Mobile application vetting solutions exist to help enterprises automate the vetting process. This report provides guidance to enterprises on how to assess the feasibility of applying these solutions, based on MITRE’s analysis performed in 2016.
Analyzing the Effectiveness of App Vetting Tools in the Enterprise
Enterprises invest significant resources in mobile application vetting to determine whether apps are safe to deploy on mobile devices. Application vetting seeks to identify security vulnerabilities and malicious or privacy-violating behaviors in applications. It generally involves a time- and labor-intensive effort, resulting in high costs and delays in approving apps for use. Additionally, mobile application developers often operate on a rapid development cycle, where manual vetting approaches cannot keep up with the releases of new application versions.
Mobile application vetting solutions exist that can help enterprises automate the mobile application vetting process. This report provides guidance to enterprises on how to assess the feasibility of applying these solutions, including MITRE’s methodology, evaluation criteria, test applications, and overall results from MITRE’s analysis performed in 2016 of available solutions.
MITRE created criteria to evaluate the ability of these solutions to assess apps against requirements in the NIAP Protection Profile for Application Software, as well as additional criteria for broader application vetting solution capabilities, threats against the application vetting solution itself, and other common mobile application vulnerabilities and malicious behaviors.
Using the criteria, MITRE developed or obtained multiple vulnerable and malicious-appearing applications for use in assessing mobile application vetting solutions. The results from testing these applications with the solutions provide a high-level baseline of application vetting solution capabilities. The applications have been made available on MITRE’s GitHub site: https://mitre.github.io/vulnerable-mobile-apps/