Mobile application vetting is the process by which app developers verify that a mobile application complies with a specified security requirement or standard. It is a more specialized form of application vetting, the supply chain security step through which organizations ensure that deployable applications meet their security requirements.
Mobile application vetting should be implemented by organizations that use applications on mobile devices such as smartphones or tablets. Without application vetting, those applications may contain security issues that leave the organization vulnerable to attack. Mobile application vetting lets an organization define its own security requirements and use them as the basis for evaluating the level of security of its mobile applications. These requirements may cover how the data used by an application is secured, what level of risk is acceptable, or the circumstances in which an application may be deployed.
Application testing and approval/rejection are the two main steps that make up mobile application vetting. Before either step, an organization should follow a process of developing and evaluating the security policies against which mobile applications are vetted.
Security Policies and Process
An organization must first construct a policy for mobile security. For example, a security policy could require that mobile devices use a virtual private network (VPN) to connect to the organization's network or to other mobile devices. An organization can construct its own policies or adopt existing ones, such as the NIST Guidelines.
The mobile application vetting process is the sequence of steps that confirms whether or not an application conforms to an organization's security policies. The process includes testing the application in question with app vetting tools, having analysts review the vulnerability reports produced by those tests, and accepting or rejecting the application for deployment based on the results. If an application passes, it can be distributed to the organization's mobile devices.
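The accept-or-reject step described above can be made mechanical once the policy is written down as concrete rules. The following added example (not code from the page, from AppVet or from any other tool) takes a vulnerability report in a constructed JSON shape, applies a constructed organizational policy (per-severity finding limits, a maximum risk score, required security controls and forbidden permissions) and returns a decision that lists every violation, so an analyst reviewing the result sees the full picture rather than only the first failing rule. The policy values, the report format and the app name are assumptions made for illustration.

```python
# Added example: a minimal mobile app vetting decision step.
# The policy, the report format and the sample app are constructed for
# illustration; they are not the output of AppVet, Appium or any real tool.
import json
from dataclasses import dataclass, field

# Hypothetical organizational policy (constructed values).
POLICY = {
    "max_risk_score": 7.0,                               # any single finding above this fails
    "max_findings": {"high": 0, "medium": 2, "low": 10}, # per-severity limits
    "required_controls": {"data_at_rest_encryption", "tls_only"},
    "forbidden_permissions": {"READ_SMS", "RECORD_AUDIO"},
}

# Constructed vulnerability report in the shape an analyst might receive
# from a vetting tool. Findings and scores are invented for the example.
SAMPLE_REPORT = """
{
  "app": "com.example.fieldnotes",
  "version": "2.3.1",
  "platform": "android",
  "controls": ["tls_only"],
  "permissions": ["INTERNET", "CAMERA", "READ_SMS"],
  "findings": [
    {"id": "F-1", "severity": "high",   "score": 8.1, "title": "Cleartext credentials stored in SharedPreferences"},
    {"id": "F-2", "severity": "medium", "score": 5.0, "title": "Exported activity without permission check"},
    {"id": "F-3", "severity": "low",    "score": 2.0, "title": "Verbose logging enabled"}
  ]
}
"""


@dataclass
class Decision:
    app: str
    version: str
    accepted: bool
    reasons: list = field(default_factory=list)


def parse_report(text):
    """Parse the JSON report and reject malformed input before any rule runs."""
    report = json.loads(text)
    for key in ("app", "version", "controls", "permissions", "findings"):
        if key not in report:
            raise ValueError(f"report missing required field: {key}")
    return report


def evaluate(report, policy=POLICY):
    """Apply every policy rule and collect all violations, not just the first."""
    reasons = []

    # Rule 1: number of findings per severity must stay within policy limits.
    counts = {}
    for finding in report["findings"]:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    for severity, limit in policy["max_findings"].items():
        if counts.get(severity, 0) > limit:
            reasons.append(f"{counts[severity]} {severity} finding(s) exceed limit of {limit}")

    # Rule 2: no single finding may exceed the organization's risk threshold.
    for finding in report["findings"]:
        if finding["score"] > policy["max_risk_score"]:
            reasons.append(
                f"{finding['id']} score {finding['score']} exceeds "
                f"{policy['max_risk_score']}: {finding['title']}"
            )

    # Rule 3: every required security control must be present.
    missing = policy["required_controls"] - set(report["controls"])
    if missing:
        reasons.append("missing required controls: " + ", ".join(sorted(missing)))

    # Rule 4: the app must not request any forbidden permission.
    forbidden = policy["forbidden_permissions"] & set(report["permissions"])
    if forbidden:
        reasons.append("requests forbidden permissions: " + ", ".join(sorted(forbidden)))

    return Decision(report["app"], report["version"], not reasons, reasons)


def vet(text, policy=POLICY):
    """Full step: parse the tool's report, then decide accept or reject."""
    return evaluate(parse_report(text), policy)


if __name__ == "__main__":
    decision = vet(SAMPLE_REPORT)
    verdict = "ACCEPTED" if decision.accepted else "REJECTED"
    print(f"{decision.app} {decision.version}: {verdict}")
    for reason in decision.reasons:
        print(" -", reason)
```

Running the block rejects the sample app for four separate reasons (a high-severity finding where none are allowed, a finding scoring above the risk threshold, a missing data-at-rest encryption control, and the READ_SMS permission). Keeping the rules in a plain data structure separate from the evaluation logic is what lets the policy be revised, as the text recommends, without touching the code that applies it.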
Mobile Application Vetting Tools
Mobile application vetting tools help developers add security to their mobile applications and test those applications to verify it.
Red Hat Mobile Application Platform allows developers to create, integrate, deploy and manage mobile apps. The software lets developers encrypt application programming interfaces (APIs), use Node.js to provide an additional layer between mobile devices and back-end systems (which can be secured using VPNs), and manage user authentication (using platform credentials or an LDAP/Active Directory system).
AppVet and the Appium Web tool allow developers to test an application to verify its security. Both tools are open source and can be used to manage and automate the app vetting process. The Appium Web tool allows automated testing of web, native and hybrid apps, and it can test apps on both the iOS and Android operating systems (OSs).