New NIST Tool Streamlines Government App Vetting

Developers who produce apps intended for use on internal networks at government agencies are getting a vetting process of their own called AppVet.

Apple and Google put developers’ apps through a relatively rigorous screening process before they make their way into their respective app stores. Now developers who produce apps intended for use on internal networks at government agencies can get a vetting process of their own.

The National Institute of Standards and Technology put out a new tool this week, AppVet, designed to help developers inspect mobile apps to ensure they’re safe, approved for and compatible with government networks.

Developers at NIST’s Computer Security Resource Center crafted the free tool – released Monday – to give IT groups the ability to submit and test apps and assess their risk. The project stems from work NIST was previously doing for the Defense Advanced Research Projects Agency (DARPA) to help vet apps before they were deployed on mobile devices for military field use.

“AppVet aims to simplify the complexity of manually testing apps through multiple test tools,” Steve Quirolgico, a NIST computer scientist in charge of developing AppVet, said this week.

Developers upload their apps through a web interface. Each app is then registered and its metadata extracted and checked against the specific requirements of the hosting organization. After this step, called pre-processing, the app is sent to a series of tools for testing and evaluation.

While AppVet doesn’t contain the actual testing tools – it relies on existing third party vendors for that – it does serve as a facilitator. Upon completion, AppVet delivers clients a report and risk assessment of the app.

AppVet doesn’t technically accept or reject applications, but it does classify them with a PASS, WARNING or FAIL risk assessment based on the responses returned by the testing tools.

According to a 40-page write-up of the tool, AppVet can leverage multiple third-party applications and tools, such as antivirus software, analyzers and vulnerability repositories, to carry out its tests. AppVet communicates with these tools over a REST API: the standard HTTP operations (GET, POST, PUT and DELETE) are used to submit apps to a tool and to retrieve the tool’s reports and assessments.
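The pipeline described above (pre-processing against the hosting organization’s requirements, a REST-style exchange with each testing tool, and a PASS/WARNING/FAIL roll-up) is sketched below as an added illustration. It is not AppVet’s own code, and the endpoint paths, report schema, policy fields and worst-status roll-up rule are assumptions made for the example; the two “tools” are constructed stand-ins for an antivirus scanner and a static analyzer.

```python
"""Hypothetical model of an AppVet-style vetting pipeline (added illustration).

Endpoint paths, report schema and the roll-up rule are assumptions for this
example, not AppVet's real API.
"""
import hashlib
import json

# Hosting organization's requirements (constructed policy).
ORG_POLICY = {
    "allowed_package_prefixes": ("gov.example.",),
    "min_sdk": 21,
    "forbidden_permissions": {"android.permission.SEND_SMS"},
}

def preprocess(app):
    """Check extracted metadata against ORG_POLICY; empty list means proceed."""
    meta = app["metadata"]
    problems = []
    if not meta["package"].startswith(ORG_POLICY["allowed_package_prefixes"]):
        problems.append(f"package {meta['package']} outside approved namespace")
    if meta["min_sdk"] < ORG_POLICY["min_sdk"]:
        problems.append(f"minSdk {meta['min_sdk']} below required {ORG_POLICY['min_sdk']}")
    bad = set(meta["permissions"]) & ORG_POLICY["forbidden_permissions"]
    if bad:
        problems.append("forbidden permissions: " + ", ".join(sorted(bad)))
    return problems

class MockToolService:
    """Stand-in for a third-party tool: POST /apps, then GET /apps/<id>/report."""
    def __init__(self, name, analyze):
        self.name, self.analyze, self.store = name, analyze, {}

    def handle(self, method, path, body=None):
        if method == "POST" and path == "/apps":
            app = json.loads(body)
            app_id = hashlib.sha256(app["binary"].encode()).hexdigest()[:12]
            self.store[app_id] = self.analyze(app)
            return 201, json.dumps({"id": app_id})
        if method == "GET" and path.startswith("/apps/") and path.endswith("/report"):
            app_id = path.split("/")[2]
            if app_id in self.store:
                return 200, json.dumps({"tool": self.name, **self.store[app_id]})
        return 404, json.dumps({"error": "not found"})

# Constructed analyzers: a hash-matching "antivirus" and a permission-checking "analyzer".
KNOWN_BAD_SHA256 = hashlib.sha256(b"malicious-sample").hexdigest()   # constructed signature

def antivirus(app):
    if hashlib.sha256(app["binary"].encode()).hexdigest() == KNOWN_BAD_SHA256:
        return {"status": "FAIL", "findings": ["matches known-bad sample"]}
    return {"status": "PASS", "findings": []}

def static_analyzer(app):
    sensitive = [p for p in app["metadata"]["permissions"] if "LOCATION" in p]
    return {"status": "WARNING" if sensitive else "PASS",
            "findings": [f"uses sensitive permission {p}" for p in sensitive]}

SEVERITY = {"PASS": 0, "WARNING": 1, "FAIL": 2}

def run_tools(app, services):
    """AppVet side of the exchange: submit the app, then fetch each tool's report."""
    reports = []
    for svc in services:
        code, body = svc.handle("POST", "/apps", json.dumps(app))
        app_id = json.loads(body)["id"]
        code, body = svc.handle("GET", f"/apps/{app_id}/report")
        # Assumption: a tool that returns no report counts as a WARNING, not a PASS.
        reports.append(json.loads(body) if code == 200
                       else {"tool": svc.name, "status": "WARNING", "findings": ["no report"]})
    return reports

def assess(reports):
    """Assumed roll-up: the overall risk is the worst status any tool returned."""
    return max((r["status"] for r in reports), key=SEVERITY.__getitem__, default="PASS")

def vet(app, services):
    problems = preprocess(app)
    if problems:
        return {"status": "FAIL", "stage": "pre-processing", "findings": problems}
    reports = run_tools(app, services)
    return {"status": assess(reports), "stage": "testing", "reports": reports}

SERVICES = [MockToolService("av", antivirus), MockToolService("sast", static_analyzer)]

# Constructed sample submissions; "binary" stands in for the uploaded package bytes.
CLEAN_APP = {"binary": "gov-app-build-42",
             "metadata": {"package": "gov.example.fieldnotes", "min_sdk": 23,
                          "permissions": ["android.permission.ACCESS_FINE_LOCATION"]}}
BAD_APP = {"binary": "malicious-sample",
           "metadata": {"package": "gov.example.weather", "min_sdk": 23, "permissions": []}}
OFF_POLICY_APP = {"binary": "vendor-build",
                  "metadata": {"package": "com.vendor.sms", "min_sdk": 19,
                               "permissions": ["android.permission.SEND_SMS"]}}

if __name__ == "__main__":
    for name, app in [("clean", CLEAN_APP), ("bad", BAD_APP), ("off-policy", OFF_POLICY_APP)]:
        print(name, json.dumps(vet(app, SERVICES), indent=1))
```

The point of the shape is that AppVet itself never analyzes anything: each tool sits behind the same small REST contract, and the facilitator only gates on pre-processing, drives the exchange and aggregates. An app that fails the organization’s requirements never reaches the tools, and the worst tool verdict decides the overall classification.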

Quirolgico wrote the documentation (.PDF) for version 1.0 of AppVet alongside fellow computer scientist Jeffrey Voas, and Tom Karygiannis, a senior mobile security researcher, both also with NIST.

While the institute is already working with the Departments of Homeland Security and Justice and the Defense Information Systems Agency on developing testing requirements, the developers are hoping other app developers and analysts will upload their applications and integration environments.

The open source tool is web-based, but any interested parties can also download its source code distribution from Quirolgico’s GitHub repository.
