Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
SRG-APP-000033-MAPP-000010 | SRG-APP-000033-MAPP-000010 | SRG-APP-000033-MAPP-000010_rule | Medium |
Description |
---|
A mobile app that operates with the privileges of its host OS is vulnerable to integrity issues and escalated privileges that would affect the entire platform and device. If the app is able to obtain OS privileges greater than necessary for proper operation, then an adversary is able to breach the app, has access to these additional privileges, and can perform unauthorized functions. These functions might include the ability to read sensitive data or execute unauthorized code. If the latter, then additional attacks on the system and DoD networks may be possible. Prohibiting an app from assigning itself unnecessary privileges greatly mitigates the risk of unauthorized use of those privileges. |
STIG | Date |
---|---|
Mobile Application Security Requirements Guide | 2014-07-22 |
Check Text ( C-SRG-APP-000033-MAPP-000010_chk ) |
---|
Perform a review of the app's documentation to understand the app's operational requirements or the functionality of the app to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the app should have assigned during and at the time of installation. Next, conduct a static program analysis to assess the app's ability to restrict user OS privileges except where explicitly required for the app to operate. If the static program analysis reveals OS access privileges that exist, are modifiable or can be requested that are beyond requirements are granted to the application, this is a finding. |
Fix Text (F-SRG-APP-000033-MAPP-000010_fix) |
---|
Modify the mobile app code so that the app does not modify, request, or assign values for operating system parameters unless necessary to perform application functions. |