Unless the MOS manages app signing, the mobile app installation package must be digitally signed in accordance with FIPS 186-3 approved methods.


Overview

Finding ID: SRG-APP-000516-MAPP-000078
Version: SRG-APP-000516-MAPP-000078
Rule ID: SRG-APP-000516-MAPP-000078_rule
IA Controls:
Severity: Medium
Description
One of the biggest risks on a mobile device is that it will execute malware that will compromise sensitive data on the device or enable subsequent attacks on other DoD information systems. One of the most effective means for preventing malware execution is to authenticate that software comes from a trusted source before it is installed. Digital signatures on software can be used to authenticate that the software comes from a trusted source. Signing the software in accordance with FIPS 186-3 provides additional assurance that the signature was affixed properly.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000516-MAPP-000078_chk )
Perform a static program analysis to assess if the installation package uses digital signatures. If there is no digital signature, or if the signature was performed in a manner inconsistent with the guidance in FIPS 186-3, this is a finding. If the static program analysis reveals the installation package is not FIPS 186-3 compliant with regard to its digital signatures and the algorithms used, this is a finding.
Fix Text (F-SRG-APP-000516-MAPP-000078_fix)
Digitally sign the application package using FIPS 186-3 approved methods.
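As an added example (not part of the SRG or its check procedure), the Python below encodes the FIPS 186-3 parameter sets so that signature metadata already extracted during the static analysis called for in the Check Text can be assessed mechanically. The record layout, field names and sample packages are constructed for illustration.

```python
"""Added example: apply the FIPS 186-3 signature requirement to signature
metadata extracted from mobile installation packages. The record layout
below is constructed; a real run fills it from the package's signing block."""

# FIPS 186-3 Sections 4.2 (DSA), 5.1 (RSA), 6.1.1 (ECDSA) and the
# FIPS 180-3 hash functions it references. DSA keys are (L, N) bit pairs.
DSA_LN = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}
RSA_NLEN = {1024, 2048, 3072}
EC_CURVES = {"P-192", "P-224", "P-256", "P-384", "P-521",
             "K-163", "K-233", "K-283", "K-409", "K-571",
             "B-163", "B-233", "B-283", "B-409", "B-571"}
HASHES = {"SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"}


def assess(sig):
    """Return (is_finding, reason) for one package's signature record.
    Constructed keys: 'algorithm' ('RSA', 'DSA', 'ECDSA' or None if unsigned),
    'hash', and 'bits' (RSA/DSA L), 'n_bits' (DSA N) or 'curve' (ECDSA)."""
    alg = sig.get("algorithm")
    if alg is None:
        return True, "package is not digitally signed"
    if sig.get("hash") not in HASHES:
        return True, f"hash {sig.get('hash')} is not a FIPS 180-3 hash"
    if alg == "RSA":
        ok, what = sig.get("bits") in RSA_NLEN, f"RSA modulus {sig.get('bits')} bits"
    elif alg == "DSA":
        ln = (sig.get("bits"), sig.get("n_bits"))
        ok, what = ln in DSA_LN, f"DSA (L,N)={ln}"
    elif alg == "ECDSA":
        ok, what = sig.get("curve") in EC_CURVES, f"ECDSA curve {sig.get('curve')}"
    else:
        return True, f"{alg} is not a FIPS 186-3 signature algorithm"
    return (not ok), what + (" is approved" if ok else " is not an approved parameter set")


# Constructed sample records, as a static-analysis step might report them.
SAMPLES = {
    "app-a.apk": {"algorithm": "RSA", "hash": "SHA-256", "bits": 2048},
    "app-b.apk": {"algorithm": "RSA", "hash": "MD5", "bits": 2048},
    "app-c.ipa": {"algorithm": "ECDSA", "hash": "SHA-256", "curve": "P-256"},
    "app-d.apk": {"algorithm": "ECDSA", "hash": "SHA-256", "curve": "secp256k1"},
    "app-e.apk": {"algorithm": None},
    "app-f.apk": {"algorithm": "RSA", "hash": "SHA-1", "bits": 512},
}


def audit(packages=SAMPLES):
    """Return {package: reason} for every package that is a finding."""
    return {name: assess(sig)[1] for name, sig in packages.items() if assess(sig)[0]}
```

Of the constructed samples, app-b (MD5 is not an approved hash), app-d (a curve outside the FIPS 186-3 set), app-e (unsigned) and app-f (512-bit RSA modulus) are reported as findings; app-a and app-c pass.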