Check: SRG-APP-000146-MAPP-00034
Mobile Application SRG: SRG-APP-000146-MAPP-00034 (version v1 r1)
Title
The mobile application must not lock or set permissions on application files in a manner such that the operating system or an approved backup application cannot copy the files. (Cat III impact)
Discussion
If the application can lock files or modify file permissions in a way that prevents higher-level system operations, such as backup and copying, from taking place, then the data may be lost. This condition may also amount to a denial of service if the operating system cannot recover the locked areas, leaving fewer resources for other processes. Applying this control ensures that the system can carry out its overarching control and functional procedures regardless of any privileges the application, the user, or an intruder may hold. The control must be employed judiciously: file access should not be so broad that non-approved applications can read the files (e.g., by setting files to world readable).
Check Content
Perform a static program analysis to assess the application's ability to lock files or set file permissions in a way that would prevent the OS and other approved applications from performing copy and backup functions. If the application has the ability to set and lock file permissions in this way, this is a finding.
Fix Text
Modify the code so that the mobile operating system (MOS) or an approved backup application is not prevented from copying application files.
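As an added illustration of the static check described above (example code, not part of the SRG), a small Python scanner that flags the source constructs most relevant to this requirement in Java/Android code. The pattern list and the sample source it scans are constructed assumptions; a real review would extend the patterns for the platform under test.

```python
"""Minimal static check for SRG-APP-000146-MAPP-00034 (added example)."""
import re

# Assumed pattern set: each maps a source construct to why it matters here.
PATTERNS = [
    # Restricting permissions so the MOS or backup app may be unable to copy.
    (r"\.setReadable\(\s*false", "removes read permission (may block OS/backup copy)"),
    (r"\.setWritable\(\s*false", "removes write permission (may block restore)"),
    (r"Runtime\.getRuntime\(\)\.exec\([^)]*chmod", "shells out to chmod"),
    (r"Files\.setPosixFilePermissions\(", "sets POSIX permissions directly"),
    (r"\.lock\(\)|\.tryLock\(", "acquires a file lock (may block copy while held)"),
    # The opposite failure the Discussion warns about: world-accessible files.
    (r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE", "world-accessible file mode"),
]


def scan_source(text):
    """Return (line number, reason, source line) for every flagged line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # whole-line comments are not executable code
        for pattern, why in PATTERNS:
            if re.search(pattern, line):
                findings.append((lineno, why, stripped))
    return findings


# Constructed sample of Android/Java source, not taken from any real app.
SAMPLE = """\
File f = new File(getFilesDir(), "notes.db");
f.setReadable(false, false);                 // owner loses read: backup cannot copy
FileChannel ch = new RandomAccessFile(f, "rw").getChannel();
FileLock lk = ch.lock();                     // held for the app's lifetime
openFileOutput("cache.txt", MODE_WORLD_READABLE);
openFileOutput("prefs.txt", MODE_PRIVATE);   // owner-only: acceptable
// f.setWritable(false);                     // commented out, not flagged
"""

if __name__ == "__main__":
    for lineno, why, src in scan_source(SAMPLE):
        print(f"line {lineno}: {why}\n    {src}")
```

Each hit is a candidate finding for manual confirmation, since a lock released promptly or a permission change on a temporary file may be acceptable.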
Additional Identifiers
Rule ID: SV-46685r1_rule
Vulnerability ID: V-35398
CCIs
Number | Definition
---|---
CCI-000537 | Conduct backups of system-level information contained in the system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
Controls
Number | Title
---|---
CP-9 | Information System Backup