The SAMATE Project

Mobile Application Tool Testing

Introduction

Mobile applications play an important role in today's business and government, and they are becoming ever more entrenched in our personal daily lives. Mobile applications differ from the traditional world of computing not only because they are 'always on' but also because they are 'always on us.' Whether they are accessing our bank accounts or using a GPS location to find a nearby restaurant, their unprecedented access to data greatly affects our lives. Vulnerabilities in mobile applications stand to expose, damage, or destroy this vital data. The Mobile Application Tool Testing project seeks to understand and evaluate tools and services that identify vulnerabilities in mobile applications.

Project Motivation

As mobile applications increase in use in the public and private sectors, processes for evaluating mobile applications for software vulnerabilities are becoming more commonplace. NIST defines the workflow for this process in NIST SP 800-163, Vetting the Security of Mobile Applications.

The mobile application vetting process

A key part of this process relies on the quality of the tools being used to detect vulnerabilities. This project seeks to further the state of these technologies by studying their capabilities and competencies.

Mobile Applications and Public Safety

In 2012, the US Government established the First Responder Network Authority (FirstNet), with the goal of establishing and maintaining the nation's first public safety broadband network. FirstNet began its network roll-out in 2017. FirstNet will foster the adoption of mobile applications for use by public safety officials. These applications will have higher requirements for security than applications utilized by the general public. The Mobile Application Tool Testing project works closely with another NIST research group, Public Safety Communications Research (PSCR), to identify how mobile application vetting technologies can be used to help secure public safety mobile applications.

Project Publications

Mobile Application Security Exercise (MASE): Final Report

The goal of the Mobile Application Security Exercise (MASE) Project is to gain a better understanding of the state-of-the-art in mobile application vetting tools. To achieve this goal, the following activities were undertaken:
  • Identify a list of mobile application vetting service features (capabilities) that can be used to describe the analysis capabilities of vetting services.
  • Perform a preliminary and informal analysis of the mobile application analysis conducted by participating tools to gain a better understanding of the uniformity and/or cohesiveness of mobile application vetting service features among the participants.
A process diagram describing the MASE

Relevant Resources