Title

The mobile application must identify potentially security-relevant error conditions. (Cat II impact)

Discussion

The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational requirements. An error condition can occur when an attacker provides unexpected values at an input prompt, causing the mobile application to crash or force it to excessively consume resources, such as battery, memory and CPU. This can also expose the application to data confidentiality and integrity issues as a result of the attacker gaining control of the device. Applying this control assures that security-relevant issues arising from data input correctness are addressed.

Check Content

The reviewer is only required to check whether the mobile application identifies improper inputs, unless there are specific known error conditions that require additional investigation. Perform a dynamic program analysis by fuzzing all user inputs of the application by providing invalid, unexpected, or random data to the inputs. Test the application for invalid sizes and types. Test input and try to exceed buffer limits on the input fields. Try to put wrong types of data in the input fields. For example, put character data in a numeric field. If the application requires the entry of IP addresses as an example, and is not capable of handling IPv6 Formats that are 128 bits long, this is finding. If the application is not capable of handling IPv6 formats and accepts characters that are of hexadecimal notation including colons, this is a finding. Perform a static analysis to assess if code is present that when executed, checks input data for validation against defined constraints. If no input validation code is present, this is a finding.

Fix Text

Modify code to identify potentially-relevant error conditions.

Additional Identifiers

Rule ID: SV-46986r1_rule

Vulnerability ID: V-35699

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.