Check: SRG-APP-000133-MAPP-00030
Mobile Application SRG: SRG-APP-000133-MAPP-00030 (in version v1 r1)
Title
The mobile application must not enable other applications or non-privileged processes to modify software libraries. (Cat II impact)
Discussion
Many applications leverage software libraries to perform application functions. If the application makes these library files world-writable or otherwise allows unauthorized changes, other processes on the device could modify a library to give the application capabilities it did not have originally. Those capabilities might enable the application to exfiltrate sensitive DoD information or permit privilege escalation, possibly leading to attacks on additional systems. Libraries could be modified either because the application enables other applications to do so or because the application itself allows the user to do so. Implementing this control prevents applications from acquiring capabilities for which they were not originally authorized. Please refer to CWEs 250, 265, 272, and 284. The MAPP SRG Overview contains additional information on the use of CWEs.
Check Content
Perform a documentation review to assess whether the application enables other applications or non-privileged processes to modify its software libraries. If the application functional requirements review cannot be carried out or is inconclusive, perform a static program analysis to assess whether code exists that invokes other applications or other non-privileged processes in a way that enables them to modify software libraries. If the application's functional requirements review and/or the static program analysis reveals that the application can enable other applications or non-privileged processes to modify software libraries, this is a finding.
Fix Text
Modify the code or installation configuration files so that access to the application's software libraries is limited to the application itself.
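An installation-level check that complements the documentation review and static analysis above, added here as an example and not part of the SRG: it walks an application's library directory and reports any directory or library file whose mode lets group or other users write to it, whose owner differs from the application's uid, or that is a symbolic link. The library suffixes, the function names and the constructed fixture in demo() are assumptions.

```python
import os
import stat
import tempfile

# Assumed library suffixes; extend for the platform under review.
LIBRARY_SUFFIXES = (".so", ".dylib", ".jar", ".dex")

def _writable_by_others(mode):
    """True if the group or world write bit is set in a stat mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_library_dir(root, expected_uid=None):
    """Return sorted (relative_path, reason) findings for library files under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # A writable directory lets another process replace a read-only library inside it.
        dir_st = os.lstat(dirpath)
        if _writable_by_others(dir_st.st_mode):
            findings.append((os.path.relpath(dirpath, root), "directory writable by group/others"))
        for name in filenames:
            if not name.endswith(LIBRARY_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # The link target may live outside the application's control.
                findings.append((rel, "symbolic link"))
                continue
            if _writable_by_others(st.st_mode):
                findings.append((rel, "writable by group/others (mode %o)" % stat.S_IMODE(st.st_mode)))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((rel, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)))
    return sorted(findings)

def demo():
    """Audit a constructed fixture (not a real application) and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        libdir = os.path.join(root, "lib")
        os.mkdir(libdir, 0o755)
        good = os.path.join(libdir, "libcrypto.so")
        bad = os.path.join(libdir, "libplugin.so")
        for path in (good, bad):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF")  # constructed placeholder, not a real library
        os.chmod(good, 0o644)
        os.chmod(bad, 0o666)  # world-writable: the weakness this check targets
        return audit_library_dir(root, expected_uid=os.getuid())
```

Run audit_library_dir() against the application's installed library path with the uid the application runs as; any finding is a candidate for this check.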
Additional Identifiers
Rule ID: SV-46664r1_rule
Vulnerability ID: V-35377
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001499 | Limit privileges to change software resident within software libraries.
Controls
Number | Title
---|---
CM-5(6) | Limit Library Privileges