The mobile app must not execute as a privileged operating system process unless necessary to perform any app functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-APP-000033-MAPP-000011	SRG-APP-000033-MAPP-000011	SRG-APP-000033-MAPP-000011_rule		Medium

Description
A mobile app that operates with the privileges of its host OS will make the OS, device, and other apps vulnerable to such issues as escalated privileges that would affect the entire platform and device. If the app is able to obtain OS privileges greater than necessary for proper operation, then an adversary able to breach the app has access to these additional privileges and can perform unauthorized functions. These functions might include the ability to read sensitive data, or execute unauthorized code. If the latter, then additional attacks on the system and DoD networks may be possible. In applying this control, the device and data are protected against attacks that would be easily executed by a malicious user who has gained numerous privileges.

Description

A mobile app that operates with the privileges of its host OS will make the OS, device, and other apps vulnerable to such issues as escalated privileges that would affect the entire platform and device. If the app is able to obtain OS privileges greater than necessary for proper operation, then an adversary able to breach the app has access to these additional privileges and can perform unauthorized functions. These functions might include the ability to read sensitive data, or execute unauthorized code. If the latter, then additional attacks on the system and DoD networks may be possible. In applying this control, the device and data are protected against attacks that would be easily executed by a malicious user who has gained numerous privileges.

STIG	Date
Mobile Application Security Requirements Guide	2014-07-22

Details

Check Text ( C-SRG-APP-000033-MAPP-000011_chk )
Perform a review of the app's documentation to understand the app's operational requirements or the functionality of the app to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the app should have assigned for normal app operations during and at the time of installation. Next, conduct a static program analysis to assess the app's ability to restrict user OS privileges except where explicitly required for the app to operate. If the static program analysis reveals OS access privileges that are beyond requirements are granted to the application, this is a finding.

Check Text ( C-SRG-APP-000033-MAPP-000011_chk )

Perform a review of the app's documentation to understand the app's operational requirements or the functionality of the app to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the app should have assigned for normal app operations during and at the time of installation. Next, conduct a static program analysis to assess the app's ability to restrict user OS privileges except where explicitly required for the app to operate. If the static program analysis reveals OS access privileges that are beyond requirements are granted to the application, this is a finding.

Fix Text (F-SRG-APP-000033-MAPP-000011_fix)
Modify the mobile app code so that the app does not execute as a privileged operating system process unless necessary to perform any app functions.