DHS Targets Mobile Security Innovations
Aiming to accelerate the U.S. government’s use of secure mobile technologies, the Cyber Security Division (CSD) in the Department of Homeland Security (DHS) is pursuing several research and development (R&D) projects, among other efforts, that focus on two main areas: mobile device security and mobile application security. The following projects and their vendors are working to improve device security:
San Antonio-based Def-Logix is preparing a Trusted User Module (TUM) that will provide software-based root-of-trust technology for mobile devices. TUM will secure multiple devices with a single sign-on from a wearable device using smart card-type security, encryption, multifactor authentication, access control and identity management, the DHS reports. “By leveraging this technology, a device can produce and use cryptography services and keys available only to that unique device,” states the DHS’ Mobile Security R&D Program Guide, Volume 2.
Reston, Virginia-based Intelligent Waves LLC is readying infrastructure that makes sensitive applications and data available on mobile devices virtually while maintaining appropriate security controls for the data on back-end servers, according to the DHS. Through “a virtual mobile smartphone that runs in a secure data center, users can rely on a simple thin-client mobile app to connect and stream data to the screen of the secure virtual smartphone,” according to the R&D program guide. The company is working to deploy the technology at production scale across government agencies.
Along with other technology partners, Metronome Software LLC, Laguna Hills, California, is creating the SENsor Secure Enterprise Infrastructure system, known as SENSEI, which will offer a complete security overlay for mobile and Internet of Things (IoT) devices and their applications. SENSEI employs a mobile device validation and profiling technology and combines that with application vetting and enterprise mobile device management (MDM) software. End users upload applications to SENSEI, which scans for exploitable vulnerabilities, the R&D guide says. Vetted applications are further security wrapped by the MDM before deployment, then all devices and wrapped applications are actively monitored and managed, the department reports.
A persistent implant finder that will give more visibility into the code running on mobile devices and help find malware embedded in a device’s firmware is being created by New York City’s Red Balloon Security Inc. The finder will use the company’s Firmware Reverse Analysis Konsole, called FRAK, which is a firmware manipulation framework that automates unpacking, modifying, analyzing and repacking firmware. The company is proving its capability to find malicious implants; it will then integrate and scale the technology into a comprehensive firmware analysis tool that generates detailed security posture reports, according to the DHS.
The University of Illinois and Kryptowire, Fairfax, Virginia, are developing an automated system for the detection of cyber threats in mobile applications, the IoT, embedded systems and critical infrastructure technologies. The framework will allow analysts to automatically determine possible threat vectors. It will apply to personally identifiable information, software backdoors, inconsistent validation checks, ineffective security checks and debugging modes for mobile operating systems.
To improve security across the application development life cycle, the CSD has several projects centering on mobile application security R&D.
Ashburn, Virginia-based Apcerto is creating an orchestration platform and correlation capability for mobile software assurance tools using the company’s Mobile Application Risk Rating Framework, developed at MIT Lincoln Laboratory under Defense Information Systems Agency (DISA) funding. Harnessing machine learning, the platform employs a Bayesian risk-detection algorithm for selective creation of logical groupings of attack vectors to assign an aggregated risk score, according to the DHS.
For mobile applications on iOS and Android devices, Lookout Inc. of San Francisco is developing new threat, risk, and vulnerability detection and protection capabilities. “These enhancements will strengthen the ability of government and enterprise to securely enable the use of mobile technologies for mission-critical activities,” the R&D guide states. The company also is developing a localized remediation solution to control a network connection if a threat is detected. The solution can deny access to corporate resources, lock applications or block all network traffic.
Using Microsoft’s Xamarin platform, Progeny Systems of Manassas, Virginia, is helping to develop the Android Security Toolkit, a secure mobile application framework that the DHS and other federal agencies can use for application development and operations. It will allow government agencies to write cross-platform, native mobile applications from a single code base for Apple, Android and Microsoft operating systems. Using Samsung KNOX, Progeny also developed a security-hardened, Security Technical Implementation Guide-compliant methodology for Samsung Android devices and is working to expand its use to iOS devices, according to the R&D program guide.
Kryptowire and Raleigh, North Carolina-based Red Hat Inc. are working to integrate into the mobile application development life cycle a code-scanning technology that will enforce end-to-end security. The companies will develop new capabilities, extend the Red Hat Mobile Application Platform and use Kryptowire’s mobile application information assurance software testing for iOS and Android platforms, the DHS indicates. The technology will be the first integrated commercial offering that enforces an end-to-end security model in the mobile application life cycle, according to the department.
San Diego’s Qualcomm Technologies Inc. is working on hardware-anchored continuous validation and threat protection of mobile applications. In a pilot program, the company will demonstrate the use of a hardware-anchored Mission-Critical-Grade Security Layer, an advance from using high-level operating system-based security, which is more vulnerable to attacks. The DHS will leverage Qualcomm’s Snapdragon Security Platform and other commercial capabilities to create a military-grade mobile application security-testing platform.
United Technologies Research Corp. in East Hartford, Connecticut, is providing a mobile application security system known as COMBAT (COntinuous Monitoring of Behavior to Protect Devices from Evolving Mobile Application Threats). Using artificial intelligence, COMBAT will detect malicious and vulnerable applications and prevent unauthorized access to sensitive information on mobile devices as well as produce detailed risk-assessment reports, the DHS indicates.
CSD also is pursuing additional R&D projects, announced after publication of this article in SIGNAL.