One of the central tenets of the FirstNet proposition was not just a nationwide LTE network for public safety, but an ecosystem of applications that were public-safety grade. There are currently more than 50 iOS and Android applications available in the FirstNet catalog, representing more than 30 unique applications.
Even more promising is the fact that more than 1,500 app developers — a large portion of whom are first responders themselves — have signed on, according to Scott Agnew, AVP of product development for FirstNet-AT&T. AT&T has held several hackathons, beginning last spring, as part of its engagement with app developers. Agnew also said that additional APIs are in the works that will help developers create apps that work better on the FirstNet network, and that additional announcements in this area should be expected soon.
“Anything we can do to give developers those tools to make apps more capable, more secure, and more aware of the intelligence that’s going on in the network, makes them better for public safety,” Agnew said.
So what does it take to be a FirstNet app? The requirements laid out for developers broadly fall into seven categories:
- Apps are required to be relevant to public safety users.
- Scalability requirements, so that apps continue to work well as the FirstNet user base grows.
- Data privacy, including minimizing collection of users’ data.
- Resource usage: FirstNet-AT&T says that apps “should be designed to make the least negative impact on an end user’s device” — with battery, storage and network usage optimized.
- Demonstrated evidence of security, ranging from encryption on the device to penetration testing of the service.
FirstNet has noted that a Department of Homeland Security study in 2017 reported that 55% of mobile apps that the public safety community commonly uses have high-risk vulnerabilities; it aims to avoid such vulnerabilities in its own app ecosystem.
Apps that are part of the FirstNet app catalog fall into two categories: FirstNet Listed and FirstNet Certified. The FirstNet Listed category was established last fall, in an effort to provide an easier and less expensive option for apps to be part of the catalog. FirstNet Listed apps still have to meet certain conditions around security, relevance and data privacy, but instead of requiring the developers to submit a source code security scan, FirstNet conducts the scan as part of its review process at no cost to the developer. Developers are then notified of any issues and must fix them and re-submit the app for additional review.
For FirstNet Certified apps, developers “are required to submit documentation and performance tests to ascertain the application's scalability, resiliency and resource usage.” In terms of security, FirstNet’s fundamental requirement is a source-code scan that identifies and reports 14 categories of vulnerabilities, from possible backdoors and malware to compliance with health data regulations. Developers of both FirstNet Certified and FirstNet Listed apps have detailed checklists of information they must also submit as part of the app review or certification process. FirstNet has made it clear to developers that while they may choose their own test tools, they are expected to have “mature testing processes to validate quality in functional effectiveness, usability, stability, performance, and load testing.” FirstNet recently outlined some of the most prominent risks that developers should address, and recommended tools to do so, in a blog entry on its developers site.
During a session at the International Wireless Communications Expo, Steve Fallin, NetMotion Mobility product manager for NetMotion Software, who also handles the company’s government and regulatory affairs issues, said that his company approaches the app vetting process as a cost of doing business. NetMotion was a store launch partner with FirstNet-AT&T’s app ecosystem, and its secure VPN app is FirstNet Certified and has been through about 20 approvals since launch, he added, because not only do the apps have to pass the FirstNet certification process when they are initially submitted, but every new update has to be re-certified.
“Every time we do a new release, we start the certification process over again, in some abbreviated form,” he said.
Fallin said the company has chosen to make source-code scanning an integrated part of its in-house build process, so that at the end of a release cycle when scan information has to be presented for certification (as is required by FirstNet), the binary has been regularly scanned throughout the lifetime of its development. Building in security from the beginning as part of the development regime, he added, is much less expensive than adding it later. Each exception noted by the scanning tool has to be addressed with a comment, he said, and he recommended writing those comments as the exceptions arise rather than waiting until the end and going back through to add them all in.
Fallin also said that the app approval process is “very much an evolving process within AT&T” as it stands up this new ecosystem with specific and more stringent requirements than publicly available app stores. “It’s just been really obvious to me that they’re doing the best they can and everyone’s learning as we go,” Fallin added.
FirstNet has said that submitted apps fall into a broad range of categories, including communications tools, device security, cloud solutions, computer-aided dispatch solutions, video surveillance, secure connections, in-building coverage and mapping, situational awareness and public safety community apps, among others.