NIST vetting commercial Android apps for security, battery use


Commercial Android apps are undergoing tests at the National Institute of Standards and Technology so the agency can learn how to systematically find security flaws and battery issues.

"We've built a huge kind of an internal laboratory for vetting" the apps, said Jeff Voas, a NIST computer scientist, at the AFCEA Homeland Security conference in Washington on Feb. 26.

The team has learned, for instance, that certain pixel colors deplete battery power more than others. "Everybody knows the display on a smartphone sucks up most of your battery," Voas said, but the tests have found that "red's the hog."

So when battery life is crucial, as with a soldier's device, NIST might recommend that the military avoid apps with too much red color in their displays.

"We can't send them out on a mission where some application, because it's got a really red screen, sucks the battery dry and the phone's only good for a couple of hours as opposed to a 16-hour mission," Voas said.

As part of a Defense Advanced Research Projects Agency program, the military has thousands of Android devices in the field in Afghanistan. NIST's Android app testing lab has vetted apps for DARPA to find a variety of problems, Voas said.

App developers have "taught us how to find out more things about malware than we ever wanted, because they send us all this code, all these apps with malware, and we have to build new testing tools to try to ferret it out and get it out," he said.

Within a few months, NIST plans to release a draft version of a special publication to describe those testing tools and help developers improve apps. "I know there are a lot of federal agencies that are really wanting to get their hands on that" document, he said.

The NIST team has developed tools to test apps for reliability and performance in addition to security and battery life. And it isn't just focused on Android issues.

"We look for all kinds of security problems, whether they're Android specific or not," Voas said.
