
The mobile app must fail to an initial state when the application unexpectedly terminates, unless it maintains a secure state at all times.


Overview

Finding ID: SRG-APP-000225-MAPP-000047
Version: SRG-APP-000225-MAPP-000047
Rule ID: SRG-APP-000225-MAPP-000047_rule
IA Controls: (none listed)
Severity: Medium
Description
An app maintains a secure state when there is strong assurance that each of its state transitions is consistent with the app's security policy. Many mobile apps have no documented security policy for state transitions, so the initial state is the only state known to be compliant. If initialization, shutdown, and aborts are not designed to keep the app in a secure state, the app can be compromised and become an attack vector against the app and the OS. If the app fails without closing its processes or open sessions, its authentication and validation mechanisms are considered weak and do not provide sufficient protection against unauthorized access to the application and all stored data. Applying this control returns the app to its initial level of security when it crashes or terminates, which mitigates the threat of an unauthorized user taking control of the device, accessing the app and its stored data, and compromising their integrity and confidentiality.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000225-MAPP-000047_chk )
For apps that do not maintain a secure state at all times, perform dynamic program analysis: carry out transactions so that the app is in a state other than its initial state, then use OS controls to terminate the app or to create conditions that force it to terminate or crash. Restart the app and examine it to determine whether it is in its initial state. If it is not in its initial state, this is a finding.
Fix Text (F-SRG-APP-000225-MAPP-000047_fix)
Modify the code to ensure the app returns to a secure, initial state upon unexpected termination.
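The following is an added example, not DISA's or any vendor's code, showing one way to implement the fix and to exercise the check procedure above in one place. It models a hypothetical app (the names PersistentStore, App, CLEAN_SHUTDOWN and restart_after are all invented here) that writes non-secret progress to a preference-style file as the user works, and records a clean-shutdown marker only when its own shutdown path runs. At every launch the app treats persisted progress as untrusted unless the marker is set, so an OS kill or crash lands it back in the initial, unauthenticated state; the authenticated session is never persisted at all. The check from the STIG is reproduced by driving the app out of its initial state, dropping the process without calling shutdown(), and relaunching.

```python
"""Added example (not part of the STIG): a clean-shutdown marker that makes a
hypothetical app fail to its initial state after unexpected termination."""
import json
import os
import tempfile

# Marker key in the persistent store. It is True only between a call to
# shutdown() and the next launch; every write made while running sets it False.
CLEAN_SHUTDOWN = "clean_shutdown"


class PersistentStore:
    """Tiny JSON-file store standing in for SharedPreferences / NSUserDefaults (assumed)."""

    def __init__(self, path):
        self.path = path

    def load(self):
        if not os.path.exists(self.path):
            return {}
        with open(self.path) as f:
            return json.load(f)

    def save(self, data):
        # Write-then-rename so a crash mid-write never leaves a half-written file behind.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(data, f)
        os.replace(tmp, self.path)


class App:
    @staticmethod
    def initial_state():
        # The one state known to comply with policy: unauthenticated, nothing in progress.
        return {"screen": "login", "user": None, "cart": []}

    def __init__(self, store):
        self.store = store
        self.state = self._launch()

    def _launch(self):
        saved = self.store.load()
        state = self.initial_state()
        if saved.get(CLEAN_SHUTDOWN) is True:
            # Previous run ended through shutdown(): restore only what policy allows
            # (the non-secret cart). The authenticated session is never restored.
            state["cart"] = list(saved.get("cart", []))
        # Otherwise (first run, crash, OS kill) persisted progress is untrusted: keep initial state.
        # Clear the marker now so a crash during *this* run is detected at the next launch.
        self.store.save({CLEAN_SHUTDOWN: False, "cart": state["cart"]})
        return state

    def _persist_progress(self):
        # Runtime writes always carry marker=False; only shutdown() may set it True.
        self.store.save({CLEAN_SHUTDOWN: False, "cart": self.state["cart"]})

    def login(self, user):
        self.state["user"] = user        # kept in memory only, never written to the store
        self.state["screen"] = "home"

    def add_to_cart(self, item):
        self.state["cart"].append(item)
        self.state["screen"] = "cart"
        self._persist_progress()

    def shutdown(self):
        # The only transition that marks the persisted progress as trustworthy.
        self.store.save({CLEAN_SHUTDOWN: True, "cart": self.state["cart"]})
        self.state = self.initial_state()


def restart_after(clean):
    """Run the STIG check: leave the initial state, end the process (cleanly or not), relaunch."""
    with tempfile.TemporaryDirectory() as d:   # constructed scratch location for the store
        store = PersistentStore(os.path.join(d, "app_state.json"))
        app = App(store)
        app.login("alice")
        app.add_to_cart("widget")
        assert app.state != App.initial_state()  # precondition: app is in a non-initial state
        if clean:
            app.shutdown()
        del app  # unclean case: the OS kills the process and shutdown() never runs
        return App(store).state


if __name__ == "__main__":
    print("after crash:", restart_after(clean=False))    # initial state: not a finding
    print("after clean exit:", restart_after(clean=True))  # cart restored, still logged out
```

The marker must be cleared at launch and never set by any runtime write; if it were left True while the app runs, a later crash would be indistinguishable from a clean exit and the stale progress would be trusted. Note also that the app still re-authenticates after a clean exit, since restoring a session from disk is what the check is meant to catch.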