Recognizing that mobile apps on smartphones and tablets can be just as big a hazard to an organization's data security and information system integrity as untrusted or malicious desktop programs, corporations and government agencies often maintain lists of mobile apps approved for use on internal networks. But managing the software assurance workflow means testing each app manually with multiple tools, a complex and time-consuming process.
"AppVet aims to simplify the complexity of manually testing apps through multiple test tools," explained Steve Quirolgico, a computer scientist at NIST and a member of the team developing AppVet, in announcing the free tool.
AppVet does not do any testing itself; rather, it manages third-party test tools. AppVet provides specifications, application programming interfaces (APIs) and requirements that make it straightforward to integrate third-party test tools as well as clients, including app stores. AppVet can support apps for different platforms, including Android, iOS and Windows.
After an app is submitted to the test tools, which check for, say, malware and reliability, AppVet receives the reports and risk assessments from all of the tests and combines the tools' risk assessments into a single overview.
Human analysts from the organization can then review the reports and risk assessments and decide whether to approve or reject the app according to the organization's requirements.
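The workflow above (submit an app to several independent tools, collect each tool's report and risk rating, fold them into one overview, and leave the approve/reject decision to an analyst) is easiest to see in code. The following is an added example written for this page; it is not AppVet's own code or API. The three tool adapters, the LOW/MODERATE/HIGH risk scale, the "worst reported risk wins" aggregation rule and the sample app payloads are all assumptions made for the illustration.

```python
"""Vetting-orchestrator pattern: run several test tools against one app,
collect their reports, and produce a single overview for a human analyst.
Added example code; not AppVet's code. Tool names, risk scale and the
aggregation rule are assumptions."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed ordinal risk scale; a higher index means higher risk.
RISK_LEVELS = ["LOW", "MODERATE", "HIGH"]


@dataclass
class ToolReport:
    tool: str
    status: str                 # "COMPLETED" or "ERROR"
    risk: Optional[str] = None  # one of RISK_LEVELS when COMPLETED
    findings: List[str] = field(default_factory=list)


# A tool adapter takes the raw app package and returns a ToolReport.
ToolAdapter = Callable[[bytes], ToolReport]


def malware_scan(app: bytes) -> ToolReport:
    """Hypothetical signature scanner: matches constructed marker strings."""
    hits = [m for m in (b"EICAR-TEST", b'exec("su")') if m in app]
    risk = "HIGH" if hits else "LOW"
    return ToolReport("malware-scan", "COMPLETED", risk,
                      [f"matched {h!r}" for h in hits])


def permission_audit(app: bytes) -> ToolReport:
    """Hypothetical static check: grades the app by risky permission strings."""
    risky = [p for p in (b"READ_SMS", b"RECORD_AUDIO", b"SEND_SMS") if p in app]
    risk = "LOW" if not risky else ("MODERATE" if len(risky) == 1 else "HIGH")
    return ToolReport("permission-audit", "COMPLETED", risk,
                      [p.decode() for p in risky])


def reliability_check(app: bytes) -> ToolReport:
    """Hypothetical dynamic test that cannot run on an empty package."""
    if not app:
        return ToolReport("reliability-check", "ERROR",
                          findings=["no package data"])
    return ToolReport("reliability-check", "COMPLETED", "LOW")


# Registry of tools the orchestrator submits each app to (assumed set).
TOOLS: Dict[str, ToolAdapter] = {
    "malware": malware_scan,
    "permissions": permission_audit,
    "reliability": reliability_check,
}


def vet_app(app: bytes, tools: Dict[str, ToolAdapter]) -> dict:
    """Run every tool and combine the results into one overview.

    Aggregation rule (an assumption): overall risk is the worst risk any
    completed tool reported. A tool error is surfaced separately rather than
    being treated as a pass, so the analyst sees that coverage was incomplete.
    """
    reports = [run(app) for run in tools.values()]
    completed = [r for r in reports if r.status == "COMPLETED"]
    overall = max((r.risk for r in completed), key=RISK_LEVELS.index,
                  default=None)
    return {
        "app_sha256": hashlib.sha256(app).hexdigest(),  # identifies the exact package vetted
        "overall_risk": overall,
        "tool_errors": [r.tool for r in reports if r.status != "COMPLETED"],
        "reports": reports,
        "analyst_decision": "PENDING",  # the human, not the tool, decides
    }


def eligible_for_approval(overview: dict, max_accepted_risk: str) -> bool:
    """Policy gate an analyst applies: every tool must have completed and the
    overall risk must not exceed the organization's threshold."""
    if overview["tool_errors"] or overview["overall_risk"] is None:
        return False
    return RISK_LEVELS.index(overview["overall_risk"]) <= RISK_LEVELS.index(max_accepted_risk)


if __name__ == "__main__":
    # Constructed sample "packages"; real input would be an APK/IPA/APPX file.
    for name, pkg in [("clean", b"manifest: INTERNET\n"),
                      ("suspect", b"EICAR-TEST RECORD_AUDIO"),
                      ("empty", b"")]:
        ov = vet_app(pkg, TOOLS)
        print(name, ov["overall_risk"], ov["tool_errors"],
              "eligible" if eligible_for_approval(ov, "MODERATE") else "needs review")
```

The point of keeping tool errors separate from the risk rating is that a tool that never ran reports nothing, and "nothing" must not be read as "LOW"; the overview carries both the worst risk seen and the list of tools whose coverage is missing, and the analyst's policy gate refuses approval until both are acceptable.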
AppVet grew out of work NIST performed for the Defense Advanced Research Projects Agency (DARPA). That work used an early version of AppVet to vet apps before they were deployed on mobile devices for military field use.
Although AppVet can be used by anyone for testing apps, NIST said that it was designed to support organizations that test a large number of apps, such as app stores.
NIST is working with a number of government agencies, including the departments of Homeland Security and Justice, the Defense Information Systems Agency and others, to develop testing requirements and processes to help with mobile app software assurance needs.