Check: SRG-APP-000112-MAPP-00026
Mobile Application SRG:
SRG-APP-000112-MAPP-00026
(in version v1 r1)
Title
The mobile application code must not include embedded interpreters for prohibited mobile code. (Cat I impact)
Discussion
Embedding an interpreter for prohibited code exposes the device and its stored data to all forms of malicious attack. Prohibited code is deliberately excluded in order to maintain the security and integrity of the device and all stored data. If an application embeds an interpreter that invokes prohibited code, whether that code is resident on the device or transferred to the device from an external server, then the device, its stored data, and the network are vulnerable to various forms of malicious attack. This control raises the security of the device, its stored data, and the network by preventing prohibited code from being executed.
Check Content
Perform a static program analysis to assess whether the application hosts interpreters that process mobile code. If this is not feasible, conduct a dynamic program analysis in conjunction with a protocol analyzer to determine whether the mobile application downloads and executes mobile code, which is evidence of an embedded interpreter. Also check what type of mobile code is being downloaded to determine whether it is prohibited. If the source code contains an embedded interpreter that executes prohibited mobile code, this is a finding.
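The static-analysis step above can be started with a source scan for well-known interpreter and dynamic-code-loading APIs. The following is an added example, not part of the SRG text or any official assessment tool: the indicator table is an assumption (a starting list of real Android and iOS APIs that embed or drive an interpreter, such as Rhino, LuaJ, WebView script execution, JavaScriptCore and Dalvik class loaders), and the sample source files are constructed inline. Each hit records whether the same file also performs network I/O, which is the case the check text singles out: mobile code transferred from an external server. The scanner reports the interpreter and mobile-code type so the assessor can compare it against the organization's prohibited-code list; it does not decide prohibition itself.

```python
"""Static scan for embedded-interpreter indicators in mobile app source.

Added example for SRG-APP-000112-MAPP-00026; the indicator table is an
assumed starting point, not an official or complete list.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# (pattern, mobile-code type, what the API does). Assumed indicator list.
INDICATORS = [
    (re.compile(r"javax\.script\.ScriptEngineManager"), "JavaScript (JSR-223)", "generic script engine"),
    (re.compile(r"org\.mozilla\.javascript\.Context"), "JavaScript", "Rhino engine"),
    (re.compile(r"com\.eclipsesource\.v8\."), "JavaScript", "J2V8 engine"),
    (re.compile(r"org\.luaj\.vm2\."), "Lua", "LuaJ interpreter"),
    (re.compile(r"\baddJavascriptInterface\s*\("), "JavaScript", "WebView JS-to-native bridge"),
    (re.compile(r"\bevaluateJavascript\s*\(|loadUrl\s*\(\s*\"javascript:"), "JavaScript", "WebView script execution"),
    (re.compile(r"\bJSContext\b|\bevaluateScript\s*\("), "JavaScript", "JavaScriptCore (iOS)"),
    (re.compile(r"dalvik\.system\.(?:Dex|Path|InMemoryDex)ClassLoader"), "DEX bytecode", "dynamic code loading"),
]
# Network client APIs: a file that both fetches and interprets is the strongest
# sign of mobile code transferred from an external server.
NETWORK_FETCH = re.compile(r"HttpURLConnection|OkHttpClient|URLSession|\bfetch\s*\(")


@dataclass
class Finding:
    path: str
    line: int
    code_type: str
    detail: str
    fetches_network: bool  # same file also performs network I/O


def scan_file(path: str, text: str) -> List[Finding]:
    """Return one Finding per indicator hit, with 1-based line numbers."""
    fetches = bool(NETWORK_FETCH.search(text))
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, code_type, detail in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(path, lineno, code_type, detail, fetches))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> source text (read from disk in real use)."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_file(path, files[path]))
    return out


def code_types(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per mobile-code type for comparison with the prohibited list."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.code_type] = counts.get(f.code_type, 0) + 1
    return counts


# Constructed sample tree: one Android file that fetches and runs script, one
# iOS file that evaluates script locally, and one clean utility file.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Loader.java": """
import android.webkit.WebView;
import okhttp3.OkHttpClient;
public class Loader {
    void run(WebView wv, String script) {
        OkHttpClient client = new OkHttpClient();
        wv.addJavascriptInterface(this, "native");
        wv.evaluateJavascript(script, null);
    }
}
""",
    "ios/Plugin.swift": """
import JavaScriptCore
let ctx = JSContext()
ctx?.evaluateScript(payload)
""",
    "app/src/main/java/com/example/Util.java": """
public class Util { static int add(int a, int b) { return a + b; } }
""",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        flag = " [file also performs network I/O]" if f.fetches_network else ""
        print(f"{f.path}:{f.line}: {f.code_type}: {f.detail}{flag}")
    print("by code type:", code_types(scan_tree(SAMPLE_FILES)))
```

A hit is evidence of an interpreter, not yet a finding: the assessor still has to confirm what code reaches it and whether that code type is prohibited. Files that show both a network client and an interpreter call deserve the dynamic analysis with a protocol analyzer described above.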
Fix Text
Modify the application architecture so it does not require embedded interpreters.
Additional Identifiers
Rule ID: SV-46635r1_rule
Vulnerability ID: V-35348
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001695 | The information system prevents the execution of organization-defined unacceptable mobile code. |
Controls
Number | Title |
---|---|
SC-18 (3) | Prevent Downloading / Execution |