Check: SRG-APP-000022-MAPP-00009
Mobile Application SRG: SRG-APP-000022-MAPP-00009 (in version v1 r1)
Title
The mobile application must not permit execution of code without user direction unless the code is sourced from an organization-defined list of approved network resources. (Cat II impact)
Discussion
Unapproved and thus untrusted code presents a very high risk for malicious action by network and device intruders. Some mobile applications enable adware and other real-time execution of code. If the mobile application executes code that was not installed when the application was installed, then that code has not been reviewed as part of the application certification process, which scans for known malicious code among other vulnerabilities. In this situation, it is more likely that malicious code may run on the mobile device. Execution of malicious code may compromise sensitive DoD data or potentially cause a privilege elevation that might enable subsequent attacks. There are several ways to mitigate this risk. First, if the user explicitly authorizes exceptions, the user may be able to stop unauthorized execution. Second, if the mobile application authenticates the code, at least the code has been shown to come from a known source. This control protects the user from code that cannot be trusted and has the potential to compromise the device, application, network, and all stored data. Please refer to CWEs 250, 265, 272, and 284 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
Check Content
Perform a static program analysis to determine if the application executes non-DoD-approved external code at any time. Check whether calls to such code include a user acceptance or direction step. Perform a dynamic program analysis to verify the application does not execute non-DoD-approved code without user direction. In this context, user direction refers to the user either accepting or requesting the service or capability that the code provides, given each time code that has not been executed previously is executed. A one-time acceptance that authorizes automatic execution thereafter is not acceptable. If the application ever executes non-DoD-approved external code, this is a finding.
Fix Text
Modify code to prevent execution of non-DoD-approved code without user direction.
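The approved-source and per-code user-direction rules from the check content, as an added example of the gate an application could place in front of dynamically fetched code; this is not DISA's or any application's code, and the `ExecutionGate` class, URLs and payloads are constructed placeholders:

```python
import hashlib

# Added example, not DISA's or any app's code. URLs and payloads are constructed.
class ExecutionGate:
    """Decides whether code fetched from the network may run under this requirement."""

    def __init__(self, approved_sources):
        # Organization-defined list of approved network resources (constructed values).
        self.approved_sources = tuple(approved_sources)
        # Digests of unapproved code the user has directed to run. Direction is tied
        # to the exact bytes, so a modified payload needs fresh user direction.
        self.directed = set()
        self.audit = []  # (decision, reason, url, sha256) for static/dynamic review

    @staticmethod
    def digest(payload: bytes) -> str:
        return hashlib.sha256(payload).hexdigest()

    def source_approved(self, url: str) -> bool:
        return any(url.startswith(prefix) for prefix in self.approved_sources)

    def may_execute(self, url: str, payload: bytes, user_directed: bool = False) -> bool:
        # user_directed is the user's accept/request for *this* code at run time.
        # A stored "always allow" preference is deliberately not an input: the
        # requirement rejects a one-time acceptance of automatic execution.
        d = self.digest(payload)
        if self.source_approved(url):
            reason = "approved-source"
        elif d in self.directed:
            reason = "previously-directed"
        elif user_directed:
            self.directed.add(d)
            reason = "user-directed"
        else:
            # Unapproved source and no user direction: refuse (would be a finding).
            self.audit.append(("deny", "no-user-direction", url, d))
            return False
        self.audit.append(("allow", reason, url, d))
        return True


def demo():
    gate = ExecutionGate(["https://code.example.mil/approved/"])
    ad = "https://ads.example.net/loader.js"
    return [
        gate.may_execute("https://code.example.mil/approved/plugin.js", b"plugin-v1"),
        gate.may_execute(ad, b"loader-v1"),                      # unapproved, no direction
        gate.may_execute(ad, b"loader-v1", user_directed=True),  # user accepts this code
        gate.may_execute(ad, b"loader-v1"),                      # same bytes, already directed
        gate.may_execute(ad, b"loader-v2"),                      # changed bytes, direction needed
    ]
```

`demo()` returns `[True, False, True, True, False]`; the audit list gives a reviewer the per-execution evidence that the dynamic analysis step asks for.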
Additional Identifiers
Rule ID: SV-46413r1_rule
Vulnerability ID: V-35126
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000087 | The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction. |
Controls
Number | Title |
---|---|
No controls are assigned to this check | |