Resources

The MDSE project aims to help organizations across business sectors develop a series of clear and repeatable reference mobile architectures that any organization can adapt and adopt to ease design, accelerate deployment, and build in security for their mobility program from the outset. All products incorporated into the reference design will be standards-based and commercially available products.
The U.S. Department of Defense requires all managed mobile applications to meet the NIAP Protection Profile for Application Security Software requirements. The scope of this Protection Profile (PP) is to describe the security functionality of application software in terms of Common Criteria and to define functional and assurance requirements for such software. In recent years, software attacks have shifted from targeting operating systems to targeting applications. This has been the natural response to improvements in operating system security and development processes. As a result, it is paramount that the security of applications be improved to reduce the risk of compromise.
This document outlines a catalogue of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Threats are divided into broad categories, primarily focused upon mobile applications and software, the network stack and associated infrastructure, the mobile device and software supply chain, and the greater mobile ecosystem. Each threat identified is catalogued alongside explanatory and vulnerability information where possible, and alongside applicable mitigation strategies. Background information on mobile systems and their attack surface is provided to assist readers in understanding the threats contained within the Mobile Threat Catalogue (MTC).
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP has published the Mobile Security Testing Guide (MSTG), Mobile App Security Requirements and Verification, and Mobile App Security Checklist documents.
Various use cases for enterprise vetting of mobile apps exist, including in-house developed apps for enterprise use, in-house developed apps for public distribution, commercially developed apps for enterprise use, and commercially developed apps for personal use on enterprise devices. Each of these approaches carries different risks. This report provides guidance to US Government and commercial enterprises alike on how to assess the feasibility of applying automated app vetting tools. Government agencies can contact the authors for a copy of the report.
The study found that the threats to the Federal government’s use of mobile devices—smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem. These threats require a security approach that differs substantially from the protections developed for desktop workstations, largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections, and have evolved independently of desktop architectures. The Department of Homeland Security (DHS) has submitted a report to Congress that details current and emerging threats to the Federal government’s use of mobile devices and recommends security improvements to the mobile device ecosystem. The DHS Science and Technology Directorate (S&T) led the study in coordination with the National Institute of Standards and Technology and its National Cybersecurity Center of Excellence.
The Securing Mobile Applications for First Responders report describes a mobile application (app) pilot testing program designed to serve a public safety purpose. The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Cyber Security Division (CSD), the Association of Public-Safety Communications Officials (APCO) International, and Kryptowire LLC collaborated to identify security vulnerabilities and privacy issues important for public safety users and to recruit app developers to participate in testing and evaluation.
Federal agencies increasingly use mobile devices and mobile applications (apps) to meet their mission and business needs and to improve productivity and efficiency. The ubiquity of mobile apps and the increased reliance on them have a downside, however. Mobile apps pose substantial risk to federal enterprises because of their potential for exploitable vulnerabilities, malicious code, or privacy-violating behaviors, and they should be deployed with care. Even apps from the Google Play or Apple App Stores are not free of these risks. Mobile app vetting solutions can automate security analysis of mobile apps to help enterprises determine whether apps are safe to deploy on mobile devices. It generally takes time, however, to review and act upon the findings from these solutions. Enterprise mobility management (EMM) provides the centralized capability to manage an enterprise’s mobile devices, including provisioning security policies to the devices. Many EMM and mobile app vetting solutions advertise integration capabilities—the mobile app vetting solution can share an inventory of installed apps with the EMM, and the EMM can take action based on app vetting findings...
Mobile applications have become an integral part of our everyday personal and professional lives. As both public and private organizations rely more on mobile applications, securing these applications from vulnerabilities and defects becomes more important. This paper outlines and details a mobile application vetting process. This process can be used to ensure that mobile applications conform to an organization’s security requirements and are reasonably free from vulnerabilities.
Corporate-Owned Personally-Enabled (COPE) mobile devices can bring an increase in employee productivity; however, careful attention must be paid to the way that these devices store and transmit sensitive data. NIST’s National Cybersecurity Center of Excellence (NCCoE) released a cybersecurity practice guide, NIST SP 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE), to help organizations deploy or build in security for their organization-owned mobile devices.
To address the challenge of securing Corporate-Owned Personally-Enabled (COPE) devices within an enterprise, NIST built an example solution in a lab environment at the NCCoE to demonstrate mobile device security tools that enterprises can use to secure their networks. These technologies are configured to protect organizational assets and end user privacy, providing methodologies to enhance the security and privacy of the adopting organization.