Government Mobile Apps: Users need protection!

Like it or not, government agencies now offer mobile apps for a large range of citizen needs, wants, and interests. The apps are part of the digital government plan started by the previous administration to build “a 21st century platform to better serve the American people.”  

This objective sounds great, but there may be more hiding behind these helpful apps than meets the eye.

The appeal of mobile apps is anytime, anywhere access for end-users. While websites also contribute to meeting this objective, their usefulness depends on a network connection and may lead to extra connection or traffic charges. Mobile apps, on the other hand, are downloaded once (apart from occasional updates), after which most of their functions and information are available locally on the end-user’s mobile device, without needing a connection.

Many federal and state government agencies have therefore been producing app versions of their mobile websites. Other agencies, perhaps less keen on the idea, have also had to play along: part of the digital government plan was an injunction for each federal agency to begin making at least two apps – like it or not.

Consequently, there is now a rich array of government apps available. For example, on the usa.gov site, the list of apps for the Department of the Interior (DOI) alone already totals 16. Just one of these is a mobile website, the other 15 being mobile apps for Android or iOS.

So, what about mobile app safety and security? Government agencies do not necessarily build their own apps. With other workloads and pressures to manage, they may even outsource to the lowest bidder simply to have apps in place to meet their obligations. Third-party developers may themselves use software components from other sources to keep costs down and accelerate delivery dates. Even integrated development environments (IDEs) may contain binary code that cannot be checked manually by developers for security.

Yet citizens need to be safe. Government agencies must check their mobile apps properly, however they have been built and by whomever, before releasing them to the public. After all, the government represents protection and security. Neither its reputation nor the confidence of its citizens can be compromised by vulnerabilities or security threats hiding in the mobile apps that are there to serve the public.

Agency developers, quality assurance, and risk officers then need actionable risk intelligence to effectively and efficiently detect and mitigate threats to government mobile apps before launch, whatever the source of apps and their components. Mi3 Security’s RECON Platform lets agencies rapidly and fully understand their mobile app threat posture, while there is still time to react.

Besides depth and speed of analysis, Mi3 RECON also ensures that apps are systematically tested against the latest set of vulnerabilities, by repeatedly scanning the app over time and notifying agencies of any new vulnerabilities found. Tests cover internal app vulnerabilities, third-party code, and vulnerabilities at communication endpoints for the app. In short, Mi3 RECON enables government mobile apps to offer their advantages to US citizens securely, fulfilling obligations to improve both service and protection at the same time.