The mobile operating system must grant a downloaded application only the permissions that DoD has authorized for that application.


Overview

Finding ID: V-33167
Version: SRG-OS-000177-MOS-000099
Rule ID: SV-43565r1_rule
IA Controls:
Severity: Medium
Description
Mobile operating system applications that are able to perform unintended functions may be able to obtain sensitive information or otherwise compromise system security. The permissions that an application requires to perform its function may be delineated in a permissions manifest or in entitlements that are either bound to the application or embedded in its code. Enforcing these permissions limitations is necessary to ensure the application is not permitted to perform unintended functions.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text (C-41427r1_chk)
Review IA information resources to determine if the operating system enforces privileges as advertised. Use an integrity tool to determine if an application is permitted to perform restricted functions. If it is determined that the authorized permissions are not enforced, this is a finding.
Fix Text (F-37066r1_fix)
Configure the mobile operating system to only grant an application those permissions that DoD has authorized for that application.