Just as mobile apps have become indispensable in daily life, they enable federal government agencies to meet their missions more effectively. Federal standards for mobile app security, such as the National Information Assurance Partnership (NIAP) v1.3 mobile app vetting requirements, give agencies a path to protecting the apps they build and use.
Mobile app security vulnerabilities are real, not hypothetical, and they put people and missions at risk. For example, consider these recent mobile app security issues that put the U.S. Navy and Marines, the Ukrainian military, and military bases and installations around the world in harm’s way. In all of these cases, hackers and nation states could learn the locations of troops using the mobile apps, and in some cases could also access other highly sensitive operational information.
A search of the federal government’s National Vulnerability Database (NVD) shows that hundreds of vulnerabilities in mobile operating systems and mobile apps are publicly reported each year. Many more go unreported, or remain unknown even to the software vendor. These mobile app vulnerabilities reflect security mistakes made throughout the software development lifecycle: missing app security requirements, app design errors, and failure to follow best practices for secure coding.
Let’s examine an example of a serious mobile app vulnerability that wasn’t discovered until after deployment: CVE-2019-9493. The affected mobile app allows a vehicle with the corresponding hardware to be remotely started, stopped, locked, unlocked, and tracked. As explained in the CERT Coordination Center Vulnerability Note, the mobile app uses hard-coded administrative credentials. Anyone who extracts those credentials from the app can reuse them to access and tamper with vehicles or to learn where vehicles are currently located.
Having hard-coded credentials in mobile apps doesn’t follow best practices for mobile app security. In fact, it violates multiple federal security requirements and guidelines:
- DISA Application Security and Development STIG, Finding ID APSC-DV-003280, “Default passwords must be changed”
- NIST SP 800-53, IA-5, Authenticator Management, “Changing default content of authenticators prior to information system installation”
- NIST Secure Software Development Framework (SSDF), PW.1, “Design Software to Meet Security Requirements and Mitigate Security Risks”
- NIAP Requirements for Vetting Mobile Apps from the Protection Profile for Application Software, FMT_CFG_EXT.1.1, “The application shall provide only enough functionality to set new credentials when configured with default credentials or no credentials.”
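The FMT_CFG_EXT.1.1 requirement quoted above can be stated as a small piece of control logic: while an app holds no credential, or only a factory default, the only thing it may do is accept a new credential. The Python model below contrasts the hard-coded pattern from the vulnerability note with a gate that enforces that rule. This is an added example, not code from the affected vehicle app, the CERT note, or NowSecure; the class and command names, the placeholder credential values and the password length policy are all constructed for illustration.

```python
"""Credential bootstrap gate modeled on NIAP FMT_CFG_EXT.1.1.

Added example; not the affected app's code or any vendor's. Class names,
the command set and the sample credential values are constructed.
"""
import hashlib
import hmac
import os

# The anti-pattern described in the vulnerability note: one administrative
# credential compiled into every copy of the app. Values are constructed
# placeholders, not the real ones from the CVE.
VULNERABLE_ADMIN_CREDENTIALS = ("admin", "changeme-example")


def vulnerable_authenticate(user, password):
    """Anyone who unpacks the app binary recovers the tuple above and passes."""
    return (user, password) == VULNERABLE_ADMIN_CREDENTIALS


VEHICLE_COMMANDS = {"start", "stop", "lock", "unlock", "locate"}
PBKDF2_ROUNDS = 200_000


class CredentialGate:
    """Hardened model: while the app has no credential, or only a factory default,
    the only operation it exposes is setting a new credential."""

    def __init__(self, factory_default=None):
        # "No credentials" and "default credentials" end up in the same state:
        # nothing but set_credentials works until the user sets their own.
        self._must_change = True
        self._salt = None
        self._digest = None
        if factory_default is not None:
            self._store(factory_default)

    def _store(self, password):
        # Salted PBKDF2 so the stored value is not the credential itself.
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)

    def _verify(self, password):
        if self._digest is None:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._digest)

    def set_credentials(self, new_password, current_password=None):
        """The one operation available before bootstrap completes.

        With no credential at all, the first user may set one freely; once any
        credential exists (factory default or user-chosen) the current one must
        be presented to replace it."""
        if self._digest is not None and not self._verify(current_password or ""):
            return "denied: current credential required"
        if len(new_password) < 12:  # constructed policy, not from the page
            return "denied: new credential too short"
        self._store(new_password)
        self._must_change = False
        return "ok: credentials set"

    def execute(self, command, password):
        """Vehicle commands are refused until a non-default credential is set."""
        if self._must_change:
            return "denied: set new credentials first"
        if not self._verify(password):
            return "denied: bad credential"
        if command not in VEHICLE_COMMANDS:
            return "denied: unknown command"
        return "ok: " + command
```

Note that the factory-default case still refuses every vehicle command even when the default is presented correctly; the default is only good for replacing itself, which is exactly the functionality the requirement permits and nothing more.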
Automated mobile app security testing enables agencies to catch vulnerabilities in mobile apps during development or acceptance testing, before the apps are put into operational use, thus reducing risk to federal missions. U.S. federal government agencies such as the Department of Defense, Department of Homeland Security, Drug Enforcement Agency and the State Department leverage NowSecure for automated mobile application security analysis to safeguard the mobile apps they build and use.
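To make concrete what an automated check for the hard-coded credential class looks like, here is a minimal static scanner run over a few constructed mobile app artifacts: a Java source file, an Android `strings.xml`, an iOS `Info.plist` fragment, and a Kotlin file that reads its secret from the keystore and should pass. This is an added example, not NowSecure's product or any real scanner's rule set; the rule names, file paths and every credential value in the sample inputs are constructed for illustration.

```python
"""Hard-coded credential detector over constructed mobile app artifacts.

Added example; not NowSecure's or any vendor's rules. The regexes are a
starting heuristic: they flag credential-like identifiers assigned a quoted
literal, credential-like resource keys, and inline HTTP Basic tokens.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    text: str


# Identifier fragments that usually name a credential.
_CRED_KEY = r"(?:pass(?:word|wd)?|secret|api[_-]?key|token|admin[_-]?(?:user|pwd|password))"

RULES = {
    # Java/Kotlin/Swift style: NAME = "literal", with an optional ": Type".
    "literal-assignment": re.compile(
        rf"(?i)\b\w*{_CRED_KEY}\w*(?:\s*:\s*\w+)?\s*=\s*[\"'][^\"']{{4,}}[\"']"),
    # Android resource string whose name looks like a credential.
    "android-string-resource": re.compile(
        rf"(?i)<string\s+name=\"\w*{_CRED_KEY}\w*\">[^<]{{4,}}</string>"),
    # iOS plist key/value pair whose key looks like a credential.
    "ios-plist-entry": re.compile(
        rf"(?i)<key>\w*{_CRED_KEY}\w*</key>\s*<string>[^<]{{4,}}</string>"),
    # A baked-in HTTP Basic authorization value.
    "basic-auth-header": re.compile(r"(?i)\bbasic\s+[A-Za-z0-9+/]{8,}={0,2}"),
}

# Constructed sample inputs. Paths, class names and values are invented.
SAMPLE_ARTIFACTS: Dict[str, str] = {
    "app/src/main/java/com/example/fleet/RemoteApi.java": """\
public final class RemoteApi {
    private static final String BASE_URL = "https://fleet.example.invalid/api";
    private static final String ADMIN_USER = "admin";
    private static final String ADMIN_PASSWORD = "changeme-example";
    private static final String AUTH_HEADER = "Basic YWRtaW46Y2hhbmdlbWU=";
}
""",
    "app/src/main/res/values/strings.xml": """\
<resources>
    <string name="app_name">Fleet Remote</string>
    <string name="backend_api_key">sk_example_0123456789abcdef</string>
</resources>
""",
    "ios/FleetRemote/Info.plist": """\
<dict>
    <key>CFBundleName</key><string>FleetRemote</string>
    <key>AdminPassword</key><string>changeme-example</string>
</dict>
""",
    # The pattern that should pass: the token is minted per user at enrollment
    # and read from the hardware-backed keystore, never from a literal.
    "app/src/main/java/com/example/fleet/SessionStore.kt": """\
class SessionStore(private val keystore: AndroidKeyStore) {
    val sessionToken: String get() = keystore.read("session_token")
    val minPasswordLength = 12
}
""",
}


def scan_text(path: str, text: str) -> List[Finding]:
    """Apply every rule to every line of one artifact; one finding per rule hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_artifacts(artifacts: Dict[str, str]) -> List[Finding]:
    """Scan a path->content mapping, as a build step would over an unpacked app."""
    findings = []
    for path, text in artifacts.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
```

On the sample inputs the scanner reports the two hard-coded admin values and the Basic header in the Java file, the API key resource, and the plist password, and nothing in the Kotlin file. A production check would pair rules like these with analysis of the compiled binary and network traffic, since a credential can also be assembled at runtime rather than sitting in a single literal.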
In 2017, the DoD CIO required unclassified mobile apps to comply with NIAP. Evaluating a mobile app against the NIAP v1.3 mobile app vetting requirements can help agencies spot hard-coded credentials, weak or improper cryptography, third-party libraries that route data to China or Russia, and dozens of other types of security vulnerabilities.
Download the NowSecure white paper, “How to Ensure NIAP Mobile Application Compliance,” to discover what NIAP Mobile App Vetting is and how it helps get critical mobile apps to the field faster.