Mobile App Testing Workflow Program Used by Military Now Available as Open Source

The National Institute of Standards and Technology (NIST) has released AppVet, a free and open source web application for managing the mobile app vetting process. 

"AppVet aims to simplify the complexity of manually testing apps through multiple test tools," explains Steve Quirolgico, a computer scientist at NIST and a member of the team developing AppVet.

AppVet manages app vetting workflow that involves submitting apps to testing tools (for virus-detection and reliability, for example), receiving reports and risk assessments from tools, and combining risk assessments from these tools into a single risk assessment. Analysts from an organization can review the reports and risk assessments and decide whether to approve or reject the app according the organization's requirements.

AppVet does not do any testing itself; instead it manages third-party test programs. One advantage of AppVet is that it provides specifications, Applications Programming Interfaces, and requirements that facilitate easy integration with third-party test tools as well as clients, including app stores. For example, AppVet defines a simple API and requirements for submitting apps to, and receiving reports from, third-party test tools.

AppVet grew out of work NIST performed for the Defense Advanced Research Projects Agency (DARPA). That work used an early version of AppVet to vet mobile apps before being deployed on mobile devices for military field use.

Although AppVet can be used by anyone for testing apps, it was designed to support organizations that test a large number of apps. AppVet can support apps from different platforms, including Android, iOS and Windows, depending on tool availability for those platforms. NIST does not provide the testing tools; instead it provides an interface to manage the test results of multiple commercial and open source testing tools.

An AppVet system comprises an AppVet web application and its related tools and clients. In an AppVet system, the app vetting workflow begins when a client submits an app to AppVet. When AppVet receives an app, it registers the app and performs some pre-processing of the app. Preprocessing is used to extract meta-data about an app and possibly provide additional functionality such as ensuring that the app conforms to specific requirements of the hosting organization. After preprocessing an app, AppVet sends the app and related information to one or more tools for testing and evaluation. When a tool completes its analysis, it returns a report and risk assessment to AppVet which, in turn, makes them available to clients. In addition, AppVet generates an overall risk assessment based on risk assessments from all tools.