IRS Faulted on Smartphone App Development Process

The Internal Revenue Service’s IRS2Go smartphone application has been judged to be secure, but a new government report criticizes the agency for using a non-approved programming development language and skirting the traditional approval process.

The IRS released its IRS2Go mobile app for the Apple iPhone and Google Android smartphones in January (see IRS Launches App for iPhones and Droids). The app allows taxpayers to check on the status of their tax refunds and receive daily tax tips from the IRS. Since its release, 147,205 iPhone users and 178,773 Android users have downloaded the mobile app.

In a new government report, the Treasury Inspector General for Tax Administration found that the IRS2Go app adequately secures data communications and does not store sensitive or personally identifiable information such as Social Security numbers on the phones.  However, according to the report, the IRS did not follow the appropriate procedures for using a programming language that had not been approved by IRS information technology management and open-source software during the software development process. 

The IRS told TIGTA that it made a risk-based decision not to pursue the waivers because of the time constraints under which the project operated. However, the IRS could not provide any documentation of that risk-based decision, and the agency informed TIGTA’s inspectors that it was a verbal decision.
TIGTA also found that the IRS did not comply with Office of Management and Budget Circular A-130 regulations, which require senior officials to approve the application before its public release. While the IRS2Go app did not have any significant security issues when it was released to the public, using a system development approach that does not comply with the OMB regulations increases the risk that applications released to the public may contain security or privacy weaknesses, the report noted.

“The IRS is to be commended for using technology to make tax information more accessible to taxpayers,” TIGTA Inspector General J. Russell George said in a statement. “However, I am troubled that the IRS took some shortcuts in developing the application. While no significant security problems were identified, development of future smartphone applications should follow approved processes to avoid introducing unnecessary risk into the development process.”

TIGTA recommended that the IRS follow software development processes and comply with policies when developing new smartphone apps.  IRS officials agreed with the recommendations. 

“As this is the first mobile application developed by the Internal Revenue Service we recognize we have more work to do to ensure we fully document our work and receive necessary waivers on a more timely basis under our rapid development process,” wrote IRS chief technology officer Terence V. Mulholland in response to the report.”