The mobile operating system must validate the integrity of a downloaded applications manifest before granting the application permissions on the device, if the operating system uses a manifest or similar mechanism external to application code to grant application permissions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33168 | SRG-OS-000178-MOS-000100 | SV-43566r1_rule | Medium |
| Description |
|---|
| If an adversary can modify an application's manifest (when the mobile OS supports this approach), then the adversary can add additional permissions that would enable it to perform unauthorized functions. These functions could enable the adversary to obtain sensitive information or compromise other aspects of system security. Validating the integrity of the manifest or similar technology mitigates the risk that an adversary has modified its contents. The SHA-1, SHA-224, SHA-256, and SHA-512 secure hash algorithms are acceptable mechanisms for verifying integrity. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2013-07-03 |
Details
| Check Text ( C-41429r1_chk ) |
|---|
| Review system documentation, operating system configuration, and other IA information resources to determine if the operating system validates the integrity of any permissions related information that is associated with an application but not embedded in application code. The SHA-1, SHA-224, SHA-256, and SHA-512 secure hash algorithms are acceptable mechanisms for verifying integrity. If it is determined that the integrity check is not occurring, this is a finding. |
| Fix Text (F-37068r1_fix) |
|---|
| Configure the mobile operating system to validate the integrity of mechanisms to grant application permissions to applications. |