DHS Helps Secure First Responder Apps
A pilot project identifies vulnerabilities in public-safety apps.
A Department of Homeland Security Science and Technology pilot project helped identify vulnerabilities in, and then secure, a variety of mobile apps used by first responders.
The project, Securing Mobile Applications for First Responders, found potential security and privacy concerns, such as access to the device camera, contacts or Short Message Service (SMS) messages, in 32 of the 33 popular apps tested. Eighteen of the apps had critical flaws such as hard-coded credentials stored in the app binary, improper handling of Secure Sockets Layer (SSL) certificates, or susceptibility to "man-in-the-middle" attacks (an app that does not validate the server's certificate lets anyone on the network path read or alter its traffic).
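To make two of those finding classes concrete, the following is an added illustration and is not code from the article, from the pilot, or from Kryptowire's platform. It runs two simple checks of the kind an app-vetting pipeline performs: a `strings`-style sweep of a binary for credential-shaped text (the regular expressions, the sample byte blob and the key value in it are constructed for this example and are not real secrets), and a test of whether a TLS client configuration actually validates the server certificate and hostname, shown with the weak setting beside the hardened one.

```python
import re
import ssl

# Constructed stand-in for an app binary: printable runs mixed with
# non-printable bytes. Not a real application; the values are not real
# secrets (the AKIA... value is the format used in AWS documentation examples).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00"
    b"https://api.example.invalid/v1/alerts\x00\x00"
    b"\x01\x02\x03"
    b"api_key=0123456789abcdef0123\x00"
    b"\x00\xff\xfe"
    b"AKIAIOSFODNN7EXAMPLE\x00"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\x00"
    b"\x90\x90\x90"
    b"Dispatch console ready\x00"
)

# Hypothetical detection patterns for this example. A capture group, where
# present, isolates the secret value; otherwise the whole match is reported.
CREDENTIAL_PATTERNS = {
    "key=value secret": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Basic auth is only base64, not encryption: the header is the credential.
    "HTTP Basic auth header": re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/]+=*)"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(blob)]


def find_hardcoded_credentials(blob: bytes) -> list[tuple[str, str]]:
    """Sweep the binary's strings and report (pattern name, matched value) pairs."""
    findings = []
    for text in extract_strings(blob):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append((name, m.group(m.lastindex or 0)))
    return findings


def tls_context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the certificate chain AND the hostname.

    Either one alone is insufficient: a chain check without a hostname check
    accepts any valid certificate, including one issued to the attacker.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def weak_context() -> ssl.SSLContext:
    """The pattern behind 'accepts any certificate' findings.

    Developers often disable verification to make a self-signed test server
    work and ship it that way; any on-path attacker can then intercept traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Default context: CERT_REQUIRED, hostname checking, system trust store."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for name, value in find_hardcoded_credentials(SAMPLE_BINARY):
        print(f"[credential] {name}: {value}")
    print("weak context verifies peer:    ", tls_context_verifies_peer(weak_context()))
    print("hardened context verifies peer:", tls_context_verifies_peer(hardened_context()))
```

The string sweep deliberately flags the Basic auth header as well as the obvious `api_key=` line, because base64 hides nothing from anyone who can read the binary. The TLS check is the test to run against whatever context or HTTP client configuration an app actually uses; a context that returns False here is exactly the kind that produces a man-in-the-middle finding.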
Pilot project leaders worked with each app developer to remediate the identified vulnerabilities. So far, 10 developers have successfully remediated their apps, addressing the security and privacy concerns in 14 of the mobile apps.
The project was a joint effort by the Homeland Security Advanced Research Projects Agency's Cyber Security Division, the Science and Technology (S&T) Directorate's First Responder Group, the Association of Public-Safety Communications Officials (APCO) and Kryptowire LLC, the developer of a leading mobile app-vetting platform funded by S&T.
The project's dual goals were to improve mobile app security for the public safety community and to determine whether a sustainable model is needed for testing the security and privacy protections of public safety apps. To these ends, the pilot sought to determine the degree to which the selected public safety apps were vulnerable to cyber attacks (malware, ransomware and spyware) or contained coding vulnerabilities that could compromise the device's security, expose personal data or allow eavesdropping.
For the study, APCO selected 33 popular apps (iOS and Android versions counted separately) from 20 developers that are offered through AppComm, its public safety application directory. The pilot was conducted over three months using Kryptowire's mobile app software testing platform, integrated into APCO's AppComm website. The testing scrutinized each app's security and privacy behavior and the device information and resources it accessed.