
A mobile app must not call APIs or otherwise invoke resources external to the mobile app unless such activity serves the documented purposes of the mobile app.


Overview

Finding ID: SRG-APP-000033-MAPP-000012
Version: SRG-APP-000033-MAPP-000012
Rule ID: SRG-APP-000033-MAPP-000012_rule
IA Controls: (none listed)
Severity: Medium
Description
A mobile app that does not operate within appropriate limits will inadvertently expose the device and all stored data to non-secure domains, and will also provide a path for a malicious intruder to access the device and the data stored on it. If the mobile app calls APIs outside of its purpose, it could potentially perform unauthorized functions, such as revealing the location of the user or obtaining data from the user's contact database. This control limits the API set and mitigates the risk that unauthorized actions are taking place within the app that could compromise the data's confidentiality, as well as the user's safety and mission.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000033-MAPP-000012_chk )
Review the requirements for the app design and assess which external resources the app will need to access for normal operation. Perform a document review of the functional requirements to understand which APIs the app must call in order to meet those requirements. Next, perform a static program analysis and identify which APIs the app actually calls (e.g., camera, microphone, Bluetooth, address book, GPS), which other apps it invokes, and which other resources external to the app it accesses. If the design/functional requirements documentation and the static program analysis reveal that the APIs and resources accessed or available to the app go beyond those which the functional and operational requirements demand, this is a finding.
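The check above compares what the documentation justifies against what static analysis shows the app actually touching. The following is an added example, not part of the STIG or of any particular product, of how an assessor might automate the comparison for an Android app: it reads the permissions declared in AndroidManifest.xml, scans source for API references to sensitive resources and for external URLs, and reports anything not covered by the documented allowlist. The manifest and source excerpt are constructed sample inputs, and the pattern table is an illustrative subset of signatures, not a complete static analyzer; the category names ("camera", "contacts", ...) and the `documented_*` allowlists are assumptions an assessor would derive from the app's own requirements documents.

```python
"""Allowlist check of an Android app's declared permissions, sensitive API use
and external hosts against its documented requirements (added example).

Sample inputs below are constructed for the demonstration."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative subset of signatures: the permissions and source-level API
# references that indicate use of each sensitive resource category.
RESOURCE_SIGNATURES = {
    "camera": {
        "permissions": {"android.permission.CAMERA"},
        "api_patterns": [r"android\.hardware\.camera2", r"\bCamera\.open\("],
    },
    "microphone": {
        "permissions": {"android.permission.RECORD_AUDIO"},
        "api_patterns": [r"\bAudioRecord\b", r"\bMediaRecorder\b"],
    },
    "bluetooth": {
        "permissions": {"android.permission.BLUETOOTH",
                        "android.permission.BLUETOOTH_CONNECT"},
        "api_patterns": [r"\bBluetoothAdapter\b"],
    },
    "contacts": {
        "permissions": {"android.permission.READ_CONTACTS"},
        "api_patterns": [r"\bContactsContract\b"],
    },
    "location": {
        "permissions": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
        "api_patterns": [r"\bLocationManager\b", r"\bFusedLocationProviderClient\b"],
    },
}

# Matches literal http(s) URLs embedded in source; stops at quotes/whitespace.
URL_PATTERN = re.compile(r"""https?://[^\s"'<>)]+""")


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def permission_resources(permissions):
    """Map declared permissions to the resource categories they unlock."""
    return {res for res, sig in RESOURCE_SIGNATURES.items() if permissions & sig["permissions"]}


def api_resources(source_code):
    """Resource categories whose API signatures appear in the source text."""
    return {res for res, sig in RESOURCE_SIGNATURES.items()
            if any(re.search(p, source_code) for p in sig["api_patterns"])}


def external_hosts(source_code):
    """Hostnames of URL literals found in the source text."""
    return {urlparse(u).hostname for u in URL_PATTERN.findall(source_code)} - {None}


def assess(manifest_xml, sources, documented_resources, documented_hosts):
    """Compare what the app declares and references against the documented allowlists."""
    perms = declared_permissions(manifest_xml)
    used = permission_resources(perms)
    hosts = set()
    for src in sources:
        used |= api_resources(src)
        hosts |= external_hosts(src)
    return {
        "declared_permissions": perms,
        "resources_in_use": used,
        "unjustified_resources": used - set(documented_resources),
        "unjustified_hosts": hosts - set(documented_hosts),
    }


def is_finding(report):
    """Per the check text: anything beyond the documented requirements is a finding."""
    return bool(report["unjustified_resources"] or report["unjustified_hosts"])


# ---- Constructed sample inputs for a hypothetical photo-notes app ----
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photonotes">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

SAMPLE_SOURCE = """
// Constructed excerpt: camera use is documented; contacts access and the
// second host are not mentioned anywhere in the requirements.
import android.hardware.camera2.CameraManager;
import android.provider.ContactsContract;
URL api = new URL("https://api.photonotes.example/upload");
URL extra = new URL("https://telemetry.example.net/beacon");
"""

# Allowlists an assessor would derive from the app's requirements documents.
DOCUMENTED_RESOURCES = {"camera"}
DOCUMENTED_HOSTS = {"api.photonotes.example"}


def demo_report():
    return assess(SAMPLE_MANIFEST, [SAMPLE_SOURCE], DOCUMENTED_RESOURCES, DOCUMENTED_HOSTS)


if __name__ == "__main__":
    report = demo_report()
    for key, value in report.items():
        print("%-22s %s" % (key + ":", sorted(value)))
    print("finding:", is_finding(report))
```

Run against real artifacts, the manifest would come from the decoded APK and `sources` from the decompiled or supplied source tree; the result only flags divergence from the documented allowlist, so a mismatch still needs the assessor to confirm against the design documentation whether the usage is undocumented (a finding) or the documentation is merely incomplete.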
Fix Text (F-SRG-APP-000033-MAPP-000012_fix)
Modify mobile app code and architecture to create a sandbox environment for the app to prevent it from controlling APIs and accessing other resources that do not relate to the app's functional and operational requirements.