Android Security Symposium 2017

Assessing and improving mobile application security

About the speakers

Michael Peck

The MITRE Corporation, McLean, VA, USA
Michael Peck is a security engineer at The MITRE Corporation, where he primarily focuses on mobile device security, mobile application security, and network security protocols and standards. He holds an M.S. in Security Informatics from Johns Hopkins University and a B.S. in Computer Science from the University of Virginia.

Carlton Northern

The MITRE Corporation, McLean, VA, USA
Carlton Northern is a mobile security engineer at The MITRE Corporation. While at MITRE he has helped various U.S. DoD and other federal agencies deploy secure mobile solutions over a range of use cases. Carlton has also been an active member of the Trusted Computing Group where he contributed to the TPM Mobile specification. Currently, Carlton is working with the U.S. Army Training and Doctrine Command where he has helped deploy a training and educational app store for the Army, overcoming issues of application security and BYOD.


Many enterprises are seeking commercial solutions to perform security vetting of
mobile applications for exploitable vulnerabilities and suspicious behaviors. We
will discuss an analysis performed by MITRE in 2016 of the effectiveness of app
security vetting solutions, including discussion of their overall strengths and
weaknesses. As part of the analysis, we developed solution criteria based on
NIAP's Protection Profile for Application Software, and we created Android and iOS
applications with deliberately inserted vulnerabilities and suspicious behaviors.
Our work may help others faced with assessing the security of mobile applications.

Next, we'll discuss a MITRE research project into tools and techniques for improving
Android application security. We developed static analysis checks for the Android
Lint tool built in to Android Studio and the Android Software Development Kit (SDK).
The static analysis checks, accepted by the Android Open Source Project, enable app
developers and security analysts to identify and eliminate several common Android
app vulnerabilities up-front in the software development lifecycle. We'll also
discuss our attempt to propose changes to the Android operating system's SELinux
mandatory access control policies and other security architecture elements to
address application security vulnerabilities and misbehaviors.


Get the slides here.