One problem common to tactical environments is that software does not keep pace with changing missions. This is partly due to the time needed to develop new software capabilities and partly due to the time needed to ensure that the new software conforms to the security requirements of networks in tactical environments. The SEI's work on user-configured situational awareness mashups helps address the first problem. And the SEI's work on rapid validation of Android apps helps address the second problem.
Increased variability and tempo of missions leads to demands to field new apps quickly, which presents unique challenges to verification and validation of these apps. Traditional techniques require complicated development practices, involve large teams of testers, and can create bottlenecks in getting systems ready for deployment.
The SEI is developing an automated solution to help with rapid validation and verification of mobile apps, focusing on Android apps. The solution leverages existing expertise in developing coding rules for Java and in developing static analysis and software model-checking tools for C and Java. The coding rules will capture correct interaction with the network such that conformance to the rules improves confidence in the safe and secure operation of the app. We will develop a static analysis framework to check for violations of the coding rules, use our expertise to decide which rules are suitable for static analysis, and use well-established static analysis platforms for Java to write checkers for suitable rules.
Automated validation will increase confidence that apps deployed on mobile devices adhere to the security requirements of both the mobile devices and the networks with which they interact. It will also reduce the time lag between development and deployment, moving the apps faster into the field where they are needed.