The U.S. National Institute of Standards and Technology (NIST) has published two data-security-focused documents in as many months.
In June 2018, NIST published guidance on assessing requirements for securing unclassified information (NIST Special Publication 800-171A Assessing Security Requirements for Controlled Unclassified Information).
In July 2018, NIST Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, was published. It offers a practical guide to meeting the specialized security and privacy obligations associated with managing health records on mobile devices.
Not surprisingly, both include increasingly prescriptive obligations for application developers. In particular, the recommendations and guidelines continue to stress the importance of including anti-tamper and rooted device detection and response controls—core features of application hardening solutions (like PreEmptive’s Dotfuscator and DashO). A few trends are worth noting.
The referenced NIST documents are long—and even longer if you review all the supporting documents. For illustration, here are some excerpts highlighting these trends (italics are my added comments).
800-171A Assessing Security Requirements
3.13.13 SECURITY REQUIREMENT Control and monitor the use of mobile code. (downloading unauthorized code or running tampered code)
ASSESSMENT OBJECTIVE Determine if:
3.13.13[a] use of mobile code is controlled.
3.13.13[b] use of mobile code is monitored.
3.14.4 SECURITY REQUIREMENT Update malicious code protection mechanisms when new releases are available. (bad actors invest in evading root detection and other detective controls—continuous improvement is required here in much the same fashion as anti-virus software)
ASSESSMENT OBJECTIVE Determine if malicious code protection mechanisms are updated when new releases are available. (included later is the obligation to respond when tampering is detected—both in real time and in logging)
1800-1a Executive Summary: Securing Electronic Health Records on Mobile Devices
Our risk assessments focused on identifying threats that might lead to: (they focus on exploits that lead to operational, financial, and legal jeopardy)
Based on our risk assessment, the major threats to confidentiality, integrity, and availability concerning EHRs using mobility are:
Do not be lulled into complacency. Protect and secure your applications even if you don’t do business with the US federal government, don’t need to meet HIPAA requirements, or aren’t focused on mobile apps. With each passing day, these obligations are crystallizing across financial, supply chain, and general risk frameworks. Every development organization must have a well-documented set of controls and processes to prevent, detect, and respond to runtime attacks and environmental compromises. Are you prepared to demonstrate your viability to business owners, regulators, investors, or customers?
Our implementation of anti-tamper, anti-debug, rooted-device detection, and other real-time checks has been focused on these exact demands. Want to know more? Contact us or review the following resources.
Resources
Other NIST Publications