Government Mobile Apps Security Assessment & Strategy

Introduction

The Federal Government sponsors numerous mobile applications that can improve the quality of daily lives by providing relevant and valuable information. These apps provide a wide variety of information that can be used in different situations in one’s life. These applications are valued for the high reliability of included information and privacy protection.

There are at least five examples of mobile applications that can bring important information provided by the government to any smartphone. For instance, Smart Traveler, the official State Department app for US travelers, provides frequently updated official country information, travel advisories, and US embassy locations (USA Government, 2016). Food Keeper is another valuable application created by the US Department of Agriculture, which helps to find resources on food safety, provide information on when food is at its peak quality, and even give food preparation tips (WAEPA, 2019). FEMA application can also be useful for many citizens, as it provides valuable information about the response to disaster and survival tips (WAEPA, 2019). IRS2GO is a crucial application during the tax season, as it helps to check refund statuses, make payments, and receive tax preparation assistance (USA Government, 2016).

It is also crucial to mention that the government attempted to use mobile applications to address the COVID-19 pandemic. One of the best attempts to address the pandemic was a contact tracing application named Combat COVID Mobile App. This application was awarded the title of the Best Government Mobile Application (Mobile Web Awards, 2021). Unlike other contact tracing applications, Combat COVID did not use any personal or GPS data, which allowed the application to score high in terms of data protection (Mobile Web Awards, 2021). The security concerns did not limit the usefulness of the application, which made Combat COVID Mobile App a perfect example of contact tracing application design.

Government’s Requirements and Recommendations for Mobile App Security

Mobile application security is a crucial matter in today’s world of increased smartphone use. A security breach in mobile applications may lead to a disclosure of baking information, current location, and personal information (Basatwar, 2020). Additionally, breaches in mobile applications may lead to hackers receiving full information about the personal life of the phone owner in real-time (Basatwar, 2020). Therefore, the Federal Government has developed a mobile security reference architecture (MSRA). The purpose of MSRA is to provide guidance to Federal agencies implementing mobile security (Federal CIO Council, 2013). The framework is visualized in Figure 1 below.

This architecture serves as the baseline to create policies that help to implement mobile security infrastructures. However, the architecture may be modified to address the risks of every agency. Apart from developing the architecture for data security purposes, the government also provides a list of security recommendations that can be used when developing mobile applications. An adapted list of recommendations is provided below (Federal Trade Commission, 2017):

1. Appoint a responsible employee. At least one person in the team needs to have personal responsibility for security at all stages of the development process.
2. Be aware of the data retained. It is crucial to assess the collected data for its usefulness and delete all the unnecessary information as soon as possible.
3. Acknowledge the benefits and drawbacks of platforms. The peculiarities of every platform should be researched, and optimal configurations need to be used.
4. Do not reply entirely on the platform. Even though platforms provide useful security features, additional measures are required to maximize the effectiveness of data protection.
5. Generate secure credentials. If the application generates usernames and/or passwords, best practices need to be utilized to generate them securely.
6. Never store passwords in plain text. The iterated cryptographic hash function should be used for password storage.
7. Use transit encryption. Whenever the application needs to transfer sensitive information using the internet, the data needs to be encrypted.
8. Don’t trust third-party code. Whenever third-party code is used, it should be checked with due diligence to avoid security problems.
9. Protect the data on users’ devices. If the application stores sensitive information on users’ phones, it should be protected or encrypted.
10. Protect the servers. Implement the needed practices to protect the designated servers used for communication with the application or assess the practices utilized by cloud providers.
11. Continue security assessment after the release. Be sure to communicate with users after the application is released and make necessary security updates, as new vulnerabilities may be found frequently.
12. Ensure that all the relevant standards are enforced. If the application deals with financial data, health data, or kids’ data, the application needs to be guided by principles described in children privacy legislations, Gramm-Leach-Bliley Act, HIPAA Security Rule, and Health Breach Notification Rule.

The twelve recommendations provided above can be visualized in a step-by-step diagram provided below.

Among common security threats, web threats are growing in concern for mobile devices. The three central threats are mobile code, drive-by downloads, and exploitation of vulnerable browsers. The mobile code threats can be mitigated by selecting the most resistant platforms and operating systems and disabling JavaScript (CIO Council, 2013). Drive-by downloads can be mitigated using certificates, tokens, or other means of signature checks (CIO Council, 2013). Finally, browser vulnerability can be addressed by enforcing policies that require the user to use the latest browser (CIO Council, 2013). All the web-based threats are visualized in Figure 3 below.

Industry’s Recommendations for Security Architectures and Risk Reduction

While the government provides valuable reformations for mobile application security, non-government organizations have also contributed to the development of security standards. One of the most famous is the OWASP Mobile Security Project, which is designed “to give developers and security teams the resources they need to build and maintain secure mobile applications” (OWASP, n.d., para. 1). The project provides a wide variety of resources, including Mobile Security Testing Guide, Mobile Application Security Verification Standard, and Mobile Security Checklist. One of the most valuable pieces of information provided by the project is the list of top ten mobile risks. The most recent list of risks includes improper platform usage, insecure data storage, insecure communication, insecure authentication, insufficient cryptography, insecure authorization, client code quality, code tampering, reverse engineering, and extraneous functionality (OWASP, 2016). Thus, it is recommended to assess the risks of a mobile application by addressing the risks in the order of their importance, according to Figure 4 below.

One of the most useful and easy-to-understand tools provided by the OWASP (n.d.) is a checklist for mobile application security. The checklist is adapted for every mobile OS and includes more than 70 items that should be checked before the app is to be released. The checklist is subdivided into seven sections, demonstrated in Figure 5 below.

Gallagher (2013) also provides a series of recommendations to improve the security of mobile applications. In particular, Gallagher (2013) recommends being patient when developing a mobile application and considering all the security concerns before marketing the application. Additionally, it is suggested that the client application does minimum processing, as the client is the most vulnerable party (Gallagher, 2013). Finally, it is recommended to use a reliable authentication flow that ensures that no transactions are recorded and re-sent later (Gallagher, 2013). An excellent example of such authentication flow is OAuth 2.0, which is visualized in Figure 6 below.

Recommendations for Risk Reduction in Government Mobile Applications

The analysis of best practices and frameworks provided by the government and industry leaders led to a list of five recommendations that can help to improve the security of mobile government applications.

1. The development team needs to have a designated security officer responsible for all the security flaws in the application. The security officer should be required to ensure that security is considered on all steps of development and the application is not marketed unless the officer recommends doing so.
2. All the possible risks should be tested and retested according to the top ten risks of mobile security provided in Figure 4.
3. The application should be marketed after the checklist provided by OWASP (2020) is completed with satisfactory results on all seven aspects.
4. The processing on the client-side should be minimized, as it is the least controlled part of the information flow.
5. The authentication flow should follow the OAuth 2.0 or later versions.

Summary

The present paper demonstrated that the federal government often uses mobile applications to share information with citizens. However, mobile applications are extremely vulnerable to security breaches. Thus, both government and non-government agencies create frameworks and provide recommendations for improving the security of mobile applications. The present paper provided an overview of such recommendations and generated a list of five central strategies that can help to address possible problems with confidentiality, integrity, availability, authenticity, and non-repudiation of mobile applications.

References

Basatwar, G. (2020). Mobile App Security: A Comprehensive Guide to Secure Your Apps. Appealing.

Gallagher, S. (2013). Mobile app security: Always keep the back door locked. ArsTechnica.

Federal CIO Council. (2013). Mobile Security Reference Architecture. 

Federal Trade Commission. (2017). App developers: Start with Security. 

Mobile Web Awards. (2021). The best government mobile awards! 

OWASP. (2016). OWASP Mobile Top 10.

OWASP. (2020). OWASP Mobile security checklist. Web.

OWASP. (n.d.). OWASP Mobile Security Project. 

US Government. (2016). Discover six of the government’s best mobile apps. PR Newswire.

WAEPA. (2019). 7 essential mobile apps for federal employees.