analyzers thought, and the SAMATE test suite is continually evolving.

Constraints on time and money may also prevent the evaluator from assembling the best possible evaluation process, especially when the best process would involve extensive human analysis. Tools that provide a high-level risk rating should provide transparency on how the score was derived and which tests were performed. Tools that provide low-level code analysis reports should help analyzers understand how the tool's findings may impact their security. Therefore, it is important to understand and quantify what each tool and process can do, and to use that knowledge to characterize what the complete evaluation process does or does not provide. In most cases, organizations will need to use multiple automated tools to meet their testing requirements.

Using multiple tools can provide improved coverage of software vulnerability detection as well as provide validation of test results for those tools that provide overlapping tests (i.e., if two or more tools test for the same vulnerability).

3.3 Sharing Results

The sharing of an organization's findings for an app can greatly reduce the duplication and cost of app vetting efforts for other organizations. Information sharing within the software assurance community is vital and can help analyzers benefit from the collective efforts of security professionals around the world.

The National Vulnerability Database (NVD) [36] is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP) [37].

This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics. SCAP is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. SCAP is a multipurpose protocol that supports automated vulnerability checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content. The CWE [38] and Common Attack Pattern Enumeration and Classification (CAPEC) [39] collections can provide a useful list of weaknesses and attack approaches to drive a binary or live system penetration test. Classifying and expressing software vulnerabilities is an ongoing and developing effort in the software assurance community, as is how to prioritize among the various weaknesses that can be in an app [40] so that an organization can know that those that pose the most danger to the app, given its intended use/mission, are addressed by the vetting activity given the difference in the effectiveness and coverage of the various available tools and techniques.
4 App Approval/Rejection

After an app has been tested by an analyzer, the analyzer generates a report that identifies detected software vulnerabilities and a risk assessment that expresses the estimated level of risk associated with using the app. The report and risk assessment are then made available to one or more auditors of the organization. In this section, we describe issues surrounding the auditing of reports and risk assessments by an auditor, the organization-specific vetting criteria used by auditors to determine if an app meets the organization's context-sensitive requirements, and issues surrounding the final decision by an approver to approve or reject an app. Recommendations related to the app approval/rejection activity are described in Appendix A.3.

4.1 Report and Risk Auditing

An auditor inspects reports and risk assessments from one or more analyzers to ensure that the app meets the organization's general security requirements. To accomplish this, the auditor must be intimately familiar with the organization's general security requirements as well as with the reports and risk assessments from analyzers. After inspecting analyzers' reports and risk assessments against general app security requirements, the auditor also assesses the app with respect to context-sensitive requirements using organization-specific vetting criteria.
After assessing the app's satisfaction or violation of both general and context-specific security requirements, the auditor then generates a recommendation for approving or rejecting the app for deployment based on the app's security posture and makes this available to the organization's approver. One of the main issues related to report and risk auditing stems from the difficulty in collating and interpreting different reports and risk assessments from multiple analyzers due to the wide variety of security-related definitions, semantics, nomenclature, and metrics. For example, an analyzer may classify the estimated risk for using an app as low, moderate, high, or severe risk while another analyzer classifies estimated risk as pass, warning, or fail. Note that it is in the best interest of analyzers to provide assessments that are relatively intuitive and easy to interpret by auditors. Otherwise, organizations will likely select other analyzers that generate reports and assessments that their auditors can understand.

While some standards exist for expressing risk assessment (e.g., the Common Vulnerability Scoring System [41]) and vulnerability reports (e.g., Common Vulnerability Reporting Framework [42]), the current adoption of these standards by analyzers is low. To address this issue, it is recommended that an organization identify analyzers that leverage vulnerability reporting and risk assessment standards. If this is not possible, it is recommended that the organization provide sufficient training to auditors on both the security requirements of the organization as well as the interpretation of reports and risk assessments generated by analyzers. The methods used by an auditor to derive a recommendation for approving or rejecting an app are based on a number of factors, including the auditor's confidence in the analyzers' assessments and the perceived level of risk from one or more risk assessments, as well as the auditor's understanding of the organization's risk threshold, the organization's general and context-sensitive security requirements, and the reports and risk assessments from analyzers. In some cases, an organization will not have any context-sensitive requirements and thus auditors will evaluate the security posture of the app based solely on reports and risk assessments from analyzers. In such cases, if risk assessments from all analyzers indicate a low security risk associated with using an app, an auditor may adequately justify the approval of the app based on those risk assessments (assuming that the auditor has confidence in the analyzers' assessments).

Conversely, if one or more analyzers indicate a high security risk with using an app, an auditor may adequately justify the rejection of the app based on those risk assessments. Cases where moderate, but no high, levels of risk are assessed for an app by one or more analyzers will require additional evaluation by the auditor in order to adequately justify a recommendation for approving or rejecting the app. To increase the likelihood of an appropriate recommendation, it is recommended that the organization use multiple auditors.

4.2 Organization-Specific Vetting Criteria

As described in Section 2.3.1, a context-sensitive requirement is an app security requirement that specifies how apps should be used by the organization to ensure that organization's security posture. For an app, the satisfaction or violation of context-sensitive requirements cannot be determined by analyzers but instead must be determined by an auditor using organization-specific vetting criteria. Such criteria include:

• Requirements: The pertinent requirements, security policies, privacy policies, acceptable use policies, and social media guidelines that are applicable to the organization.

• Provenance: Identity of the developer, developer's organization, developer's reputation, date received, marketplace/app store consumer reviews, etc.

• Data Sensitivity: The relative sensitivity of the data collected, stored, and/or transmitted by the app.
• App Criticality: How critical the app is to the organization's business processes.
• Target Users: The intended set of users of the app.
• Target Hardware: The intended hardware platform and configuration on which the app will be deployed.

• Target Environment: The intended operational environment of the app (e.g., general public use vs. sensitive military environment).

• Digital Signature: Digital signatures applied to the app binaries or packages.¹⁰
• App Documentation:
  o User Guide: When available, the app's user guide assists testing by specifying the expected functionality and expected behaviors. This is simply a statement from the developer describing what they claim their app does and how it does it.
  o Test Plans: Reviewing the developer's test plans may help focus app vetting by identifying any areas that have not been tested or were tested inadequately. A developer could opt to submit a test oracle in certain situations to demonstrate its internal test effort.
  o Testing Results: Code review results and other testing results will indicate which security standards were followed. For example, if an application threat model was created, this should be submitted. This will list weaknesses that were identified and should have been addressed during design and coding of the app.
  o Service-Level Agreement: If an app was developed for an organization by a third party, a Service-Level Agreement (SLA) may have been included as part of the vendor contract. This contract should require the app to be compatible with the organization's security policy.

Footnote 10: The level of assurance provided by digital signatures varies widely. For example, one organization might have stringent digital signature requirements that provide a high degree of trust, while another organization might allow self-signed certificates to be used, which do not provide any level of trust.
Some information can be gleaned from app documentation in some cases, but even if documentation does exist, it might lack technical clarity and/or use jargon specific to the circle of users who would normally purchase the app. Since the documentation for different apps will be structured in different ways, it may also be time-consuming to find the information for evaluation. Therefore, a standardized questionnaire might be appropriate for determining the software's purpose and assessing an app developer's efforts to address security weaknesses. Such questionnaires aim to identify software quality issues and security weaknesses by helping developers address questions from end users/adopters about their software development processes. For example, developers can use the Department of Homeland Security (DHS) Custom Software Questionnaire [43] to answer questions such as "Does your software validate inputs from untrusted resources?" and "What threat assumptions were made when designing protections for your software?" Another useful question (not included in the DHS questionnaire) is "Does your app access a network application programming interface (API)?" Note that such questionnaires are feasible to use only in certain circumstances (e.g., when source code is available and when developers can answer questions).

Known flaws in app design and coding may be reported in publicly accessible vulnerability databases, such as NVD.¹¹ Before conducting the full vetting process for a publicly available app, auditors should check one or more vulnerability databases to determine if there are known flaws in the corresponding version of the app. If one or more serious flaws have already been discovered, this alone might be sufficient grounds to reject the version of the app for organizational use, thus allowing the rest of the vetting process to be skipped. However, in most cases such flaws will not be known, and the full vetting process will be needed. This is so because there are many forms of vulnerabilities other than known flaws in app design and coding. Identifying these weaknesses necessitates first defining the app requirements, so that deviations from these requirements can be flagged as weaknesses.

4.3 Final Approval/Rejection

Ultimately, an organization's decision to approve or reject an app for deployment rests on the decision of the organization's approver. After an approver receives recommendations from one or more auditors that describe the security posture of the app, the approver will consider this information as well as additional non-security-related criteria including budgetary, policy, and mission-specific criteria to render the organization's official decision to approve or reject the app. After this decision is made, the organization should then follow procedures for handling the approval or rejection of the app. These procedures must be specified by the organization prior to implementing an app vetting process.
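The report-auditing logic of Sections 4.1 and 4.2, as an added example that is not code from SP 800-163: two hypothetical analyzers report on the two scales the text mentions (low/moderate/high/severe and pass/warning/fail), the auditor normalises them onto one ordinal scale, discounts analyzers they do not have confidence in, applies the organization's risk threshold and the known-flaw pre-check, and obtains a recommendation. The analyzer names, the app identifier, the CVE placeholder and the flaw records are constructed for the example.

```python
"""Added example, not part of NIST SP 800-163: normalise risk assessments
from analyzers that use different scales (Section 4.1), apply the known-flaw
pre-check of Section 4.2, and derive an auditor recommendation.  Analyzer
names, their vocabularies, the app identifier and the flaw records are all
constructed for this example."""
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """Common ordinal scale the auditor normalises every report onto."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    SEVERE = 4


# Each hypothetical analyzer's own vocabulary mapped onto the common scale.
# Section 4.1 gives exactly these two styles as an example of the problem:
# low/moderate/high/severe versus pass/warning/fail.
SCALE_MAPS = {
    "analyzer-a": {"low": Risk.LOW, "moderate": Risk.MODERATE,
                   "high": Risk.HIGH, "severe": Risk.SEVERE},
    "analyzer-b": {"pass": Risk.LOW, "warning": Risk.MODERATE,
                   "fail": Risk.HIGH},
}


@dataclass(frozen=True)
class Report:
    analyzer: str
    rating: str            # rating in the analyzer's own vocabulary
    trusted: bool = True   # the auditor's confidence in this analyzer


def normalise(report: Report) -> Risk:
    """Translate one report's rating onto the common scale.  An unknown
    analyzer or term is an error rather than a silent default, because the
    auditor must be able to interpret every assessment they rely on."""
    try:
        return SCALE_MAPS[report.analyzer][report.rating.strip().lower()]
    except KeyError as exc:
        raise ValueError(f"cannot interpret {report.analyzer!r}: {report.rating!r}") from exc


# Constructed stand-in for a vulnerability database lookup, keyed by
# (app identifier, version).  The CVE id is a placeholder, not a real record.
KNOWN_FLAWS = {
    ("com.example.notes", "2.1"): [("CVE-YYYY-NNNNN", "serious")],
    ("com.example.notes", "2.2"): [],
}


def known_serious_flaw(app_id: str, version: str) -> bool:
    """Section 4.2: a serious known flaw in this version can justify
    rejection before the full vetting process is run."""
    return any(sev == "serious" for _, sev in KNOWN_FLAWS.get((app_id, version), []))


def recommend(app_id: str, version: str, reports: list,
              threshold: Risk = Risk.HIGH) -> tuple:
    """Return (recommendation, reason) following Section 4.1: every trusted
    analyzer low -> approve; any rating at or above the organization's risk
    threshold -> reject; anything in between -> the auditor must evaluate
    further before recommending either way."""
    if known_serious_flaw(app_id, version):
        return "reject", f"known serious flaw in version {version}"
    trusted = [r for r in reports if r.trusted]
    if not trusted:
        return "needs-review", "no analyzer report the auditor has confidence in"
    risks = [normalise(r) for r in trusted]
    worst = max(risks)
    if worst >= threshold:
        return "reject", f"{worst.name.lower()} risk reported by an analyzer"
    if all(r == Risk.LOW for r in risks):
        return "approve", "all trusted analyzers report low risk"
    return "needs-review", f"{worst.name.lower()} risk is below the threshold but not low"


if __name__ == "__main__":
    sample = [Report("analyzer-a", "moderate"), Report("analyzer-b", "pass")]
    print(recommend("com.example.notes", "2.2", sample))
```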
If an app is approved, procedures must be defined that specify how the approved app should be processed and ultimately deployed onto the organization's devices. For example, a procedure may specify the steps needed to digitally sign an app before being submitted to the administrator for deployment onto the organization's devices. Similarly, if an app is rejected, a procedure may specify the steps needed to identify an alternative app or to resolve detected vulnerabilities with the app developer. Procedures that define the steps associated with approving or rejecting an app should be included in the organization's app security policies.

Footnote 11: Vulnerability databases generally reference vulnerabilities by their Common Vulnerabilities and Exposures (CVE) identifier. For more information on CVE, see [44].

Appendix A — Recommendations

This appendix describes recommendations for vetting the security of mobile applications. These recommendations are described within the context of the planning of an app vetting process implementation as well as the app testing and app approval/rejection activities.

A.1 Planning

• Perform a risk analysis [10] to understand and document the potential security impact of mobile apps on the organization's computing, networking, and data resources.
• Review and document the mobile device hardware and operating system security controls, for example an encrypted file system, and identify which security and privacy requirements can be addressed by the mobile device itself.

• Review and document mobile enterprise security technologies, such as Mobile Device Management (MDM) solutions, and identify which security and privacy requirements can be addressed by these technologies.
• Review the organization's mobile security architecture and understand what threats are mitigated through the technical and operational controls.
• Identify potential security and privacy risks that are not mitigated through these technical and operational controls.
• Develop organizational app security requirements by identifying general and context-sensitive requirements.

• Educate organizational staff on the limitations of app vetting and the value of human involvement in an app vetting process.
• Procure an adequate budget for performing an app vetting process.

• Hire personnel, particularly auditors, with appropriate expertise.

A.2 App Testing

• Review licensing agreements associated with analyzers and understand the security implications surrounding the integrity, intellectual property, and licensing issues when submitting an app to an analyzer.

• Ensure that apps transmitted over the network use an encrypted channel (e.g., SSL) and that apps are stored on a secure machine at the analyzer's location. In addition, ensure that only authorized users have access to that machine.

• Identify general app security requirements needed by the organization.

• Select appropriate testing tools and methodologies for determining the satisfaction or violation of general app security requirements.
• Ensure that app updates are tested.
• Leverage existing testing results where possible.

A.3 App Approval/Rejection

• Use analyzers that leverage a standardized reporting format or risk assessment methodology, or that provide intuitive and easy-to-interpret reports and risk assessments.
• Ensure sufficient training of auditors on both the organization's security requirements and interpretation of analyzer reports and risk assessments.
• Use multiple auditors to increase the likelihood of appropriate recommendations.
• Identify organization-specific vetting criteria necessary for vetting context-sensitive app security requirements.

• Monitor public databases, mailing lists, and other publicly available security vulnerability reporting repositories to keep abreast of new developments that may impact the security of mobile devices and mobile apps.

Appendix B — Android App Vulnerability Types

This appendix identifies vulnerabilities specific to apps running on Android mobile devices. The scope of this appendix includes app vulnerabilities for Android-based mobile devices running apps written in Java.

The scope does not include vulnerabilities in the mobile platform hardware and communications networks. Although some of the vulnerabilities described below are common across mobile device environments, this appendix focuses only on Android-specific vulnerabilities. The vulnerabilities in this appendix are broken into three hierarchical levels, A, B, and C. The A level is referred to as the vulnerability class and is the broadest description for the vulnerabilities specified under that level. The B level is referred to as the sub-class and attempts to narrow down the scope of the vulnerability class into a smaller, common group of vulnerabilities. The C level specifies the individual vulnerabilities that have been identified. The purpose of this hierarchy is to guide the reader to finding the type of vulnerability they are looking for as quickly as possible. The A level general categories of Android app vulnerabilities are listed below:

Table 1. Android Vulnerabilities, A Level

Type: Incorrect Permissions
Description: Permissions allow accessing controlled functionality such as the camera or GPS and are requested in the program. Permissions can be implicitly granted to an app without the user's consent.
Negative Consequence: An app with too many permissions may perform unintended functions outside the scope of the app's intended functionality. Additionally, the permissions are vulnerable to hijacking by another app. If too few permissions are granted, the app will not be able to perform the functions required.

Type: Exposed Communications
Description: Internal communications protocols are the means by which an app passes messages internally within the device, either to itself or to other apps. External communications allow information to leave the device.
Negative Consequence: Exposed internal communications allow apps to gather unintended information and inject new information. Exposed external communication (data network, Wi-Fi, Bluetooth, NFC, etc.) leaves information open to disclosure or man-in-the-middle attacks.

Type: Potentially Dangerous Functionality
Description: Controlled functionality that accesses system-critical resources or the user's personal information. This functionality can be invoked through API calls or hard coded into an app.
Negative Consequence: Unintended functions could be performed outside the scope of the app's functionality.

Type: App Collusion
Description: Two or more apps passing information to each other in order to increase the capabilities of one or both apps beyond their declared scope.
Negative Consequence: Collusion can allow apps to obtain data that was unintended, such as a gaming app obtaining access to the user's contact list.

Type: Obfuscation
Description: Functionality or control flows that are hidden or obscured from the user. For the purposes of this appendix, obfuscation was defined as three criteria: external library calls, reflection, and native code usage.
Negative Consequence: 1. External libraries can contain unexpected and/or malicious functionality. 2. Reflective calls can obscure the control flow of an app and/or subvert permissions within an app. 3. Native code (code written in languages other than Java in Android) can perform unexpected and/or malicious functionality.

Type: Excessive Power Consumption
Description: Excessive functions or unintended apps running on a device which intentionally or unintentionally drain the battery.
Negative Consequence: Shortened battery life could affect the ability to perform mission-critical functions.

Type: Traditional Software Vulnerabilities
Description: All vulnerabilities associated with traditional Java code including: Authentication and Access Control, Buffer Handling, Control Flow Management, Encryption and Randomness, Error Handling, File Handling, Information Leaks, Initialization and Shutdown, Injection, Malicious Logic, Number Handling, and Pointer and Reference Handling.
Negative Consequence: Common consequences include unexpected outputs, resource exhaustion, denial of service, etc.

The table below shows the hierarchy of Android app vulnerabilities from A level to C level.

Table 2. Android Vulnerabilities by Level

Level A: Permissions
  Level B: Over Granting
    Level C: Over Granting in Code; Over Granting in API
  Level B: Under Granting
    Level C: Under Granting in Code; Under Granting in API
  Level B: Developer Created Permissions
    Level C: Developer Created in Code; Developer Created in API
  Level B: Implicit Permission
    Level C: Granted through API; Granted through Other Permissions; Granted through Grandfathering

Level A: Exposed Communications
  Level B: External Communications
    Level C: Bluetooth; GPS; Network/Data Communications; NFC Access
  Level B: Internal Communications
    Level C: Unprotected Intents; Unprotected Activities; Unprotected Services; Unprotected Content Providers; Unprotected Broadcast Receivers; Debug Flag

Level A: Potentially Dangerous Functionality
  Level B: Direct Addressing
    Level C: Memory Access; Internet Access
  Level B: Potentially Dangerous API
    Level C: Cost Sensitive APIs; Personal Information APIs; Device Management APIs
  Level B: Privilege Escalation
    Level C: Altering File Privileges; Accessing Super User/Root

Level A: App Collusion
  Level B: Content Provider/Intents
    Level C: Unprotected Content Providers; Permission Protected Content Providers; Pending Intents
  Level B: Broadcast Receiver
    Level C: Broadcast Receiver for Critical Messages
  Level B: Data Creation/Changes/Deletion
    Level C: Creation/Changes/Deletion to File Resources; Creation/Changes/Deletion to Database Resources
  Level B: Number of Services
    Level C: Excessive Checks for Service State

Level A: Obfuscation
  Level B: Library Calls
    Level C: Use of Potentially Dangerous Libraries; Potentially Malicious Libraries; Packaged but Not Used
  Level B: Native Code Detection
  Level B: Reflection
  Level B: Packed Code

Level A: Excessive Power Consumption
  Level B: CPU Usage
  Level B: I/O

Appendix C — iOS App Vulnerability Types

This appendix identifies and defines the various types of vulnerabilities that are specific to apps running on mobile devices utilizing the Apple iOS operating system. The scope does not include vulnerabilities in the mobile platform hardware and communications networks. Although some of the vulnerabilities described below are common across mobile device environments, this appendix focuses on iOS-specific vulnerabilities. The vulnerabilities in this appendix are broken into three hierarchical levels, A, B, and C. The A level is referred to as the vulnerability class and is the broadest description for the vulnerabilities specified under that level. The B level is referred to as the sub-class and attempts to narrow down the scope of the vulnerability class into a smaller, common group of vulnerabilities. The C level specifies the individual vulnerabilities that have been identified. The purpose of this hierarchy is to guide the reader to finding the type of vulnerability they are looking for as quickly as possible. The A level general categories of iOS app vulnerabilities are listed below:

Table 3. iOS Vulnerability Descriptions, A Level

Type: Privacy
Description: Similar to Android permissions, iOS privacy settings allow for user-controlled app access to sensitive information. This includes: contacts, calendar information, tasks, reminders, photos, and Bluetooth access.
Negative Consequence: iOS lacks the ability to create shared information and protect it. All paths of information sharing are controlled by the iOS app framework and may not be extended. Unlike Android, these permissions may be modified later for individual permissions and apps.

Type: Exposed Communication - Internal and External
Description: Internal communications protocols allow apps to process information and communicate with other apps. External communications allow information to leave the device.
Negative Consequence: Exposed internal communications allow apps to gather unintended information and inject new information. Exposed external communications (data network, Wi-Fi, Bluetooth, etc.) leave information open to disclosure or man-in-the-middle attacks.

Type: Potentially Dangerous Functionality
Description: Controlled functionality that accesses system-critical resources or the user's personal information. This functionality can be invoked through API calls or hard coded into an app.
Negative Consequence: Unintended functions could be performed outside the scope of the app's functionality.

Type: App Collusion
Description: Two or more apps passing information to each other in order to increase the capabilities of one or both apps beyond their declared scope.
Negative Consequence: Collusion can allow apps to obtain data that was unintended, such as a gaming app obtaining access to the user's contact list.

Type: Obfuscation
Description: Functionality or control flow that is hidden or obscured from the user. For the purposes of this appendix, obfuscation was defined as three criteria: external library calls, reflection, and packed code.
Negative Consequence:
1. External libraries can contain unexpected and/or malicious functionality.
2. Reflective calls can obscure the control flow of an app and/or subvert permissions within an app.
3. Packed code prevents code reverse engineering and can be used to hide malware.

Type: Excessive Power Consumption
Description: Excessive functions or unintended apps running on a device which intentionally or unintentionally drain the battery.
Negative Consequence: Shortened battery life could affect the ability to perform mission-critical functions.

Type: Traditional Software Vulnerabilities
Description: All vulnerabilities associated with Objective-C and others. This includes: Authentication and Access Control, Buffer Handling, Control Flow Management, Encryption and Randomness, Error Handling, File Handling, Information Leaks, Initialization and Shutdown, Injection, Malicious Logic, Number Handling, and Pointer and Reference Handling.
Negative Consequence: Common consequences include unexpected outputs, resource exhaustion, denial of service, etc.

The table below shows the hierarchy of iOS app vulnerabilities from A level to C level.

NIST SP 800-163 Vetting the Security of Mobile Applications
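An analyzer's report is most useful to an auditor when it speaks in the Level A/B/C labels of this appendix rather than in raw symbol names. The Python below is an added example, not code from NIST SP 800-163 or from any real vetting tool: a static indicator scan that maps strings recovered from an iOS app binary (what `strings`, `nm` or `class-dump` would list), keys from its Info.plist, and its Mach-O load commands onto the Level A classes of Table 3 and the B/C sub-classes tabulated next. The Objective-C class, function and selector names are real iOS identifiers, but the mapping of each to a category is our assumption for illustration, and the sample strings, plist dictionary and `otool -l` excerpt are constructed. It also carries the packed-code caveat a practitioner needs: an App Store binary whose LC_ENCRYPTION_INFO cryptid is still 1 has not been decrypted, so a clean string scan of it proves nothing.

```python
"""Static indicator scan keyed to the Level A / B / C hierarchy of this
appendix.  Added example, not code from NIST SP 800-163 or any real
vetting tool; the indicator table is an assumption chosen for illustration
and every input at the bottom is constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "level_a level_b level_c evidence")

# Regex over one recovered string -> (Level A, Level B, Level C).  The class,
# function and selector names are real iOS/Objective-C identifiers that
# `strings`, `nm` or `class-dump` would show; the categorisation is ours.
INDICATORS = [
    (r"^(CNContactStore|ABAddressBookCreateWithOptions)$",
     ("Privacy", "Sensitive Information", "Contacts")),
    (r"^EKEventStore$",
     ("Privacy", "Sensitive Information", "Calendar Information")),
    (r"^(PHPhotoLibrary|ALAssetsLibrary)$",
     ("Privacy", "Sensitive Information", "Photos")),
    # tel:/sms: URLs handed to -openURL: place calls or send messages.
    (r"^(tel|telprompt|sms):",
     ("Potentially Dangerous Functionality", "Potentially Dangerous API",
      "Cost Sensitive APIs")),
    # Each of these disables TLS chain validation, so traffic is open to MITM.
    (r"^(setAllowsAnyHTTPSCertificate:forHost:|"
     r"continueWithoutCredentialForAuthenticationChallenge:|"
     r"kCFStreamSSLAllowsAnyRoots)$",
     ("Exposed Communications", "External Communications",
      "Network/Data Communications")),
    (r"^(NSClassFromString|objc_getClass)$",
     ("Obfuscation", "Reflection", "Class Introspection")),
    (r"^(NSSelectorFromString|sel_registerName|performSelector:|"
     r"method_exchangeImplementations)$",
     ("Obfuscation", "Reflection", "Method Introspection")),
    (r"^(dlopen|dlsym)$",
     ("Obfuscation", "Reflection", "Library Calls")),
]

# Privacy-sensitive Level C item -> Info.plist purpose-string key.
USAGE_KEYS = {
    "Contacts": "NSContactsUsageDescription",
    "Calendar Information": "NSCalendarsUsageDescription",
    "Photos": "NSPhotoLibraryUsageDescription",
}


def fairplay_encrypted(otool_l_output):
    """True when an LC_ENCRYPTION_INFO(_64) command reports cryptid 1: the
    __TEXT segment is still App Store encrypted, so a string scan sees only
    the headers and its silence proves nothing."""
    m = re.search(r"cmd LC_ENCRYPTION_INFO(?:_64)?.*?cryptid (\d+)",
                  otool_l_output, re.S)
    return bool(m) and m.group(1) == "1"


def scan(strings, info_plist, otool_l_output):
    """Return every indicator hit as a Finding in the appendix's hierarchy."""
    findings = []
    if fairplay_encrypted(otool_l_output):
        findings.append(Finding("Obfuscation", "Packed Code",
                                "Encrypted __TEXT (cryptid 1)", "LC_ENCRYPTION_INFO"))
    for s in strings:
        for pattern, (a, b, c) in INDICATORS:
            if re.match(pattern, s):
                findings.append(Finding(a, b, c, s))
    # A custom URL scheme is an internal communication path any app can drive.
    for url_type in info_plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(Finding("Exposed Communications", "Internal Communications",
                                    "Abusing Protocol Handlers", scheme + ":"))
    # Background modes keep radios or the CPU busy after the user leaves the app.
    for mode in info_plist.get("UIBackgroundModes", []):
        findings.append(Finding("Excessive Power Consumption", "CPU Usage",
                                "UIBackgroundModes", mode))
    # Sensitive API used but no purpose string: the user's privacy prompt is blank.
    for f in list(findings):
        key = USAGE_KEYS.get(f.level_c)
        if key and key not in info_plist:
            findings.append(Finding("Privacy", "Sensitive Information", f.level_c,
                                    "missing " + key))
    return findings


# Constructed inputs standing in for `strings`/`class-dump` output, the decoded
# Info.plist and `otool -l` output of a hypothetical, already decrypted app.
SAMPLE_STRINGS = ["UIViewController", "CNContactStore", "PHPhotoLibrary",
                  "NSClassFromString", "performSelector:", "telprompt:",
                  "setAllowsAnyHTTPSCertificate:forHost:", "dlopen"]
SAMPLE_PLIST = {
    "CFBundleIdentifier": "com.example.vettingdemo",
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["vettingdemo"]}],
    "UIBackgroundModes": ["location"],
    "NSContactsUsageDescription": "Used to find friends.",
}
SAMPLE_OTOOL_L = """Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 4046848
      cryptid 0
          pad 0
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_STRINGS, SAMPLE_PLIST, SAMPLE_OTOOL_L):
        print("%-36s %-28s %-30s %s" % f)
```

Run as a script it prints one line per finding. Treat the output as leads for an analyst, not verdicts: NSClassFromString and performSelector: appear in plenty of benign apps, the UIBackgroundModes hit only says the app asked to run in the background, and a binary that scores no hits while cryptid is 1 has simply not been looked at.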

Table 4. iOS Vulnerabilities by Level

Level A: Privacy
  Level B: Sensitive Information
    Level C: Contacts; Calendar Information; Tasks; Reminders; Photos; Bluetooth Access

Level A: Exposed Communications
  Level B: External Communications
    Level C: Telephony; Bluetooth; GPS; SMS/MMS; Network/Data Communications
  Level B: Internal Communications
    Level C: Abusing Protocol Handlers

Level A: Potentially Dangerous Functionality
  Level B: Direct Memory Mapping
    Level C: Memory Access; File System Access
  Level B: Potentially Dangerous API
    Level C: Cost Sensitive APIs; Device Management APIs; Personal Information APIs

Level A: App Collusion
  Level B: Data Change
    Level C: Changes to Shared File Resources; Changes to Shared Database Resources; Changes to Shared Content Providers
  Level B: Data Creation/Deletion
    Level C: Creation/Deletion to Shared File Resources

Level A: Obfuscation
  Level B: Number of Services
    Level C: Excessive Checks for Service State
  Level B: Native Code
    Level C: Potentially Malicious Libraries Packaged but not Used; Use of Potentially Dangerous Libraries
  Level B: Reflection
    Level C: Identification; Class Introspection; Library Calls; Constructor Introspection; Field Introspection; Method Introspection
  Level B: Packed Code

Level A: Excessive Power Consumption
  Level B: CPU Usage
  Level B: I/O

Appendix D—Glossary

Selected terms used in this publication are defined below.

Administrator: A member of the organization who is responsible for deploying, maintaining, and securing the organization's mobile devices as well as ensuring that deployed devices and their installed apps conform to the organization's security requirements.

Analyzer: A service, tool, or human that tests an app for specific software vulnerabilities.

App Security Requirement: A requirement that ensures the security of an app. A general requirement is an app security requirement that defines software characteristics or behavior that an app must exhibit to be considered secure. A context-sensitive requirement is an app security requirement that is specific to the organization. An organization's app security requirements comprise a subset of general and context-sensitive requirements.

App Vetting Process: The process of verifying that an app meets an organization's security requirements. An app vetting process comprises app testing and app approval/rejection activities.

Approver: A member of the organization that determines the organization's official approval or rejection of an app.

Auditor: A member of the organization who inspects reports and risk assessments from one or more analyzers as well as organization-specific criteria to ensure that an app meets the security requirements of the organization.

Dynamic Analysis: Detecting software vulnerabilities by executing an app using a set of input use cases and analyzing the app's runtime behavior.

Fault Injection Testing: Attempting to artificially cause an error within an app during execution by forcing it to experience corrupt data or corrupt internal states to see how robust it is against these simulated failures.

Functionality Testing: Verifying that an app's user interface, content, and features perform and display as designed.

Personally Identifiable Information: Any information about an individual that can be used to distinguish or trace an individual's identity and any other information that is linked or linkable to an individual [45].

Risk Assessment: A value that defines an analyzer's estimated level of security risk for using an app. Risk assessments are typically based on the likelihood that a detected vulnerability will be exploited and the impact that the detected vulnerability may have on the app or its related device or network. Risk assessments are typically represented as categories (e.g., low-, moderate-, and high-risk).

Static Analysis: Detecting software vulnerabilities by examining the app source code and binary and attempting to reason over all possible behaviors that might arise at runtime.

Software Assurance: The level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner.

Software Correctness Testing: The process of executing a program with the intent of finding errors; it is aimed primarily at improving quality assurance, verifying and validating described functionality, or estimating reliability.

Software Vulnerability: A security flaw, glitch, or weakness found in software that can be exploited by an attacker.

Appendix E—Acronyms and Abbreviations

Selected acronyms and abbreviations used in this publication are defined below.

3G 3rd Generation
API Application Programming Interface
CAPEC Common Attack Pattern Enumeration and Classification
CMVP Cryptographic Module Validation Program
CPU Central Processing Unit
CVE Common Vulnerabilities and Exposures
CWE Common Weakness Enumeration
DHS Department of Homeland Security
DoD Department of Defense
DOJ Department of Justice
EULA End User License Agreement
FIPS Federal Information Processing Standard
FISMA Federal Information Security Management Act
GPS Global Positioning System
I/O Input/Output
IT Information Technology
ITL Information Technology Laboratory
JVM Java Virtual Machine
LTE Long-Term Evolution
MDM Mobile Device Management
NFC Near Field Communications
NIST National Institute of Standards and Technology
NVD National Vulnerability Database
OMB Office of Management and Budget
OS Operating System
PII Personally Identifiable Information
QoS Quality of Service
SAMATE Software Assurance Metrics And Tool Evaluation
SCAP Security Content Automation Protocol
SD Secure Digital
SDK Software Development Kit
SLA Service-Level Agreement
SMS Short Message Service
SP Special Publication
UI User Interface
VPN Virtual Private Network
Wi-Fi Wireless Fidelity

Appendix F—References

References for this publication are listed below.

[1] Committee on National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, April 2010. https://www.cnss.gov/CNSS/issuances/Instructions.cfm (accessed 12/4/14).

[2] National Aeronautics and Space Administration (NASA) NASA-STD-8739.8 w/Change 1, Standard for Software Assurance, July 28, 2004 (revised May 5, 2005). http://www.hq.nasa.gov/office/codeq/doctree/87398.htm (accessed 12/4/14).

[3] Radio Technical Commission for Aeronautics (RTCA), RTCA/DO-178B, Software Considerations in Airborne Systems and Equipment Certification, December 1, 1992 (errata issued March 26, 1999).

[4] International Electrotechnical Commission (IEC), IEC 61508, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, edition 2.0 (7 parts), April 2010.

[5] International Organization for Standardization (ISO), ISO 26262, Road vehicles -- Functional safety (10 parts), 2011.

[6] M. Souppaya and K. Scarfone, Guidelines for Managing the Security of Mobile Devices in the Enterprise, NIST Special Publication (SP) 800-124 Revision 1, June 2013. http://dx.doi.org/10.6028/NIST.SP.800-124r1.

[7] National Information Assurance Partnership, Protection Profile for Mobile Device Fundamentals Version 2.0, September 17, 2014. https://www.niap-ccevs.org/pp/PP_MD_v2.0/ (accessed 12/4/14).

[8] Joint Task Force Transformation Initiative, Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication (SP) 800-53 Revision 4, April 2013 (updated January 15, 2014). http://dx.doi.org/10.6028/NIST.SP.800-53r4.

[9] NIST, AppVet Mobile App Vetting System [Web site], http://csrc.nist.gov/projects/appvet/ (accessed 12/4/14).

[10] Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, NIST Special Publication (SP) 800-30 Revision 1, September 2012. http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf (accessed 12/4/14).

[11] G. McGraw, Software Security: Building Security In, Upper Saddle River, New Jersey: Addison-Wesley Professional, 2006.

[12] M. Dowd, J. McDonald and J. Schuh, The Art of Software Security Assessment - Identifying and Preventing Software Vulnerabilities, Upper Saddle River, New Jersey: Addison-Wesley Professional, 2006.

[13] H.G. Rice, "Classes of Recursively Enumerable Sets and Their Decision Problems," Transactions of the American Mathematical Society 74, pp. 358-366, 1953. http://dx.doi.org/10.1090/S0002-9947-1953-0053041-6.

[14] J.H. Allen, S. Barnum, R.J. Ellison, G. McGraw, and N.R. Mead, Software Security Engineering: a Guide for Project Managers, Upper Saddle River, New Jersey: Addison-Wesley, 2008.

[15] Microsoft Corporation, The STRIDE Threat Model [Web site], http://msdn.microsoft.com/en-us/library/ee823878%28v=cs.20%29.aspx, 2005 (accessed 12/4/14).

[16] Trike - open source threat modeling methodology and tool [Web site], http://www.octotrike.org (accessed 12/4/14).

[17] K. Scarfone, M. Souppaya, A. Cody and A. Orebaugh, Technical Guide to Information Security Testing and Assessment, NIST Special Publication (SP) 800-115, September 2008. http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf (accessed 12/4/14).

[18] D.C. Gause and G.M. Weinberg, Exploring Requirements: Quality Before Design, New York: Dorset House Publishing, 1989.

[19] B. Nuseibeh and S. Easterbrook, "Requirements engineering: a roadmap," Proceedings of the Conference on The Future of Software Engineering (ICSE '00), Limerick, Ireland, June 7-9, 2000, New York: ACM, pp. 35-46. http://dx.doi.org/10.1145/336512.336523.

[20] NIST, Cryptographic Module Validation Program (CMVP) [Web site], http://csrc.nist.gov/groups/STM/cmvp/ (accessed 12/4/14).

[21] E. Barker and Q. Dang, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, NIST Special Publication (SP) 800-57 Part 3 Revision 1 (DRAFT), May 2014. http://csrc.nist.gov/publications/drafts/800-57pt3_r1/sp800_57_pt3_r1_draft.pdf (accessed 12/4/14).

[22] M. Pezzè and M. Young, Software Testing and Analysis: Process, Principles and Techniques, Hoboken, New Jersey: John Wiley & Sons, Inc., 2008.

[23] G.G. Schulmeyer, ed., Handbook of Software Quality Assurance, 4th Edition, Norwood, Massachusetts: Artech House, Inc., 2008.

[24] B.B. Agarwal, S.P. Tayal and M. Gupta, Software Engineering and Testing, Sudbury, Massachusetts: Jones and Bartlett Publishers, 2010.

[25] J.R. Maximoff, M.D. Trela, D.R. Kuhn and R. Kacker, A Method for Analyzing System State-space Coverage within a t-Wise Testing Framework, 4th Annual IEEE International Systems Conference, April 5-8, 2010, San Diego, California, pp. 598-603. http://dx.doi.org/10.1109/SYSTEMS.2010.5482481.

[26] G.J. Myers, The Art of Software Testing, second edition, Hoboken, New Jersey: John Wiley & Sons, Inc., 2004.

[27] OW2 Consortium, ASM - Java bytecode manipulation and analysis framework [Web site], http://asm.ow2.org/ (accessed 12/4/14).

[28] H. Chen, T. Zou and D. Wang, "Data-flow based vulnerability analysis and java bytecode," 7th WSEAS International Conference on Applied Computer Science (ACS'07), Venice, Italy, November 21-23, 2007, pp. 201-207. http://www.wseas.us/e-library/conferences/2007venice/papers/570-602.pdf (accessed 12/4/14).

[29] University of Maryland, FindBugs: Find Bugs in Java Programs - Static analysis to look for bugs in Java code [Web site], http://findbugs.sourceforge.net/ (accessed 12/4/14).

[30] R.A. Shah, Vulnerability Assessment of Java Bytecode, Master's Thesis, Auburn University, December 16, 2005. http://hdl.handle.net/10415/203.

[31] G. Zhao, H. Chen and D. Wang, "Data-Flow Based Analysis of Java Bytecode Vulnerability," In Proceedings of the Ninth International Conference on Web-Age Information Management (WAIM '08), Zhangjiajie, China, July 20-22, 2008, Washington, DC: IEEE Computer Society, pp. 647-653. http://doi.ieeecomputersociety.org/10.1109/WAIM.2008.99.

[32] G. Balakrishnan, WYSINWYX: What You See Is Not What You eXecute, Ph.D. diss. [and Tech. Rep. TR-1603], Computer Sciences Department, University of Wisconsin-Madison, Madison, Wisconsin, August 2007. http://research.cs.wisc.edu/wpis/papers/balakrishnan_thesis.pdf (accessed 12/4/14).

[33] NIST, SAMATE: Software Assurance Metrics And Tool Evaluation [Web site], http://samate.nist.gov/Main_Page.html (accessed 12/4/14).

[34] The MITRE Corporation, Common Weakness Enumeration CWE-190: Integer Overflow or Wraparound [Web site], http://cwe.mitre.org/data/definitions/190.html (accessed 12/4/14).

[35] The MITRE Corporation, Common Weakness Enumeration CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') [Web site], http://cwe.mitre.org/data/definitions/77.html (accessed 12/4/14).

[36] NIST, National Vulnerability Database (NVD) [Web site], http://nvd.nist.gov/ (accessed 12/4/14).

[37] NIST, Security Content Automation Protocol (SCAP) [Web site], http://scap.nist.gov/ (accessed 12/4/14).

[38] The MITRE Corporation, Common Weakness Enumeration [Web site], http://cwe.mitre.org/ (accessed 12/4/14).

[39] The MITRE Corporation, Common Attack Pattern Enumeration and Classification [Web site], https://capec.mitre.org/ (accessed 12/4/14).

[40] R.A. Martin and S.M. Christey, "The Software Industry's 'Clean Water Act' Alternative," IEEE Security & Privacy 10(3), pp. 24-31, May-June 2012. http://dx.doi.org/10.1109/MSP.2012.3.

[41] Forum of Incident Response and Security Teams (FIRST), Common Vulnerability Scoring System (CVSS-SIG) [Web site], http://www.first.org/cvss (accessed 12/4/14).

[42] Industry Consortium for Advancement of Security on the Internet (ICASI), The Common Vulnerability Reporting Framework (CVRF) [Web site], http://www.icasi.org/cvrf (accessed 12/4/14).

[43] U.S. Department of Homeland Security, Software & Supply Chain Assurance – Community Resources and Information Clearinghouse (CRIC): Questionnaires [Web site], https://buildsecurityin.us-cert.gov/swa/forums-and-working-groups/acquisition-and-outsourcing/resources#ques (accessed 12/4/14).

[44] The MITRE Corporation, Common Vulnerabilities and Exposures (CVE) [Web site], https://cve.mitre.org/ (accessed 12/4/14).

[45] E. McCallister, T. Grance and K. Scarfone, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication (SP) 800-122, April 2010. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf (accessed 12/4/14).