UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The mobile operating system must validate the integrity of a downloaded applications manifest before granting the application permissions on the device, if the operating system uses a manifest or similar mechanism external to application code to grant application permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-33168 SRG-OS-000178-MOS-000100 SV-43566r1_rule Medium
Description
If an adversary can modify an application's manifest (when the mobile OS supports this approach), then the adversary can add additional permissions that would enable it to perform unauthorized functions. These functions could enable the adversary to obtain sensitive information or compromise other aspects of system security. Validating the integrity of the manifest or similar technology mitigates the risk that an adversary has modified its contents. The SHA-1, SHA-224, SHA-256, and SHA-512 secure hash algorithms are acceptable mechanisms for verifying integrity.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text ( C-41429r1_chk )
Review system documentation, operating system configuration, and other IA information resources to determine if the operating system validates the integrity of any permissions related information that is associated with an application but not embedded in application code. The SHA-1, SHA-224, SHA-256, and SHA-512 secure hash algorithms are acceptable mechanisms for verifying integrity. If it is determined that the integrity check is not occurring, this is a finding.
Fix Text (F-37068r1_fix)
Configure the mobile operating system to validate the integrity of mechanisms to grant application permissions to applications.