Mobile apps demand collides with security concerns

Mobile apps are embedded in the lives of service members, on and off duty, driving a demand for mission and third-party apps -- and increasing security exposure across government.

Tom Karygiannis, the product VP for Kryptowire, said the company has evaluated the top 100 third-party apps for Apple and Android devices, such as Twitter and Uber, and found that most enterprises use the same 200 or 300 apps -- which can present vulnerabilities.

"We've found apps where we can access their entire Amazon cloud infrastructure, apps that aren't encrypting data in transit, that are exposing [personally identifying information]. This is in the top 100, so these are apps that are well funded and from pretty mature software developers. And we find these all the time," Karygiannis said during a mobile security panel at the Armed Forces Communications and Electronics Association Mobile Tech Summit Nov. 29.

Karygiannis said the company hasn't detected malware during these sweeps but has often found vulnerabilities in new releases and updates.

With consumer tech flooding the workplace from fitness trackers to gym equipment, managing those vulnerabilities and patches could also hinder security efforts.

When asked whether agencies are overwhelmed with Android security patches for unclassified apps that ultimately cause them to fail, DOD's deputy chief information security officer Therese Firmin said those apps need to be evaluated.

"If it turns out that [the patches] are causing applications to break then we need to think about what applications that we're putting on those devices. I would hate to leave them unpatched, I think that introduces other concerns," she said during the event.

That issue persists when dealing with legacy IT as well, she said, and it ultimately becomes a mission call: Is the app vital or is it a liability?

"You need to make a mission as the owner of that Android device. Is the mission that they're doing too important that you need to allow [those apps] to continue to operate? And that's going to have to be a decision that's made. We're trying to encourage senior decision-makers to be aware of the risks so that they know what they're accepting."

DOD is still "trying to get a handle on what the threat is and what the vulnerabilities of the devices are," when it comes to the internet of things, Firmin said, adding that DOD allows FitBits in some locations.  The department is also expanding the Defense Information Systems Agency's Purebred pilot program, which pushes security credentials to Android and iPhone devices, to be the default for newly issued devices.

But an Oct. 6 memo on mobile application security requirements will be the North Star for future application development, allowing users to use their DOD-issued devices "as they would their own personal devices in some sense," Firmin said.

The memo distinguishes between managed applications, supported by DOD, and unmanaged applications, "primarily for personal use, which do not reside on the managed side of the device" and which are "typically obtained from the device's native mobile application store."

The Department of Homeland Security has also seen a growing appetite for mobile apps tuned to mission and worker needs.

Vincent Sritapan, a cybersecurity program manager for DHS' Science and Technology Directorate said requests for commercial-device-ready internal and external applications are in high demand.

"Now we're looking at applications that actually can substitute [those devices] so now I can use a commodity phone to do the same types of features," he told FCW. "Before we couldn't do that, you're talking about the coordination of the cameras, checking in the people coming in and alerting to an application that's there -- and it's available to verify that type of stuff. Before it has been single-purpose devices," think fingerprint readers, "and a lot of it is run on Windows CE from back in the day and we still have them and are still trying to secure them."

But even as DHS and DOD increasingly embrace mobile, device security and traffic will remain top issues.

"We need to know if the applications are vulnerable or have malware of some sort. Endpoint protection should also be a part of that, and we don't have that today as a requirement in government. We have it for a laptop but not for the phone," Sritapan said.

"And then there are other things like what do we do about network traffic on mobile devices? On our laptops, we're required to have all data go through the TIC, the trusted internet connection -- that's a requirement. But for mobile we don't necessarily have that or see that. If we tried to capture all mobile traffic and put it through the TIC, the TIC would die. It can't handle the sheer bandwidth of it. Whether it's the architecture that needs to change, we need to figure that out," he said.