
Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.


Overview

Finding ID: SRG-APP-000516-MAPP-000040
Version: SRG-APP-000516-MAPP-000040
Rule ID: SRG-APP-000516-MAPP-000040_rule
IA Controls:
Severity: Medium
Description
Class 3 certificates are issued to individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). Class 3 certificates undergo independent verification and checking of identity and authority, which is performed by the issuing certificate authority (CA). Networks and applications not using Class 3 certificates are vulnerable to a multitude of malicious attacks that would essentially allow unauthorized access to and intrusion into a network. Similarly, using approved PKI Class 3 certificates ensures malicious intruders do not take advantage of any network resource exposure that may occur as a result of non-standard practices and tools being applied. In applying this control, the use of approved PKI Class 3 certificates will assure authentication; message, data, and content integrity; and confidentiality through encryption.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000516-MAPP-000040_chk )
For mobile apps that are involved in the production, control, and distribution of asymmetric cryptographic keys, perform a documentation review to assess whether the app uses approved Class 3 certificates or prepositioned keying material. The documentation review also includes assessing whether the key management technology present in the app has a JITC certification. If the documentation review is inconclusive, perform a dynamic program analysis to assess whether the app uses approved Class 3 certificates or prepositioned keying material. If the dynamic program analysis cannot be performed or its results are inconclusive, carry out a static program analysis to assess whether the app contains functional code, routines, and functions that enable it to use approved Class 3 certificates or prepositioned keying material. If the documentation review, dynamic program analysis, and/or static program analysis reveal that the app is unable to or does not use approved PKI Class 3 certificates or prepositioned keying material, this is a finding.
Fix Text (F-SRG-APP-000516-MAPP-000040_fix)
Modify the mobile app code to ensure it uses approved Class 3 certificates or prepositioned keying material.
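One way to apply this fix on Android, as an added example that is not part of the STIG: the approved CA certificate is prepositioned in the app as a raw resource (the resource id and the class name ApprovedPkiClient are assumptions), and every TLS connection is validated only against that anchor rather than the platform trust store, so a server chain issued under any other CA is rejected.

```java
import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a TLS context whose only trust anchor is the approved CA certificate bundled with the app. */
public final class ApprovedPkiClient {

    private ApprovedPkiClient() {}

    /**
     * Loads the prepositioned CA certificate (assumed to be a DER/PEM file under res/raw, e.g.
     * R.raw.approved_ca) and returns an SSLContext that rejects any server chain not issued under it.
     */
    public static SSLContext approvedPkiContext(Context context, int rawResourceId)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate approvedCa;
        try (InputStream in = context.getResources().openRawResource(rawResourceId)) {
            approvedCa = cf.generateCertificate(in);
        }

        // A fresh, empty key store holding only the approved CA: the platform trust store is never consulted.
        KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
        anchors.load(null, null);
        anchors.setCertificateEntry("approved-class3-ca", approvedCa);

        // The default X509 trust manager performs full chain building, signature and validity checks
        // against the single anchor above; no custom accept-all TrustManager is involved.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection that is validated only against the approved CA. */
    public static HttpsURLConnection open(Context context, int rawResourceId, String url)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(approvedPkiContext(context, rawResourceId).getSocketFactory());
        return conn;
    }
}
```

During the dynamic analysis step of the check, a connection made through this client to a server presenting a certificate from any other CA fails the handshake, which is the observable behaviour the reviewer is looking for.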