
The mobile app must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display.


Overview

Finding ID: SRG-APP-000267-MAPP-000060
Version: SRG-APP-000267-MAPP-000060
Rule ID: SRG-APP-000267-MAPP-000060_rule
IA Controls: none listed
Severity: Medium
Description
Error messages that are transmitted outside of the app environment reveal weaknesses in the app and create the potential for exposure to malicious users. By default, many error messages contain data about the session, the ports, and the user and, in some instances, the user's authentication credentials. Through this control, any issues an app may have are disclosed only to the user and to the personnel who have access to the audit logs.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000267-MAPP-000060_chk )
Review the mobile app configuration, documentation, or code to determine if the app transmits any errors to any entity other than audit logs, the MDM, or user display. Do the following:
- launch the app
- create an error condition using incorrect input (fuzzing the input with automated tools is one method that could be applied)
- observe any error messages that result on screen
- observe where any log files containing error messages are stored.

If the analysis reveals that error messages are sent to an entity other than audit logs, the MDM, or user display, this is a finding.
Fix Text (F-SRG-APP-000267-MAPP-000060_fix)
Configure or code the mobile app to send error messages to authorized audit logs, the MDM, or the device display.
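The following is an added, platform-neutral sketch (not part of the STIG or any vendor SDK) of an error-reporting layer that enforces the three authorized destinations named in this requirement and redacts the session, port and credential details the description says raw error messages carry by default before anything reaches the device display. The sink names, the redaction patterns and the sample error string are constructed assumptions; a real app would bind the sinks to the platform logger and the MDM vendor's reporting API.

```python
"""Error-reporting policy sketch for SRG-APP-000267-MAPP-000060 (added example)."""
import re
from dataclasses import dataclass, field

# The only destinations this requirement authorizes for error messages.
AUTHORIZED_SINKS = frozenset({"audit_log", "mdm", "display"})

# Constructed patterns for the detail the STIG description says raw error
# messages carry by default: session identifiers, ports and credentials.
_REDACTIONS = [
    (re.compile(r"(session[_ -]?id\s*[=:]\s*)\S+", re.I), r"\1[REDACTED]"),
    (re.compile(r"(password|token|secret)\s*[=:]\s*\S+", re.I), r"\1=[REDACTED]"),
    (re.compile(r":\d{2,5}\b"), ":[PORT]"),
]


def redact(message: str) -> str:
    """Strip session, port and credential detail before user display."""
    for pattern, replacement in _REDACTIONS:
        message = pattern.sub(replacement, message)
    return message


@dataclass
class ErrorReporter:
    """Routes an error only to registered, authorized destinations."""

    sinks: dict = field(default_factory=dict)  # sink name -> callable(str)

    def register(self, name: str, sink) -> None:
        # Anything else (crash analytics, support e-mail, a vendor endpoint)
        # is exactly what the check text calls a finding, so refuse it here.
        if name not in AUTHORIZED_SINKS:
            raise ValueError(f"unauthorized error destination: {name}")
        self.sinks[name] = sink

    def report(self, raw_message: str) -> dict:
        """Deliver the error; full detail to audit log and MDM, redacted text to display.

        Returns a mapping of sink name -> text actually delivered, so a
        reviewer following the check text can confirm where messages went.
        """
        delivered = {}
        for name, sink in self.sinks.items():
            text = redact(raw_message) if name == "display" else raw_message
            sink(text)
            delivered[name] = text
        return delivered
```

Registering a sink outside the allowlist fails closed, which turns the "observe where error messages are stored" step of the check into something the app enforces rather than something a reviewer has to hunt for.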