NIAP mobile app vetting requirements: A security baseline for the federal government

Government agencies continue to rally around the “Requirements for Vetting Mobile Applications from the Protection Profile for Application Software” developed by the National Information Assurance Partnership (NIAP). Late last month, in response to increasing demand for mobile apps, the Department of Defense (DOD) unveiled plans to adopt the NIAP requirements as a standard for mobile app security requirements and the vetting of mobile apps used by DOD staff. The NIAP requirements for vetting mobile apps challenge many government agencies and developers that create mobile apps for government use. Read on for an explanation of the requirements and tips on making sure mobile apps comply with what’s becoming a standard for vetting apps for government use.

What are the NIAP “Requirements for Vetting Mobile Applications”?

NIAP is a collaboration between the National Institute for Standards and Technology (NIST) and the National Security Agency (NSA). NIAP oversees the Common Criteria evaluation and certification guidelines used to evaluate whether commercial IT products meet security standards for government deployments. The NIAP mobile app vetting requirements grew out of the Protection Profile for Application Software. The profile explains the security standards against which an application will be assessed before it’s approved for deployment within a government environment.

Similarly, the NIAP mobile app vetting requirements establish a security baseline specifically for mobile apps. Mobile app vetting cannot receive an official Common Criteria certificate at this time. However, the NIAP requirements establish a practical security baseline for mobile apps and requirements for technology that automates mobile app vetting — essential aspects of vetting third-party mobile apps for government use.

The purpose of the NIAP mobile app vetting requirements is to establish a security baseline for mobile apps and help government agencies, and others, make good, informed decisions about what mobile apps can be used within their environments. For example, the document prescribes security requirements for credential storage, access to platform resources (e.g., camera and microphone), use of third-party libraries, the encryption of sensitive app data, and more.

As a whole, the NIAP “Requirements for Vetting Mobile Applications from the Protection Profile for Application Software” include:

• 25 Security Functional Requirements
• 4 Security Assurance Requirements (security-relevant requirements not directly related to functionality)
• 29 Selection-Based Security Functional Requirements (that come into play depending on selections made in the base requirements)
• 3 Objective Security Functional Requirements (highly desired, but not yet widely available)
• 2 Optional Security Functional Requirements

Example of a NIAP Security Functional Requirement for mobile apps

One of the NIAP requirements for “Secure by Default Configuration,” FMT_CFG_EXT.1.2, reads:

The application shall be configured by default with file permissions which protect it and its data from unauthorized access.

Part of applying this requirement to the evaluation of a mobile app includes checking whether an app creates files with world-readable or world-writable permissions. A world-readable file can expose sensitive app data (e.g., stored log-in information), and a world-writable file can allow an attacker to overwrite data the app reads from storage.

You can read the “Requirements for Vetting Mobile Applications” in full on the NIAP website.

Who needs to be familiar with the NIAP mobile app vetting requirements?

As more agencies — such as DOD and the Department of Homeland Security — embrace the NIAP requirements, government employees with any responsibility for mobile app security will need to be familiar with them. The requirements will determine what tools and processes are appropriate for assessing the security of third-party mobile apps for deployment within government environments. In addition, anyone involved in the development of mobile apps within the government will need to ensure their apps abide by the requirements.

Outside of government circles, developers and marketers of mobile apps for use by the federal government will need to ensure compliance with the NIAP requirements or their apps won’t be adopted. IT administrators and security teams in the private sector might also consider adopting the NIAP requirements for vetting mobile apps for corporate use.

How to evaluate mobile apps against NIAP mobile app vetting requirements

To keep up with the ever increasing volumes of mobile apps developed, released, and updated each day, aspects of mobile app vetting must be automated to be at all practical. Anyone responsible for vetting mobile apps will need to evaluate vetting tools based on their ability to automate tests and checks that align with the NIAP mobile app vetting requirements.

NowSecure is a mobile app security expert, and our mobile app penetration testing and automated mobile app security testing products map assessment findings to relevant NIAP requirements. Learn more about NowSecure mobile app security solutions for government on our website or contact us to learn more about how we make security teams more productive by allowing them to test and vet mobile apps more quickly and perform deeper analysis than ever before.

Photo credit: “The Pentagon” by mindfrieze (CC BY-SA 2.0)