
The mobile operating system must give the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid.


Overview

Finding ID: V-32991
Version: SRG-OS-000066-MOS-000039
Rule ID: SV-43389r1_rule
IA Controls: (none listed)
Severity: Medium
Description
If the user is made aware that a certificate is invalid, the user can opt not to proceed or, alternatively, is better prepared to recognize suspicious behavior that indicates an IA incident is in progress. Failing to notify the user of an invalid certificate makes it more likely that an adversary can launch an attack from an untrusted system. If the mobile operating system accepts invalid certificates, the potential exists that the system presenting the certificate is malicious and can compromise sensitive information or system integrity. Allowing the operating system or the user to deny invalid certificates mitigates the risk associated with accepting such certificates.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41288r1_chk)
Inspect the mobile operating system configuration for providing the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid. If the operating system does not give the user the option to reject the certificate when it is invalid, this is a finding.
Fix Text (F-36903r1_fix)
Configure the mobile operating system to give the user the option to deny acceptance of a certificate if the mobile operating system determines that the certificate is invalid.