Check: SRG-APP-999999-MAPP-00073
Mobile Application SRG: SRG-APP-999999-MAPP-00073 (in version v1 r1)
Title
The mobile application must initialize all parameter values on start up. (Cat II impact)
Discussion
An application could be compromised, providing an attack vector into it, if the application initialization process is not designed to keep the application in both a secure and functional state. Any operating parameter in the application, such as variables and settings, must be reset and initialized to default values; otherwise, an adversary in possession of the device could access the application with privileges. An application that re-initializes its parameters at startup is assured a more secure session, since the application has initialized all functional components that allow it to operate properly and thus securely.
Check Content
Perform a dynamic program analysis to assess whether the application, upon startup, initializes all parameter values the application uses. If the dynamic program analysis identifies any parameter value that is not initialized on startup, this is a finding.
Fix Text
Modify the code to ensure that, upon starting, the application initializes all parameter values.
Additional Identifiers
Rule ID: SV-47041r1_rule
Vulnerability ID: V-35754
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |