
Time to Require App Stores to implement NIST Labeling and Supply Chain Standards

Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Jan 29, 2023

[UPDATE March 2, 2023: The US National Cybersecurity Strategy published today calls for a re-balancing of cybersecurity risks; you can bet that app store operators will need to up their game and become ardent stewards of software supply chain security by providing trust scores for apps, similar to the restaurant analogy in today's video.]

[UPDATE Feb 1: NTIA is also calling for changes to app stores.]

“From finding directions to chatting with loved ones, apps are a critical tool for consumers and an essential part of doing business online,” said Alan Davidson, Assistant Secretary of Commerce for Communications and Information and NTIA Administrator. “It is more important than ever that the market for mobile apps remains competitive. NTIA's recommendations will make the app ecosystem more fair and innovative for everyone.”

In a few months we will reach the two-year anniversary of Executive Order (EO) 14028, the Cybersecurity Order that was issued in response to the SolarWinds software supply chain attack. EO 14028 contains several recommendations aimed at improving software supply chain transparency and improving the cybersecurity protections available to software consumers to protect themselves. The order acknowledges the challenge we all face with software: “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is”.

There are a few misconceptions that people have when it comes to apps in app stores operated by Apple, Google, Microsoft, Amazon and others. Perhaps the most prevalent “myth” is that app store operators apply best practices with regard to software supply chain risk assessments. This is completely false; each app store operator specifies its own proprietary requirements for listing a software product in its app store, and those requirements do not necessarily follow NIST Supply Chain Risk Management standards, such as SP 800-161, or NIST secure coding standards, such as SP 800-218.

The bottom line is, the “app store industry” is inconsistent in its evaluation of software supply chain risk, which leaves the consumer to bear all the risks when installing an app from an app store. App store operators are, collectively, the largest distributor of consumer software on the planet, and they could benefit all software consumers by consistently applying NIST software supply chain risk management, secure coding and labeling recommendations to apps before listing them in an app store. I’ve written about the risks posed by these software app stores in the past, and the mountain of evidence showing that apps in app stores should not be trusted blindly continues to accumulate, with TikTok providing the latest proof. EO 14028 was clear about the need to provide more transparency into software supply chain risk, recommending use of a “consumer label” to inform consumers of the trustworthiness of apps before installation: “The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products.”

NIST completed its work assignment from EO 14028 by producing consumer software labeling recommendations for IoT devices and other consumer software, such as apps in app stores. The White House has signaled an interest in applying these NIST labeling standards to help consumers gain visibility into software supply chain trustworthiness. NIST has also signaled a willingness to work with app store owners to apply the NIST labeling recommendations to apps, but no progress is apparent in this area. App stores continue to be a source of risky software used in smart devices, which consumers install “blindly” without knowing the risks posed.

App store owners continue to ignore the protections which NIST has created, and consumers will remain at risk until the US Government demands that all app store owners implement NIST standards for software supply chain risk management, secure coding and consumer labeling before listing an app in an app store. The time has come for the US Government to require all app store operators to consistently implement NIST software supply chain risk assessment best practices and to provide consumers with a label on each app in their app stores indicating the application of these NIST standards and practices, following the NIST consumer software labeling recommendations.
