S&T awards $8.6 million for enhancing security of mobile apps for the government

— Qualcomm Technologies, Inc. of San Diego, California, was awarded $1,842,739 to utilize and integrate its commercial technology to demonstrate a platform on which mobile application security can be anchored in the hardware of a device. The effort will include the demonstration of a Mission-Critical-Grade Security Layer (MCGSL). The MCGSL will extend continuous observations from the mobile device through Application Programming Interfaces to third-party applications and services across the commercial mobile ecosystem. The MCGSL framework will be engineered to continuously validate and secure third-party apps and services, helping to protect their integrity on the mobile device. This approach is designed to offer broad coverage against a wide range of threats by drawing on device utilization context and application and user behavioral profile information, which can be utilized to reduce false-positive identification of security incidents and uncover previously unseen advanced persistent threats. The project is intended to demonstrate the potential for broad use across devices with Qualcomm® Snapdragon™ platforms.

— Lookout, based in San Francisco, California, was awarded $1,800,000 to add new app-threat, -risk and -vulnerability detection and protection capabilities and enhance existing capabilities in its cloud-based Mobile Endpoint Security platform. These enhancements will strengthen the government’s ability to securely enable the use of mobile technologies for mission-critical activities. The work will enhance visibility into risky applications; detection of side-loaded applications and advanced network-based threats such as man-in-the-middle attacks; mobile device and application vulnerability detection and management; and its platform’s Certificate Authority reputation system. The enhanced platform will be applicable to iOS and Android operating systems.

— United Technologies Research Center (UTRC), located in East Hartford, Connecticut, was awarded $1,453,655 to develop and implement a mobile app security system that will be run on a hybrid mobile-device-cloud environment called COMBAT (COntinuous Monitoring of Behavior to protect devices from evolving mobile Application Threats). COMBAT will process diverse sources of information along with artificial intelligence to accurately and efficiently detect malicious and vulnerable apps of varying risk severity levels. COMBAT also will evaluate the risk of an app for a given operational environment and produce a detailed risk-assessment report that includes an explanation of why an app is considered malicious. UTRC will build an in-device-based behavior monitoring service to dynamically track the behavior of vetted apps in real time to enforce desirable policies (e.g., provide protection from app masquerading and other obfuscation attacks). COMBAT will be demonstrated on Android devices.

— Apcerto, Inc. of Ashburn, Virginia, was awarded $1,643,419 to research and develop solutions for normalizing and rating mobile apps based on predefined standards as well as a framework for orchestrating the entire mobile app security process. The first solution will provide a testbed for mobile app security orchestration and the normalization of results to standards, including the National Information Assurance Partnership, Open Web Application Security Project, Health Insurance Portability and Accountability Act, and Sarbanes-Oxley Act. Apcerto’s platform will integrate with security tool vendors and translate their respective outputs to a scoring system. The platform will provide a sustainable model of “security analysis as a service” that enables the public and private sectors to vet mobile apps and create secure mobile solutions.

— Red Hat, Inc., of Raleigh, North Carolina, and Kryptowire, LLC of Fairfax, Virginia, jointly were awarded $1,902,750 to integrate security throughout the entire mobile app development lifecycle. They will develop an extension of the Red Hat Mobile Application Platform (RHMAP) that will enable security templates for developers and integrate automated mobile app security testing. This effort will adhere to appropriate U.S. government mobile security standards (e.g., National Information Assurance Partnership—Software Protection Profile). The goal is to automatically enforce checks to ensure developed app code and third-party libraries comply with security standards throughout the mobile app lifecycle development process. The mobile security technology will be optimized for iOS and Android apps.