NIST recently published a draft on “Vetting the Security of Mobile Applications.” In general, the intention of the vetting process is to ensure users that mobile applications conform to both general requirements and an organization’s security requirements and that they are free of vulnerabilities.
In this tip, we’ll take a look at adding entropy sources to the vetting process.
NIST divides sources for general requirements into four areas, including the National Information Assurance Partnership (NIAP); OWASP Mobile Risks, Controls and App Testing Guidance; MITRE App Evaluation Criteria; and NIST SP 800-53 Rev 4. The general requirements should be expanded to include discussions and references to the efforts of NIAP, OWASP and MITRE on documenting, assessing and testing entropy sources.
The NIAP is responsible for U.S. implementation of the Common Criteria and coordinates with both NATO and the international standards bodies to share Common Criteria evaluation reports. The NIAP has provided clarification to the Entropy Documentation and Assessment Annex to its Protection Profile for Application Software on the requirements of the Entropy Assessment Report — known as Annex D.
OWASP’s Session Management Cheat Sheet briefly discusses Session ID Entropy — a vulnerability could result from insufficient Session ID length. Furthermore, the Guide to Cryptography covers the use of entropy sources to generate random numbers from human-intervention sources, such as mouse movements and keystrokes, and from operating systems that include random functions calling from .NET, Unix, PHP, Java and ColdFusion. OWASP also provides guidance on testing for weak encryption and insufficient entropy is included on its references list.
MITRE created criteria to evaluate the ability of mobile app vetting solutions to assess apps against requirements in the NIAP Protection Profiles and added criteria for broader application vetting solution capabilities, threats against the application vetting solution itself and other common mobile application vulnerabilities and malicious behaviors.
NIST SP 800-53 Rev 4 briefly discusses its relationship to other security control publications and should explicitly mention entropy when covering cryptography topics; however, this publication has not been updated since January 2015.
Organization-specific security requirements
Organization-specific security requirements define policies, regulations and guidance. NIST gives the example of banning social media apps from installation on the organization’s mobile devices. However, security requirements should be expanded to include examples on deterministic algorithms on entropy sources, such as the camera, the microphone input noise, audio fingerprints and the touchable screen of mobile devices. Discussions on battery charge levels and the relationship between optical sources and the noise on temperature as entropy sources should also be covered.
Players in the vetting systems
NIST should recommend an entropy source analyst or engineer to assist the security analyst in identifying security issues before deploying an app to a user’s mobile device.
A security analyst — often an enterprise system administrator — and an authorizing official are two traditional players who ensure that general and organization-specific requirements are met. NIST should recommend an entropy source analyst or engineer to assist the security analyst in identifying security issues before deploying an app to a user’s mobile device. The security analyst considers the vetting results and makes security recommendations to improve security and entropy posture of the apps while an authorizing official approves or disapproves the use of the app after it has been vetted.
App vetting limitations
NIST states that there is no guarantee that a thorough vetting process will uncover all potential vulnerabilities or malicious behavior. But to remove some limitations, NIST recommends having a security analyst take a major role in the vetting process and build a toolbox that includes multiple assessment tools. NIST should address the value of adding an entropy analyst or engineer to its own toolbox of entropy assessment and validation tools and MITRE should explicitly refer to entropy vulnerabilities in CWE (a classification system by research, developer and architectural concepts), CVS (a naming scheme for software vulnerabilities) and CVSS (a scoring system).
App threats and vulnerabilities
NIST maintains a list of common threats that includes ransomware, mobile billing fraud, hostile downloader, rooters and Trojan horses. NIST further divides Android and iOS vulnerabilities into six types: permissions, such as privacy for iOS; exposed communications; potentially dangerous functionality; app collusion; obfuscation and excessive power consumption. NIST should include entropy source vulnerabilities.
Adding entropy sources
In order to improve the vetting process, NIST should refer to entropy sources as part of the process and the general requirements should refer to the efforts of NIAP, OWASP, MITRE and NIST to expand them. Furthermore, organization-specific requirements should tailor their policies, procedures and regulations to allow entropy sources from mobile devices to be used to generate random numbers. The organizations should then coordinate with certified laboratories on extracting, testing and validating entropy sources.
The use of traditional entropy sources should focus on mouse movements and keystrokes, while the scope of entropy sources should be expanded to other aspects of mobile devices, such as cameras, microphone input noises, audio fingerprints, touchable screens, battery charge levels and temperature noises of optical sources. Application and iOS vulnerabilities should include what entropy sources could compromise mobile devices and apps.
Entropy sources to the NIST vetting process in order make mobile apps more secure, as new entropy sources from deterministic and non-deterministic technologies will emerge.