What is AppVet?
AppVet is a web-based application for managing an app vetting workflow.
AppVet helps decision-makers approve or reject apps based on
risk assessments from multiple tools.
Is there a NIST AppVet service where I can submit my app for testing?
No. NIST does not maintain an operational AppVet service.
Does NIST accredit or approve apps?
No. NIST does not accredit or approve apps.
What analytic capability does AppVet provide?
The power of AppVet lies in its ability to easily integrate tools to
provide tailored analytic capability. AppVet itself provides little
AppVet comes with one adapter for an example NIST tool service that verifies
the certificate of an Android app.
AppVet supports easy integration of tools by providing simple API specifications
and requirements including REST API requirements for tools. To facilitate
tool integration, AppVet requires that tools be available as online services.
For example, suppose that you want to use the Java jarsigner tool to verify
the certificate of Android apps. First, you create an online service using
PHP, a Java servlet, etc. to "wrap" the jarsigner tool. After your service is
set up and running, you create a tool adapter that AppVet uses to connect to
your tool service. A tool adapter is a simple XML file that tells AppVet how
to connect to your tool service. The tool adapter for this jarsigner example
ships with AppVet, and the source code for the jarsigner tool service example
is also available. This example code can be easily modified to integrate
just about any tool with AppVet.
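As an added illustration of the wrapping step described above (example code, not AppVet's own tool service or adapter), here is a minimal Python service that runs jarsigner -verify on a submitted APK and maps jarsigner's output to the PASS/WARNING/FAIL categories AppVet expects from a tool. The HTTP contract (raw APK bytes in the POST body, category returned as plain text), the listen address, the size cap and the output-to-category thresholds are this example's assumptions; AppVet's actual tool-service REST API is not reproduced here.

```python
import os
import subprocess
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# The three risk categories AppVet requires a tool to report.
PASS, WARNING, FAIL = "PASS", "WARNING", "FAIL"

# Assumption: cap the request so a client cannot fill the disk via the temp file.
MAX_APK_BYTES = 200 * 1024 * 1024


def classify_jarsigner_output(output: str, returncode: int = 0) -> str:
    """Map the text jarsigner -verify printed to an AppVet risk category.

    jarsigner prints 'jar verified.' when every signed entry checks out,
    'jar is unsigned.' when there is no signature, exits non-zero on a digest
    mismatch (tampered entry), and appends 'Warning:' lines when the signature
    verified but the certificate is self-signed, expired or chain-invalid, or
    some entries are unsigned. The thresholds below are this example's policy.
    """
    text = output.lower()
    if returncode != 0 or "jar verified" not in text:
        return FAIL          # unsigned, tampered, or jarsigner itself failed
    if "warning" in text or "unsigned" in text:
        return WARNING       # signed, but the certificate needs a human look
    return PASS


def run_jarsigner(apk_path: str, timeout: int = 60) -> tuple:
    """Invoke jarsigner (needs a JDK on PATH); returns (combined output, exit code)."""
    proc = subprocess.run(
        ["jarsigner", "-verify", "-verbose", "-certs", apk_path],
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return proc.stdout + proc.stderr, proc.returncode


def verify_apk_bytes(apk: bytes) -> str:
    """Write the APK to a temp file, run jarsigner on it, and always clean up."""
    fd, path = tempfile.mkstemp(suffix=".apk")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(apk)
        output, rc = run_jarsigner(path)
    finally:
        os.unlink(path)
    return classify_jarsigner_output(output, rc)


class ToolServiceHandler(BaseHTTPRequestHandler):
    """Assumed contract: POST body is the raw APK, response body is the category."""

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0") or 0)
        except ValueError:
            self.send_error(400, "bad Content-Length")
            return
        if length <= 0 or length > MAX_APK_BYTES:
            self.send_error(413, "APK missing or too large")
            return
        category = verify_apk_bytes(self.rfile.read(length))
        body = category.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumption: listen on localhost only; TLS and authentication go in front.
    HTTPServer(("127.0.0.1", 8080), ToolServiceHandler).serve_forever()
```

The mapping function is kept separate from the subprocess call so it can be exercised on captured jarsigner output without a JDK present; in a real deployment the adapter XML would point AppVet at this service's URL, and the service would report the category back to AppVet rather than only returning it to the caller.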
Does AppVet provide a GUI for creating tool service
AppVet will support this capability in the near future.
Does AppVet support iOS, Windows Mobile, etc.?
AppVet can support apps from different platforms so long as there are
tools available to analyze those apps. Currently, however, a single
AppVet deployment can only handle one mobile platform at a time. The
capability to support multiple platforms from a single AppVet system
will likely be available in a future version of AppVet.
The risk assessment of an app by a tool is determined by the vendor or
developer of the tool. It is strongly recommended that vendors and tool
developers adopt a standardized approach such as the Common Vulnerability
Scoring System (CVSS) to derive risk assessments. AppVet requires that each
tool's risk assessment be mapped to one of three categories: PASS (low-risk),
WARNING (moderate-risk), and FAIL (high-risk).
How does AppVet derive an overall risk assessment for an app?
AppVet takes a simple approach to deriving an app's risk assessment
based on the risk assessments from multiple tools. If an app receives
low-risk assessments from all tools, then AppVet assigns an overall risk
assessment of PASS (low-risk). If an app receives a high-risk assessment
from at least one tool, then AppVet assigns an overall risk assessment
of FAIL (high-risk). If an app receives a moderate-risk assessment from
at least one tool, but does not receive any high-risk assessments,
AppVet assigns an overall risk assessment of WARNING (moderate-risk).
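To make the two steps above concrete (a tool mapping its own findings to the three categories, then AppVet combining the tools' categories), here is an added Python example that is not AppVet's code. It maps each tool's CVSS base scores to PASS/WARNING/FAIL and then applies the overall-risk rule the FAQ states. The CVSS cut-offs (4.0 and 7.0, taken from the CVSS v3 qualitative scale), the worst-finding rule per tool, and the sample tool names and scores are this example's assumptions; AppVet requires only the three categories, not any particular threshold.

```python
from typing import Dict, Iterable, Mapping, Tuple

PASS, WARNING, FAIL = "PASS", "WARNING", "FAIL"
RANK = {PASS: 0, WARNING: 1, FAIL: 2}   # ordering used to pick a tool's worst finding


def cvss_to_category(score: float, warn_at: float = 4.0, fail_at: float = 7.0) -> str:
    """Map a CVSS base score to one of AppVet's three categories.

    Defaults follow the CVSS v3 qualitative scale (Low < 4.0, Medium 4.0-6.9,
    High/Critical >= 7.0). Which bands become WARNING and FAIL is the tool
    developer's policy, so they are parameters here (assumption, not AppVet's).
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= fail_at:
        return FAIL
    if score >= warn_at:
        return WARNING
    return PASS


def tool_category(scores: Iterable[float]) -> str:
    """A tool that reports several findings is rated by its worst one;
    a tool that reports no findings is PASS (assumption)."""
    worst = PASS
    for score in scores:
        cat = cvss_to_category(score)
        if RANK[cat] > RANK[worst]:
            worst = cat
    return worst


def overall_risk(tool_results: Mapping[str, str]) -> str:
    """The FAQ's rule: any FAIL -> FAIL; else any WARNING -> WARNING; else PASS.

    An empty result set or an unrecognised category raises instead of
    defaulting to PASS (this example's choice): a tool that never reported
    is not evidence of low risk.
    """
    if not tool_results:
        raise ValueError("no tool results to aggregate")
    for tool, cat in tool_results.items():
        if cat not in RANK:
            raise ValueError(f"tool {tool!r} reported unknown category {cat!r}")
    categories = set(tool_results.values())
    if FAIL in categories:
        return FAIL
    if WARNING in categories:
        return WARNING
    return PASS


def assess_app(tool_findings: Mapping[str, Iterable[float]]) -> Tuple[Dict[str, str], str]:
    """Per-tool categories plus the overall category for one app."""
    per_tool = {name: tool_category(scores) for name, scores in tool_findings.items()}
    return per_tool, overall_risk(per_tool)


# Constructed sample: three hypothetical tools reporting CVSS base scores.
SAMPLE_FINDINGS = {
    "static-analyzer":    [5.3, 3.1],   # one Medium finding -> WARNING
    "permission-checker": [2.0],        # Low only -> PASS
    "cert-verifier":      [],           # nothing found -> PASS
}

if __name__ == "__main__":
    per_tool, overall = assess_app(SAMPLE_FINDINGS)
    print(per_tool, "->", overall)   # no FAIL, one WARNING -> overall WARNING
```

Note that the aggregation is deliberately order-independent and that a single high-risk tool result dominates, exactly as the FAQ describes; the defensive choice to reject an empty or malformed result set is what keeps a silently failing tool from being read as a clean bill of health.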
Does an overall risk assessment of PASS mean that the app is OK to use?
The decision to approve or reject an app is based on the policies and
requirements of the organization that owns and operates the instance of
AppVet, regardless of the overall risk assessment generated by AppVet.
Is AppVet free?
Yes, AppVet is freely available under the NIST Software Agreement.
Is there an AppVet open source project?
Yes, the AppVet open source project is available at
What server OS should be used to host AppVet?
It is recommended that AppVet be installed under 64-bit Windows. Although AppVet is Java-based, some issues have been reported with installing and running AppVet under Linux.