{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "Mobile Product Security and Privacy Testing Resources |Digital.gov",
    "description": "Mobile Product Security and Privacy Testing Resources",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2013/08/05/mobile-product-security-and-privacy-testing-resources/index.json","item" : [
    {"title" :"Mobile Product Security and Privacy Testing Resources","summary" : "Security testing is used to ensure that a mobile product does not pose a threat to agency IT systems and databases. In addition, privacy testing ensures that an app does not put the user’s personally identifiable information into a compromisable position. This article was developed as part of the Mobile Application Development Program. See our","date" : "2013-08-05T15:01:32-04:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"jparcell" : "Jacob Parcell"},"topics" : {
        
            "content-strategy" : "Content strategy",
            "mobile" : "Mobile",
            "privacy" : "Privacy",
            "research" : "Research",
            "security" : "Security",
            "software-engineering" : "Software engineering"
            },"branch" : "bc-archive-content-3",
      "filename" :"2013-08-05-mobile-product-security-and-privacy-testing-resources.md",
      
      "filepath" :"news/2013/08/2013-08-05-mobile-product-security-and-privacy-testing-resources.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2013/08/2013-08-05-mobile-product-security-and-privacy-testing-resources.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2013/08/2013-08-05-mobile-product-security-and-privacy-testing-resources.md","slug" : "mobile-product-security-and-privacy-testing-resources","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2013/08/05/mobile-product-security-and-privacy-testing-resources/","content" :"\u003cp\u003eSecurity testing is used to ensure that a mobile product does not pose a threat to agency IT systems and databases. In addition, privacy testing ensures that an app does not put the user’s personally identifiable information into a compromisable position.\u003c/p\u003e\n\u003cp\u003eThis article was developed as part of the \u003ca href=\"https://digital.gov/resources/mobile-application-development-program/\" title=\"Mobile Application Development Program\"\u003eMobile Application Development Program\u003c/a\u003e. See our \u003ca href=\"https://digital.gov/2013/08/22/mobile-product-testing-guidelines/\" title=\"Mobile Product Testing Guidelines and Resources\"\u003egeneral guidelines to testing\u003c/a\u003e article for more resources on mobile product testing.\u003c/p\u003e\n\u003ch2 id=\"toc0\"\u003e\u003ca name=\"x-Government Guidance\"\u003e\u003c/a\u003eGovernment Guidance\u003c/h2\u003e\n\u003cp\u003ePlease coordinate with your ISSO when creating mobile or digital products.\u003c/p\u003e\n\u003ch2 id=\"toc2\"\u003e\u003ca name=\"x-Resources Available\"\u003e\u003c/a\u003eResources Available\u003c/h2\u003e\n\u003cp\u003eListed below are resources available that further describe and conduct security and privacy testing. 
These services/companies or websites are offered as a sample of what is currently available for security and do not indicate an endorsement of them or their products and/or services.\u003c/p\u003e\n\u003ch3 id=\"toc4\"\u003e\u003ca name=\"x-Resources Available-Web Resources\"\u003e\u003c/a\u003eWeb Resources\u003c/h3\u003e\n\u003cp\u003e\u003cem\u003eSecurity\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"http://www.makeuseof.com/tag/app-permissions-work-care-android/\" target=\"_blank\" rel=\"nofollow\"\u003eApplication Permissions and Platform Security\u003c/a\u003e – Link explains concept for Android\u003c/li\u003e\n\u003cli\u003eAuthentication and Authorization\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://csrc.nist.gov/groups/SNS/mobile_security/index.html\" target=\"_blank\" rel=\"nofollow\"\u003eNIST Mobile Security \u0026amp; Forensics Page\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.owasp.org/index.php/OWASP_Mobile_Security_Project\" target=\"_blank\" rel=\"nofollow\"\u003eOpen Web Application Security Mobile Security Project\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://www.makeuseof.com/tag/app-permissions-work-care-android/\" target=\"_blank\" rel=\"nofollow\"\u003eTimeouts and Session Management\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet\" target=\"_blank\" rel=\"nofollow\"\u003eWeb Application Security\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eGPS, IMEI, device numbers, and customer personal information all have privacy implications that must be noted. At a minimum, the security assessment should be accomplished through a data sensitivity impact level process and/or privacy impact assessment requirement. 
Agencies should:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eHandle Web history/caching\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSecurely transmit login data\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAvoid “man-in-the-middle” attacks\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSecurely transmit sensitive data\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eProtect from session hijacking\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePermanently delete data\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSecurely handle interruptions\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eProperly secure data in backups\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cem\u003ePrivacy\u003c/em\u003e\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"http://www.mobileapptesting.com/important-mobile-app-privacy-recommendations/2013/02/\" rel=\"nofollow\"\u003eImportant Mobile App Privacy Recommendations\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOther issues to consider:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eIs private data kept private?\u003c/li\u003e\n\u003cli\u003eStored personal data is password protected and/or encrypted.\u003c/li\u003e\n\u003cli\u003eTransmission of personal data from device to device is encrypted.\u003c/li\u003e\n\u003cli\u003eLimit user privileges (i.e. 
limiting access to certain files).\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 id=\"toc5\"\u003e\u003ca name=\"x-Resources Available-Testing Services\"\u003e\u003c/a\u003eTesting Services\u003c/h3\u003e\n\u003cp\u003eThese services/companies or websites are offered as a sample of what is currently available and do not indicate an endorsement of them or their products and/or services.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"http://www8.hp.com/us/en/software-solutions/software.html?compURI=1338812#.UYGuF6LP3nN\" target=\"_blank\" rel=\"nofollow\"\u003eFortify\u003c/a\u003e – Identifies security problems and prioritizes results\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://www-03.ibm.com/software/products/us/en/appscan\" target=\"_blank\" rel=\"nofollow\"\u003eIBM AppScan\u003c/a\u003e – Software designed to automate application security testing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://www.kryptowire.com/\" target=\"_blank\" rel=\"nofollow\"\u003ekryptowire\u003c/a\u003e – Provides static and dynamic analysis of Android applications\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://developer.android.com/tools/help/lint.html\" target=\"_blank\" rel=\"nofollow\"\u003eLint\u003c/a\u003e – Android tool that checks for potential bugs and security optimization\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://www.tenable.com/solutions/mobile-device-security\" target=\"_blank\" rel=\"nofollow\"\u003eNessus\u003c/a\u003e – Software identifies security and compliance exposure\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://docs.seleniumhq.org/\" target=\"_blank\" rel=\"nofollow\"\u003eSelenium\u003c/a\u003e – Tools for automating web applications for testing purposes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"http://www.veracode.com/\" target=\"_blank\" rel=\"nofollow\"\u003eVeracode\u003c/a\u003e – Provides automated static and dynamic application security testing\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 
id=\"toc6\"\u003e\u003ca name=\"x-Test Plans/Checklists available on GitHub\"\u003e\u003c/a\u003eTest Plans/Checklists available on GitHub\u003c/h2\u003e\n\u003cp\u003eThe \u003ca href=\"http://gsa.github.io/Mobile-Code-Catalog/index.html\"\u003eMobile Code Sharing Catalog\u003c/a\u003e has \u003ca href=\"http://gsa.github.io/Mobile-Code-Catalog/testing.html\"\u003etest plans, test cases, or checklists\u003c/a\u003e that have been uploaded to GitHub and are available as samples and/or for use.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003eCoqui Aspiazu, GSA; Ben Weaver and Lisa Wilcox, USDA, contributed to this post.\u003c/em\u003e\u003c/p\u003e\n"}
  ]
}
