
The mobile operating system must validate the digital signature on signed software components or applications.


Overview

Finding ID: V-33202
Version: SRG-OS-000209-MOS-000112
Rule ID: SV-43602r1_rule
IA Controls:
Severity: Medium
Description
Digital signatures on software components and applications are a primary means of determining that the code comes from a trusted source and has not been modified. If the operating system does not validate these digital signatures, then there is the potential for malware to infiltrate the device. Validating digital signatures assures that the digital signature control properly mitigates the risk that malware will be installed or executed on the system.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41465r1_chk)
Review system documentation and operating system configuration to determine if the digital signatures on software components and applications are being validated. If higher assurance is required, provide the operating system with a software application that has an invalid signature to verify the operating system can detect the invalid signature. If the system fails this test, or if documentation or configuration shows that the capability is not present, this is a finding.
Fix Text (F-37105r1_fix)
Configure the operating system to validate the digital signature on signed software components or applications.