The mobile operating system must enforce a mandatory access control (MAC) policy that prohibits any application from accessing the data or code of another application unless such data or code has been expressly allowed by the policy to be a shared resource.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-32916 | SRG-OS-000007-MOS-000003 | SV-43314r1_rule | Medium |
| Description |
|---|
| When an application has the ability to access the data and code of another application, it may use that access improperly to obtain sensitive DoD data or perform unauthorized functions, including attacks on the mobile device and possibly remote systems as well. Most malware depends on this type of unauthorized access to carry out its malicious objectives. MAC-based application sandboxing or isolation greatly reduces the ability of malware to compromise system security. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41225r1_chk ) |
|---|
| Review OS documentation to determine if the OS supports MAC related to application sandboxing or isolation. Review the MAC policy to ascertain whether programs have the potential to access the data or code of another application. If the OS does not support MAC, or it is possible for an application to access the data or code of other non-shared applications, this is a finding. |
| Fix Text (F-36835r1_fix) |
|---|
| Configure the mobile operating system to enforce mandatory access controls (MAC) prohibiting any application from accessing the data or code of another application unless such data or code has been expressly allowed by the policy to be a shared resource. |