
The mobile app must not include source code, unreferenced code or subroutines that are never invoked during operation, except for software components and libraries from approved third-party products.


Overview

Finding ID: SRG-APP-000141-MAPP-000031
Version: SRG-APP-000141-MAPP-000031
Rule ID: SRG-APP-000141-MAPP-000031_rule
IA Controls:
Severity: Medium
Description
Unused software and libraries increase program size without any benefit and may also contain malicious code that is executed later, compromising the app and all stored data. Typically, unknown code cannot be evaluated because it is never executed at run time, so its presence is not fully known until malicious action takes place. Implementing this control mitigates the risk of dormant code executing at an opportune moment, granting itself privileges and compromising the integrity and confidentiality of all data stored on the device. Refer to CWEs 398, 478, 561, 563, 570, and 571 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000141-MAPP-000031_chk )
Perform a static program analysis to search for code that is never executed. This analysis must also:
- assess if there are any variables that are assigned values but are never used.
- search for expressions that are hard coded as TRUE or FALSE.

If the code analysis reveals unused code, variables that are assigned values but never used, or expressions that are hard coded as TRUE or FALSE, this is a finding.
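The SRG does not prescribe a tool or language for the static analysis above. The following is an added example, not part of the SRG or of any vendor tool, showing the three checks the text requires (unreachable code, assigned-but-never-read variables, conditions hard-coded to TRUE or FALSE) plus the "subroutines that are never invoked" criterion from the rule title, implemented over Python source with the standard library `ast` module. The sample source, the function names, and the `entry_points` allow-list (so that a program's entry point is not reported as uncalled) are all assumptions made for this example; approved third-party library code, which the rule exempts, would be excluded by simply not feeding those files to the analyzer.

```python
import ast

# Constructed sample input (not from the SRG): a helper that is used, a
# function that is never invoked, a variable assigned but never read, an
# if/while hard-coded to True/False, and a statement after a return.
SAMPLE_SOURCE = '''
def helper():
    return 1

def never_called():
    return 2

def main():
    unused = helper()
    total = 0
    if True:
        total += 1
    while False:
        total += 2
    return total
    print("dead")
'''

# Statements after which nothing else in the same block can execute.
TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)


def _unreachable(tree):
    """Line numbers of the first statement following a terminator in a block."""
    hits = []
    for node in ast.walk(tree):
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if not isinstance(block, list):
                continue  # e.g. Lambda.body is an expression, not a block
            for i, stmt in enumerate(block):
                if isinstance(stmt, TERMINATORS) and i + 1 < len(block):
                    hits.append(block[i + 1].lineno)
                    break
    return sorted(hits)


def _constant_conditions(tree):
    """if/while tests that are literal constants (TRUE/FALSE hard-coding)."""
    hits = [(node.lineno, node.test.value)
            for node in ast.walk(tree)
            if isinstance(node, (ast.If, ast.While))
            and isinstance(node.test, ast.Constant)]
    return sorted(hits, key=lambda hit: hit[0])


def _unused_variables(tree):
    """Per function: names stored (plain or augmented assignment) but never loaded."""
    hits = []
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        stored, loaded = {}, set()
        for node in ast.walk(func):
            if isinstance(node, ast.Name):
                if isinstance(node.ctx, ast.Store):
                    stored.setdefault(node.id, node.lineno)  # first assignment
                else:
                    loaded.add(node.id)
        hits.extend((name, line) for name, line in stored.items()
                    if name not in loaded)
    return hits


def _uncalled_functions(tree, entry_points):
    """Module-level functions that are defined but never called by name."""
    defined = {n.name: n.lineno for n in tree.body if isinstance(n, ast.FunctionDef)}
    called = {n.func.id for n in ast.walk(tree)
              if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
    return sorted((name, line) for name, line in defined.items()
                  if name not in called and name not in entry_points)


def analyze(source, entry_points=("main",)):
    """Run all four checks over one source file and group the hits by category."""
    tree = ast.parse(source)
    return {
        "unreachable": _unreachable(tree),
        "unused_vars": _unused_variables(tree),
        "constant_conditions": _constant_conditions(tree),
        "uncalled_functions": _uncalled_functions(tree, entry_points),
    }


def is_finding(report):
    """Per the check text, any hit in any category is a finding."""
    return any(report.values())


if __name__ == "__main__":
    report = analyze(SAMPLE_SOURCE)
    for category, hits in report.items():
        print(f"{category}: {hits}")
    print("FINDING" if is_finding(report) else "no finding")
```

Run over the constructed sample, the analyzer reports the `print` after `return` as unreachable, `unused` as assigned but never read, the `if True` and `while False` tests as constant conditions, and `never_called` as a defined but uninvoked function; `is_finding` then returns True. The checks are deliberately syntactic, which is what a first-pass static scan gives you: they will not see calls made through reflection, string-keyed dispatch tables, or code only reached from other modules, so a clean report from this pass is evidence to review, not proof that no dormant code is present.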
Fix Text (F-SRG-APP-000141-MAPP-000031_fix)
Modify the code to remove unused code, unused variables, and expressions whose logical value never changes (those hard coded as TRUE or FALSE).