1. Overview

Security vulnerabilities in mobile apps are on the rise, and efforts are ongoing to develop tools that identify these vulnerabilities. Today, numerous tools are available for testing one or more known vulnerabilities. No single tool, however, has shown the ability to identify all potential vulnerabilities, so efforts have also been made to combine multiple tools in order to provide sufficient vulnerability-detection coverage. These efforts have recently led to the development of systems for managing the testing of apps via multiple tools and for supporting the decision-making process for approving or rejecting apps based on results from these tools. We refer to such systems as app vetting systems.

An app vetting system comprises a number of actors and components and supports a workflow that entails (1) the submission of apps by clients including users and app stores, (2) the testing and analyses of apps via multiple tools including remote tool services and human analysts, (3) the combining of tool results into a single vulnerability risk assessment, and (4) the approval or rejection of apps by a decision maker.
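The following is an added, hypothetical illustration of that four-step workflow in Python; it is not AppVet's own code or API. The report format, the three risk levels, the set of required tools and the aggregation policy (overall risk is the highest risk any tool reported, and a required tool that never completed counts as high risk rather than as a pass) are all assumptions made for this example, and the sample submissions are constructed.

```python
"""Toy model of an app vetting workflow: clients submit an app, several
tools (or a human analyst) each produce a report, the reports are combined
into one risk assessment, and an approve/reject recommendation is made.

Hypothetical example written for this page, not AppVet's code or API.
The report format, risk levels and aggregation policy are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Set, Tuple


class Risk(IntEnum):
    """Ordered risk levels (assumed); a higher value means higher risk."""
    LOW = 0
    MODERATE = 1
    HIGH = 2


@dataclass
class ToolReport:
    """Result from one tool service or analyst (assumed format).
    risk is None when the tool failed or never returned a verdict."""
    tool: str
    risk: Optional[Risk]
    findings: List[str] = field(default_factory=list)


@dataclass
class Submission:
    """An app submitted by a client (a user or an app store)."""
    app_id: str
    client: str
    reports: List[ToolReport] = field(default_factory=list)


# Constructed policy: these tools must each produce a completed result.
REQUIRED_TOOLS: Set[str] = {"static-analyzer", "av-scanner"}


def combine_risk(reports: List[ToolReport],
                 required: Set[str] = REQUIRED_TOOLS) -> Tuple[Risk, List[str]]:
    """Collapse per-tool results into a single risk level.

    Policy (an assumption for this example): overall risk is the highest
    risk any tool reported. A required tool whose result is missing or
    incomplete is treated as HIGH, never as LOW, so a failed or skipped
    scan cannot let an app through. Returns (risk, list of missing tools).
    """
    completed: Dict[str, ToolReport] = {
        r.tool: r for r in reports if r.risk is not None
    }
    missing = sorted(required - completed.keys())
    if missing or not completed:
        return Risk.HIGH, missing or ["no completed tool results"]
    return max(r.risk for r in completed.values()), []


def decide(sub: Submission, threshold: Risk = Risk.MODERATE) -> dict:
    """Recommend approve/reject for the decision maker.

    Approves only when every required tool completed and the combined risk
    is at or below the threshold; lists the supporting reasons either way."""
    overall, missing = combine_risk(sub.reports)
    reasons = [f"{m}: no completed result" for m in missing]
    reasons += [f"{r.tool}: {f}" for r in sub.reports for f in r.findings]
    return {
        "app_id": sub.app_id,
        "risk": overall.name,
        "approved": not missing and overall <= threshold,
        "reasons": reasons,
    }


# Constructed sample submissions: clean, risky, and a tool that never finished.
CLEAN = Submission("com.example.notes", "app-store", [
    ToolReport("static-analyzer", Risk.LOW),
    ToolReport("av-scanner", Risk.LOW),
    ToolReport("human-analyst", Risk.MODERATE, ["requests location permission"]),
])
RISKY = Submission("com.example.flashlight", "user", [
    ToolReport("static-analyzer", Risk.HIGH, ["sends credentials over cleartext HTTP"]),
    ToolReport("av-scanner", Risk.LOW),
])
TOOL_FAILED = Submission("com.example.chat", "app-store", [
    ToolReport("static-analyzer", Risk.LOW),
    ToolReport("av-scanner", None),  # scanner timed out: no verdict recorded
])


def run_all() -> List[dict]:
    """Vet every constructed submission with the default threshold."""
    return [decide(s) for s in (CLEAN, RISKY, TOOL_FAILED)]


if __name__ == "__main__":
    for d in run_all():
        print(d)
```

The point a practitioner should take from the aggregation step is the handling of the failure mode: a tool that errors out or times out produces no verdict, and treating that absence as "no findings" would silently weaken coverage, so the policy escalates it and records the reason for the decision maker.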

In 2010, the National Institute of Standards and Technology (NIST), on behalf of the Program Manager of the Transformative Applications (TransApps) Program at the Defense Advanced Research Projects Agency (DARPA), initiated work focused on developing an app vetting system for the DARPA TransApps program. The TransApps program aimed to provide U.S. soldiers with secure mobile solutions intended for use in combat environments. For this program, NIST developed an app vetting system for managing the vetting of apps before they were deployed on secure mobile devices. We refer to the latest version of this app vetting system as AppVet.

AppVet is a simple, open-source web service and framework for vetting mobile applications. AppVet facilitates the app vetting workflow by providing an intuitive user interface for submitting and testing apps, accessing reports, and assessing risk. Through the specification of simple APIs and requirements, AppVet is designed to integrate easily and seamlessly with a wide variety of clients, including app stores and continuous integration environments, as well as with third-party analysis tools, including static and dynamic analyzers, anti-virus scanners, and vulnerability repositories.