
The mobile app must not enable other applications or non-privileged processes to modify software libraries.


Overview

Finding ID: SRG-APP-000133-MAPP-000030
Version: SRG-APP-000133-MAPP-000030
Rule ID: SRG-APP-000133-MAPP-000030_rule
IA Controls: none listed
Severity: Medium
Description
Many apps leverage software libraries to perform app functions. If the app makes these library files world-writable or otherwise allows unauthorized changes, then other processes on the device could modify a library to give the app capabilities it did not have originally. These capabilities might enable the app to exfiltrate sensitive DoD information or permit privilege escalation, possibly leading to attacks on additional systems. Libraries could be modified because the app enables other apps to do so, or because the app itself allows the user to do so. Implementing this control prevents apps from acquiring capabilities for which they were not originally authorized. Please refer to CWEs: 250, 265, 272, and 284. The MAPP SRG Overview contains additional information on the use of CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text (C-SRG-APP-000133-MAPP-000030_chk)
Perform a documentation review to assess whether the app enables other apps or non-privileged processes to modify its software libraries. If the app functional requirements review cannot be carried out or is inconclusive, perform a static program analysis to assess whether code exists that grants other apps or non-privileged processes the ability to modify software libraries (for example, by making library files world-writable). If the app's functional requirements review and/or the static program analysis reveals that the app enables other apps or non-privileged processes to modify software libraries, this is a finding.
Fix Text (F-SRG-APP-000133-MAPP-000030_fix)
Configure or code the mobile app to limit access to the app's software libraries to the app only.
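The check text calls for a static program analysis, and the fix text for restricting library access to the app itself. The following is an added example written for this page, not part of the SRG or of any vendor's assessment tooling: a small Python scanner that flags Android/Java statements which hand write access over the app's code to other processes (world-writable file modes, permissive chmod, File.setWritable for everyone, loading native code from shared external storage), together with a filesystem audit that lists world-writable library files in an unpacked app tree. The pattern list, the sample Java source and the on-disk sample tree are constructed assumptions for illustration and would need extending for a real review.

```python
import os
import re
import stat
import tempfile

# Source patterns that hand write access over the app's own library files to
# other apps or non-privileged processes. This list is an assumption made for
# the example; it targets Android/Java idioms and is not exhaustive.
RISKY_PATTERNS = [
    (re.compile(r"MODE_WORLD_WRITEABLE"),
     "file created world-writable"),
    # octal modes whose 'others' digit carries write (2,3,6,7), or symbolic o+w / a+w
    (re.compile(r"chmod\s+(?:-R\s+)?(?:[ug]*[oa][ugoa]*\+[rx]*w|[0-7]{2,3}[2367])\b"),
     "chmod grants write permission to other users"),
    (re.compile(r"\.setWritable\(\s*true\s*,\s*false\s*\)"),
     "File.setWritable(true, false) makes the file writable by everyone"),
    (re.compile(r"System\.load(?:Library)?\(\s*[^)]*(?:getExternalStorageDirectory|getExternalFilesDir|/sdcard)"),
     "native library loaded from shared external storage"),
]


def scan_source(source: str):
    """Return (line_number, description, line) for each risky statement.

    Whole-line comments are skipped so a commented-out mention of
    MODE_WORLD_WRITEABLE does not produce a finding.
    """
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "/*", "*")):
            continue
        for pattern, description in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((number, description, stripped))
                break  # one finding per line is enough for triage
    return findings


def world_writable(mode: int) -> bool:
    """True when the 'others' class has write permission in a POSIX file mode."""
    return bool(mode & stat.S_IWOTH)


def find_world_writable_libraries(root: str, suffixes=(".so", ".dex", ".jar")):
    """Walk an unpacked app directory and list library files any process can modify."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                if world_writable(os.lstat(path).st_mode):
                    flagged.append(path)
    return sorted(flagged)


def make_demo_tree() -> str:
    """Build a constructed sample tree: one correctly protected library (0644)
    and one left world-writable (0666). Returns the root directory."""
    root = tempfile.mkdtemp(prefix="mapp030-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for name, mode in (("libcore.so", 0o644), ("libplugin.so", 0o666)):
        path = os.path.join(lib, name)
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF")  # placeholder bytes, not a real library
        os.chmod(path, mode)
    return root


# Constructed Java snippet standing in for the app source under review.
# Only the last System.load, which uses the app's private nativeLibraryDir,
# is acceptable; every other line hands write access to other processes.
SAMPLE_SOURCE = "\n".join([
    '// Loader.java (constructed sample)',
    'FileOutputStream out = openFileOutput("plugin.so", Context.MODE_WORLD_WRITEABLE);',
    'Runtime.getRuntime().exec("chmod 777 " + libDir);',
    'new File(libDir, "plugin.so").setWritable(true, false);',
    'System.load(Environment.getExternalStorageDirectory() + "/plugin.so");',
    'System.load(getApplicationInfo().nativeLibraryDir + "/libcore.so");',
])


if __name__ == "__main__":
    for number, description, line in scan_source(SAMPLE_SOURCE):
        print(f"line {number}: {description}\n    {line}")
    root = make_demo_tree()
    for path in find_world_writable_libraries(root):
        print("world-writable library:", os.path.relpath(path, root))
```

Run the scanner over the app's source tree and the filesystem audit over the app's data directory pulled from a test device. A compliant app keeps its libraries in its private directory with no write bit for other users and loads them from that path only; a hit from either function is the evidence the check text asks for.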