
FAQ


What is AppVet?

AppVet is a web-based application for managing an app vetting workflow. AppVet helps decision-makers approve or reject apps based on risk assessments from multiple tools.

Is there a NIST AppVet service where I can submit my app for testing?

No. NIST does not maintain an operational AppVet service.

Does NIST accredit or approve apps?

No. NIST does not accredit or approve apps.

What analytic capability does AppVet provide?

The power of AppVet lies in its ability to easily integrate tools to provide tailored analytic capability. AppVet itself provides little analytic capability.

What tools does AppVet come with?

AppVet comes with one adapter for an example NIST tool service that verifies the certificate of an Android app.

How do I integrate my tool with AppVet?

AppVet supports easy integration of tools through simple API specifications and requirements, including REST API requirements for tool services. To facilitate tool integration, AppVet requires that tools be available as online services. For example, suppose that you want to use the Java jarsigner tool to verify the certificate of Android apps. First, you create an online service (using PHP, a Java servlet, etc.) that "wraps" the jarsigner tool. After your service is set up and running, you can then create a tool adapter that AppVet uses to connect to your tool service. A tool adapter is a simple XML file that tells AppVet how to connect to your tool service. The tool adapter for this jarsigner example is shown here. In addition, the source code for the jarsigner tool service example is available here. This example code can be easily modified to integrate just about any tool with AppVet.

Does AppVet provide a GUI for creating tool service adapters?

AppVet will support this capability in the near future.

Does AppVet support iOS, Windows Mobile, etc. apps?

AppVet can support apps from different platforms so long as there are tools available to analyze those apps. Currently, however, a single AppVet deployment can only handle one mobile platform at a time. The capability to support multiple platforms from a single AppVet system will likely be available in a future version of AppVet.

How is risk assessment derived by a tool?

The risk assessment of an app by a tool is dependent on the vendor or developer of the tool. Here, it is strongly recommended that vendors or tool developers adopt a standardized approach such as the Common Vulnerability Scoring System (CVSS) to derive risk assessments. AppVet requires that risk assessments by a tool be mapped to one of three categories: PASS (low-risk), WARNING (moderate-risk), and FAIL (high-risk).

How does AppVet derive an overall risk assessment for an app?

AppVet takes a simple approach to deriving an app's risk assessment based on the risk assessments from multiple tools. If an app receives low-risk assessments from all tools, then AppVet assigns an overall risk assessment of PASS (low-risk). If an app receives a high-risk assessment from at least one tool, then AppVet assigns an overall risk assessment of FAIL (high-risk). If an app receives a moderate-risk assessment from at least one tool, but does not receive any high-risk assessments, AppVet assigns an overall risk assessment of WARNING (moderate-risk).
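The following added example (not AppVet's own code) implements the two rules from the preceding two answers: mapping a tool's risk score to PASS/WARNING/FAIL, and combining the per-tool categories into an overall assessment. The CVSS-to-category thresholds and the handling of an app with no tool results are assumptions made for this example, and the tool names are constructed.

```python
from enum import IntEnum


class Risk(IntEnum):
    """AppVet's three tool-level categories, ordered so max() yields the worst."""
    PASS = 0      # low-risk
    WARNING = 1   # moderate-risk
    FAIL = 2      # high-risk


def category_from_cvss(score: float) -> Risk:
    """Map a CVSS base score to an AppVet category.

    The thresholds are an assumption for this example, following the CVSS
    v3.x severity bands (Low below 4.0, Medium 4.0-6.9, High/Critical 7.0
    and above, with High and Critical both folded into FAIL). AppVet itself
    leaves this mapping to the tool vendor or developer.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score < 4.0:
        return Risk.PASS
    if score < 7.0:
        return Risk.WARNING
    return Risk.FAIL


def overall_risk(tool_results: dict[str, Risk]) -> Risk:
    """Combine per-tool results as the FAQ describes.

    FAIL if any tool reports FAIL; otherwise WARNING if any tool reports
    WARNING; otherwise PASS. An app with no tool results is rejected as
    not yet assessed, which is an assumption the FAQ does not state.
    """
    if not tool_results:
        raise ValueError("no tool results: the app has not been assessed")
    return max(tool_results.values())


# Constructed sample: three hypothetical tool services reporting on one app.
SAMPLE_RESULTS = {
    "cert-verifier": Risk.PASS,
    "static-analyzer": category_from_cvss(5.3),   # maps to WARNING
    "permission-audit": Risk.PASS,
}

if __name__ == "__main__":
    print(overall_risk(SAMPLE_RESULTS).name)  # WARNING
```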

Does an overall risk assessment of PASS mean that an app is OK to use?

The decision to approve or reject an app is based on the policies and requirements of the organization that owns and operates the instance of AppVet, regardless of the overall risk assessment generated by AppVet.

Is AppVet free?

Yes, AppVet is freely available per the following agreement.

Is there an AppVet open source project?

Yes, the AppVet open source project is available at GitHub.