
The mobile app must clear or overwrite memory blocks used to process potentially sensitive data. Sensitive data may include PII, a user's location, or authentication credentials.


Overview

Finding ID: SRG-APP-000516-MAPP-000067
Version: SRG-APP-000516-MAPP-000067
Rule ID: SRG-APP-000516-MAPP-000067_rule
IA Controls: (none listed)
Severity: Medium
Description
Sensitive data in memory should be cleared or overwritten to protect it from an attacker seeking ways to reach data that otherwise appears erased. Unless an app overwrites its memory blocks, an attacker can cause the app to crash and analyze a memory dump of the app for sensitive information. Clearing memory gives the DoD assurance that the app operates more securely, with greater protection applied to sensitive data, which is properly removed when no longer required. Additional overwriting requirements may apply to classified apps. Please refer to CWEs 14, 226, 244, and 591 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text (C-SRG-APP-000516-MAPP-000067_chk)
If the app does not contain sensitive data, this check is not applicable. Furthermore, if the MOS on which the app runs clears memory whenever an app releases memory, this check is not applicable. Otherwise, perform a dynamic program analysis of the app and assess how memory blocks are cleared of sensitive data. This will likely require the use of a MOS emulator. If the app releases memory blocks before clearing them, this is a finding.
Fix Text (F-SRG-APP-000516-MAPP-000067_fix)
Configure or code the mobile app to clear memory blocks used for storing sensitive data before the memory is released to other processes.
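The following is an added example illustrating the fix above; it is not code from the SRG or from DISA. It is written in C because the cited weaknesses concern native memory handling: CWE-14 (Compiler Removal of Code to Clear Buffers) describes how an optimizer may delete a plain memset() placed right before free() as a dead store, and CWE-244 (Improper Clearing of Heap Memory Before Release) is what a memory dump of a crashed app then exposes. The credential_t structure, the secret string and the function names are constructed for this illustration; the scrub goes through a volatile function pointer so the compiler cannot prove the store is unused and remove it.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Calling memset() through a volatile function pointer keeps the call in the
 * compiled binary: the optimizer cannot assume what the pointer targets at run
 * time, so it cannot treat the zeroing as a removable dead store (CWE-14).
 */
static void *(*const volatile secure_memset_ptr)(void *, int, size_t) = memset;

/* Overwrite n bytes at p with zeros in a way the optimizer will not drop. */
void secure_zero(void *p, size_t n)
{
    if (p != NULL && n != 0)
        secure_memset_ptr(p, 0, n);
}

/* Return 1 if every byte of the buffer is zero, else 0 (used to verify a scrub). */
int buffer_is_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;           /* OR-accumulate: no data-dependent early exit */
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Hypothetical credential holder: the secret lives in a heap block the app owns. */
typedef struct {
    unsigned char *secret;
    size_t len;
} credential_t;

/* Copy a (constructed) secret into a fresh heap block. Returns 0 on success. */
int credential_load(credential_t *c, const char *secret)
{
    c->len = strlen(secret);
    if (c->len == 0) {               /* nothing sensitive to hold */
        c->secret = NULL;
        return 0;
    }
    c->secret = malloc(c->len);
    if (c->secret == NULL) {
        c->len = 0;
        return -1;
    }
    memcpy(c->secret, secret, c->len);
    return 0;
}

/*
 * Scrub, verify, then release. Returns 1 if the block was confirmed all-zero
 * before it went back to the allocator (the condition the check text looks
 * for), or if there was nothing to scrub; returns 0 otherwise.
 */
int credential_release(credential_t *c)
{
    int clean = 1;
    if (c->secret != NULL) {
        secure_zero(c->secret, c->len);
        /* Verify before free(), never after: reading freed memory is undefined. */
        clean = buffer_is_zero(c->secret, c->len);
        free(c->secret);
    }
    c->secret = NULL;
    c->len = 0;
    return clean;
}

int main(void)
{
    credential_t c;
    if (credential_load(&c, "constructed-example-token") != 0)
        return 1;
    /* ... the app authenticates with the credential here ... */
    return credential_release(&c) ? 0 : 1;
}
```

The same secure_zero() should be applied to stack buffers (for example a password entered into a local char array) before the function returns, since those bytes also survive in a crash dump. During the dynamic analysis the check text calls for, the verification step in credential_release() gives a concrete point at which an emulator breakpoint can confirm the block is zero before free() runs.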