The mobile app must not be vulnerable to race conditions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-APP-000516-MAPP-000071	SRG-APP-000516-MAPP-000071	SRG-APP-000516-MAPP-000071_rule		Medium

Description
A race condition occurs when an app receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the app, creating a deadlock situation. Racing can occur when the design uses global variables in place of local variables, or a multi-threaded app does not use thread safe functions when threads are accessing the same object or data, as two examples. Applying this control, the DoD is protected against situations that would reduce the security posture of the app, device, data, and network as a result of security-related components not able to function as a result of the race condition. Furthermore, the user is also protected against access and availability issues that result from the app or certain components of the app from functioning correctly as a result of the race condition. Examples of race conditions vulnerabilities can be obtained from the OWASP website at https://www.owasp.org.

Description

A race condition occurs when an app receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the app, creating a deadlock situation. Racing can occur when the design uses global variables in place of local variables, or a multi-threaded app does not use thread safe functions when threads are accessing the same object or data, as two examples. Applying this control, the DoD is protected against situations that would reduce the security posture of the app, device, data, and network as a result of security-related components not able to function as a result of the race condition. Furthermore, the user is also protected against access and availability issues that result from the app or certain components of the app from functioning correctly as a result of the race condition. Examples of race conditions vulnerabilities can be obtained from the OWASP website at https://www.owasp.org.

STIG	Date
Mobile Application Security Requirements Guide	2014-07-22

Details

Check Text ( C-SRG-APP-000516-MAPP-000071_chk )
If the app does not use multiple threads or if it runs on a MOS that does not support multiple threads, then this control is not applicable. If the operating system is not multi-threaded or never runs more than one app at a time, or effectively mitigates risk through some other mechanism, then the requirement is non-applicable. Perform a review of the documentation to understand how the app manages and is designed around the following items: - Race conditions - Using global variables when local variables could be used - Multi-threaded app uses thread safe functions - Global resources being locked before being accessed by the application Global objects and resources - Multiple threads or processes are accessing the same object - Resources created in common areas - Overly permissive ACLs If the documentation review cannot be carried out or is inconclusive, perform a static program analysis to assess how the app approaches each of the above items. Dynamic program analysis may also be useful to determine if race conditions are realized during operation. If the documentation and static program analysis reveal that the app design is reasonably likely to result in a race condition, this is a finding.

Check Text ( C-SRG-APP-000516-MAPP-000071_chk )

If the app does not use multiple threads or if it runs on a MOS that does not support multiple threads, then this control is not applicable. If the operating system is not multi-threaded or never runs more than one app at a time, or effectively mitigates risk through some other mechanism, then the requirement is non-applicable.

Perform a review of the documentation to understand how the app manages and is designed around the following items:
- Race conditions
- Using global variables when local variables could be used
- Multi-threaded app uses thread safe functions
- Global resources being locked before being accessed by the application Global objects and resources
- Multiple threads or processes are accessing the same object
- Resources created in common areas
- Overly permissive ACLs

If the documentation review cannot be carried out or is inconclusive, perform a static program analysis to assess how the app approaches each of the above items. Dynamic program analysis may also be useful to determine if race conditions are realized during operation. If the documentation and static program analysis reveal that the app design is reasonably likely to result in a race condition, this is a finding.

Fix Text (F-SRG-APP-000516-MAPP-000071_fix)
Remove any race conditions from the code.