Thanks to a pilot project run by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T), numerous cybersecurity vulnerabilities discovered in mobile apps used by first responders have been patched.
In emergency and disaster situations, mobile devices and apps enable public-safety professionals to receive and share critical information in real time. The department’s S&T Directorate established the pilot project in order to test how vulnerable smartphone apps used in the public safety sector are to cyberattack, including ransomware and spyware, and whether certain apps have coding vulnerabilities that could compromise device security, expose sensitive data, or allow for spying.
The pilot-testing project discovered potential security and privacy concerns — such as access to the device camera, contacts or SMS messages — in 32 of 33 popular apps that were tested. In all, 18 apps were discovered to have critical flaws such as hard-coded credentials stored in binary, issues with handling Secure Sockets Layer certificates or susceptibility to “man-in-the-middle” attacks.
“This pilot project illustrates the efficacy, benefits and value an ongoing app-testing program will provide to the public-safety community and the nation,” says Vincent Sritapan, S&T’s program manager for mobile security research and development. “During the testing phase, numerous cyber vulnerabilities were identified and remediated. This model can be used to ensure all apps used by the public-safety professionals are secured against cyberattacks and other security and privacy weaknesses.”
More about the pilot program:
The Securing Mobile Applications for First Responders report describes a mobile application (app) pilot testing program designed to serve a public safety purpose. The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Cyber Security Division (CSD), the Association of Public-Safety Communications Officials (APCO) International, and Kryptowire LLC, a CSD performer, collaborated to identify security vulnerabilities and privacy issues important for public safety users and to recruit app developers to participate in testing and evaluation. This report describes findings from the testing, feedback from the developers who participated in the pilot, technical and program-level lessons learned, and recommended next steps.
For this pilot, S&T provided the funding and technical support through its funded research with Kryptowire. APCO selected a set of apps for testing; Kryptowire provided access to its testing platform, which was integrated with AppComm to streamline the testing process; and Kryptowire tested the apps based on security criteria identified by the pilot partners. To learn more about the S&T mobile app security project, visit https://www.dhs.gov/science-and-technology/csd-mobile-app-security.