Vetting of mobile application risks used by DISA

Mobile Application Security Requirements Guide

Overview

Version: 2
Date: 2014-07-22
Finding Count: 37
STIG Description
The Mobile Application Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Available Profiles

Classification levels: Classified, Public, Sensitive

I - Mission Critical Classified
I - Mission Critical Public
I - Mission Critical Sensitive
II - Mission Support Classified
II - Mission Support Public
II - Mission Support Sensitive
III - Administrative Classified
III - Administrative Public
III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Each finding is listed with its Finding ID, severity, title, and description.

SRG-APP-000057-MAPP-000017 | Medium
Title: The mobile app must enforce organization-defined limitations on the embedding of data types within other data types.
Description: Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and.

SRG-APP-000393-MAPP-000100 | Medium
Title: The mobile app must implement organization-defined out-of-band authentication under organization-defined conditions.
Description: Out-of-band authentication uses two separate networks or channels to communicate between two parties or devices. For example, a user can access a site through a network connection, and a one-time.

SRG-APP-000439-MAPP-000100 | Medium
Title: The mobile app must protect the confidentiality and integrity of transmitted information.
Description: Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered. Communication.

SRG-APP-000141-MAPP-000031 | Medium
Title: The mobile app must not include source code, unreferenced code or subroutines that are never invoked during operation, except for software components and libraries from approved third-party products.
Description: Unused software and libraries increase a program's size without any benefit and, furthermore, may contain malicious code that would later be executed and compromise the app and all stored data.

SRG-APP-000033-MAPP-000010 | Medium
Title: The mobile app must not modify, request, or assign values for operating system parameters unless necessary to perform application functions.
Description: A mobile app that operates with the privileges of its host OS is vulnerable to integrity issues and escalated privileges that would affect the entire platform and device. If the app is able to.

SRG-APP-000033-MAPP-000011 | Medium
Title: The mobile app must not execute as a privileged operating system process unless necessary to perform any app functions.
Description: A mobile app that operates with the privileges of its host OS will make the OS, device, and other apps vulnerable to such issues as escalated privileges that would affect the entire platform and.

SRG-APP-000133-MAPP-000030 | Medium
Title: The mobile app must not enable other applications or non-privileged processes to modify software libraries.
Description: Many apps leverage software libraries to perform app functions. If the app makes these library files world writeable or otherwise allows unauthorized changes, then other processes on the device.

SRG-APP-000342-MAPP-000100 | Medium
Title: The mobile app must prevent organization-defined software from executing at higher privilege levels than users executing the software.
Description: In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher.

SRG-APP-000516-MAPP-000069 | Medium
Title: The mobile app must not call functions vulnerable to buffer overflows.
Description: Buffer overflow attacks occur when improperly validated input is passed to an app, overwriting memory. Buffer overflow errors stop execution of the app causing a minimum of denial of service and.

SRG-APP-000516-MAPP-000068 | Medium
Title: The mobile app must not be vulnerable to integer arithmetic vulnerabilities.
Description: Integer overflows occur when an integer has not been properly checked and is used in memory allocation, copying, and concatenation. Also, when incrementing integers past their maximum possible.

SRG-APP-000516-MAPP-000041 | Medium
Title: Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or Class 4 certificates and hardware tokens that protect the user's private key.
Description: Class 3 and 4 certificates are issued by individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). A hardware token offers an additional layer of.

SRG-APP-000516-MAPP-000040 | Medium
Title: Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.
Description: Class 3 certificates are issued to individuals, organizations, servers, devices, and administrators for CAs and root authorities (RAs). Class 3 certificates undergo independent verification and.

SRG-APP-000516-MAPP-000065 | Medium
Title: The mobile app must remove temporary files when it terminates.
Description: Temporary files left on the system after an app has terminated may contain sensitive information. Such sensitive information includes authentication credentials or session identifiers that would.

SRG-APP-000516-MAPP-000064 | Medium
Title: The mobile app code must not contain hardcoded references to resources external to the app.
Description: Hardcoded resources include URLs and path references to files outside of the app environment. An adversary who is aware of such references can attack the app by breaching the external resource it.

SRG-APP-000516-MAPP-000067 | Medium
Title: The mobile app must clear or overwrite memory blocks used to process potentially sensitive data.
Description: Sensitive data may include PII, a user's location, or authentication credentials. Sensitive data in memory should be cleared or overwritten to protect data that may be available to an attacker seeking ways to gain access to data that otherwise appears erased. Unless an app can.

SRG-APP-000516-MAPP-000066 | Medium
Title: The mobile app must remove cookies or information used to track a user's identity when it terminates.
Description: If the app does not remove temporary data, such as authentication data, temporary files containing sensitive data, and cookies, the data can be used again if the device is lost or stolen. Such.

SRG-APP-000033-MAPP-000012 | Medium
Title: A mobile app must not call APIs or otherwise invoke resources external to the mobile app unless such activity serves the documented purposes of the mobile app.
Description: A mobile app that does not operate within what should be appropriate limits will inadvertently expose the device and all stored data to non-secure domains, as well as provide a path for a.

SRG-APP-000388-MAPP-000100 | Medium
Title: The mobile app, when conditions defined in CCI-0002856, CP-12 are detected, must enter a safe mode of operation defined in CCI-0002857, CP-12.
Description: Configuring the app to revert to a predetermined safe mode of operation helps ensure continuity of critical operations during adverse conditions. For apps supporting mission-critical functions.

SRG-APP-000267-MAPP-000060 | Medium
Title: The mobile app must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display.
Description: Error messages that are transmitted outside of the app environment reveal weaknesses in the app that will offer the potential for exposure to malicious users. By default many error messages.

SRG-APP-000243-MAPP-000049 | Medium
Title: The mobile app must not write data to persistent memory accessible to other applications.
Description: Persistent memory is memory that retains data even when the device is no longer powered on. It is often referred to as non-volatile memory and is typically used for file storage. If the app shares.

SRG-APP-000514-MAPP-000100 | Medium
Title: If the underlying MOS does not provide NIST FIPS-validated crypto modules, the mobile app must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Description: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The app must implement cryptographic modules adhering to the higher standards.

SRG-APP-000449-MAPP-000100 | Medium
Title: The mobile app must validate information output from software programs and/or applications defined in SI-15, CCI-0002770 to ensure the information is consistent with the expected content.
Description: Certain types of cyber attacks (e.g., SQL injections) produce output results that are unexpected or inconsistent with the output results that would normally be expected from software programs or.

SRG-APP-000392-MAPP-000100 | Medium
Title: The mobile app must electronically verify Personal Identity Verification (PIV) credentials.
Description: The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. The DoD has mandated the use of the CAC to support identity management and personal.

SRG-APP-000225-MAPP-000047 | Medium
Title: The mobile app must fail to an initial state when the application unexpectedly terminates, unless it maintains a secure state at all times.
Description: An app maintains a secure state when there is strong assurance that each of its state transitions is consistent with the app's security policy. For many mobile apps, the only state for which the.

SRG-APP-000391-MAPP-000100 | Medium
Title: The mobile app must accept Public Key Infrastructure (PKI) credentials.
Description: The use of PKI credentials facilitates standardization and reduces the risk of unauthorized access. The DoD has mandated the use of the CAC to support identity management and personal.

SRG-APP-000142-MAPP-000032 | Medium
Title: The mobile app must utilize ports or protocols in a manner consistent with DoD Ports and Protocols guidance.
Description: Failure to comply with DoD Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and associated vulnerability assessments may result in compromise of mobile protections or.

SRG-APP-000372-MAPP-000100 | Medium
Title: The mobile app must synchronize internal information system clocks to the MOS-based authoritative time source.
Description: Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when.

SRG-APP-000516-MAPP-000034 | Medium
Title: The mobile app must not lock or set permissions on application files in a manner such that the operating system or an approved backup application cannot copy the files.
Description: If the app is able to lock files or modify file permissions in a manner that prevents higher-level system operations, such as backup and copying, from taking place, then the potential exists for.

SRG-APP-000416-MAPP-000100 | Medium
Title: The mobile app must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Description: Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The app must implement cryptographic modules adhering to the higher standards.

SRG-APP-000516-MAPP-000038 | Medium
Title: Mobile apps involved in the production, control, and distribution of symmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes.
Description: Symmetric cryptographic keys must be managed according to approved processes using approved technology, to ensure malicious intruders do not take advantage of any network resource exposure that.

SRG-APP-000516-MAPP-000039 | Medium
Title: Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use NIST-approved or NSA-approved key management technology and processes.
Description: Asymmetric cryptographic keys must be managed according to approved processes using approved technology, to ensure malicious intruders do not take advantage of any network resource exposure that.

SRG-APP-000516-MAPP-000078 | Medium
Title: Unless the MOS manages app signing, the mobile app installation package must be digitally signed in accordance with FIPS 186-3 approved methods.
Description: One of the biggest risks on a mobile device is that it will execute malware that will compromise sensitive data on the device or enable subsequent attacks on other DoD information systems. One.

SRG-APP-000516-MAPP-000077 | Medium
Title: The mobile app source code must not contain adware or known malware.
Description: Malware will compromise the app data, device, and system. Under no circumstances will any code that is known to contain adware or malware be used. The entire application ecosystem will operate.

SRG-APP-000381-MAPP-000010 | Medium
Title: The mobile app must not change the file permissions of any files other than those dedicated to its own operation.
Description: A file's access level is pivotal to a mobile app and its data's security. The modification of a file's permission must be strictly controlled in an effort to maintain the integrity and.

SRG-APP-000516-MAPP-000075 | Medium
Title: The mobile app must not record or forward sensor data unless explicitly authorized to do so.
Description: Sensors include the GPS, gyroscope, accelerometer, camera, and microphone. When sensor data is either recorded locally or sent to a remote server, the potential exists for an adversary to obtain.

SRG-APP-000516-MAPP-000073 | Medium
Title: The mobile app must initialize all parameter values on startup.
Description: A mobile app could be compromised, providing an attack vector to it, if the app initialization process is not designed to keep the app in both a secure and functional state. Any operating.

SRG-APP-000516-MAPP-000071 | Medium
Title: The mobile app must not be vulnerable to race conditions.
Description: A race condition occurs when an app receives two or more actions on the same resource in an unanticipated order, which causes a conflict. Sometimes, the resource is locked by different users or.
