UCF STIG Viewer Logo

The mobile app must not modify, request, or assign values for operating system parameters unless necessary to perform application functions.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-APP-000033-MAPP-000010 SRG-APP-000033-MAPP-000010 SRG-APP-000033-MAPP-000010_rule Medium
Description
A mobile app that operates with the privileges of its host OS is vulnerable to integrity issues and escalated privileges that would affect the entire platform and device. If the app is able to obtain OS privileges greater than necessary for proper operation, then an adversary is able to breach the app, has access to these additional privileges, and can perform unauthorized functions. These functions might include the ability to read sensitive data or execute unauthorized code. If the latter, then additional attacks on the system and DoD networks may be possible. Prohibiting an app from assigning itself unnecessary privileges greatly mitigates the risk of unauthorized use of those privileges.
STIG Date
Mobile Application Security Requirements Guide 2014-07-22

Details

Check Text ( C-SRG-APP-000033-MAPP-000010_chk )
Perform a review of the app's documentation to understand the app's operational requirements or the functionality of the app to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the app should have assigned during and at the time of installation. Next, conduct a static program analysis to assess the app's ability to restrict user OS privileges except where explicitly required for the app to operate. If the static program analysis reveals OS access privileges that exist, are modifiable or can be requested that are beyond requirements are granted to the application, this is a finding.
Fix Text (F-SRG-APP-000033-MAPP-000010_fix)
Modify the mobile app code so that the app does not modify, request, or assign values for operating system parameters unless necessary to perform application functions.