Tuesday, January 25th, 2022

Pilot project fixes cybersecurity vulnerabilities in first responder mobile apps


The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) recently announced that a pilot project it launched remediated potential cybersecurity vulnerabilities in mobile applications used by public-safety professionals.

The pilot testing project, titled “Securing Mobile Applications for First Responders,” involved the Homeland Security Advanced Research Project Agency’s Cyber Security Division, S&T’s First Responder Group (FRG), the Association of Public-Safety Communications Officials (APCO) and Kryptowire, LLC, the developer of a mobile app-vetting platform that was funded by S&T.

The project aimed to improve the security of apps used by first responders and determine the need for a model for testing the security of public-safety apps. It sought to determine how vulnerable the selected apps are to cyberattacks and to identify any coding vulnerabilities that could impact the device’s security, expose personal data or enable eavesdropping.

“This pilot project illustrates the efficacy, benefits, and value an ongoing app-testing program will provide to the public-safety community and the nation,” Vincent Sritapan, S&T’s program manager for Mobile Security Research and Development, said. “During the testing phase, numerous cyber vulnerabilities were identified and remediated. This model can be used to ensure all apps used by the public-safety professionals are secured against cyberattacks and other security and privacy weaknesses.”

The pilot included 33 apps, with iOS and Android versions counted separately, created by 20 developers and offered through AppComm. The study took place over three months.

The project discovered security and privacy concerns in 32 of the 33 apps. Eighteen apps had “critical” flaws, such as hard-coded credentials stored in binary and vulnerability to “man-in-the-middle” attacks.

Project leaders worked with the apps’ developers to fix the identified vulnerabilities. Ten developers have so far successfully remediated their apps, and security and privacy concerns regarding 14 mobile apps were addressed.

Most developers who fixed the identified vulnerabilities in their app reported spending approximately one hour on remediation. Remediation steps included enabling built-in security provided by the operating system and removing old or unused code.

“As more apps are adopted for public-safety missions, it is critical that a formal, ongoing app-evaluation process with incentives for developer participation be adopted to ensure current and new mobile apps are free of vulnerabilities,” John Merrill, director of the S&T FRG Next Generation First Responder Apex program, said.