Check: SRG-APP-000035-MAPP-00013
Mobile Application SRG: SRG-APP-000035-MAPP-00013 (in version v1 r1)
Title
When the mobile application supports multiple personas (e.g., DoD work and non-DoD personal or public), the mobile application must enforce a non-discretionary access control policy that prohibits a user from accessing DoD data when operating in a persona not authorized for access to data categorized at that level. (Cat II impact)
Discussion
If a device supports multiple personas, the potential exists for data to migrate from one domain to another in an unauthorized or inadvertent manner. In the case of a dual-persona device that supports both personal and DoD use, the potential exists for a user operating in a personal mode to access DoD data, which would be a violation of security policy. Enforcing non-discretionary access control policies to prevent access to domains other than the one in which the user is operating greatly mitigates the risk of unauthorized disclosure of sensitive DoD data. Implementation of this control forces the correct domain to be used given the non-discretionary nature of the control.
Check Content
For mobile applications that support multiple personas, perform a dynamic program analysis to assess the application's ability:
- to identify the domains not authorized for using DoD data.
- to prevent inter-domain transfer of data on the device through any designed-in policy controls if they are present.

If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess if code is present that will support the application's ability to identify the domains not authorized for accessing DoD data and the ability to prevent data transfer between these identified domains. If the dynamic program analysis and static program analysis conclude that domains cannot be identified and discerned between, this is a finding.
Fix Text
Implement non-discretionary access controls in the application or operating system to prohibit unauthorized transfers between domains.
Additional Identifiers
Rule ID: SV-46458r1_rule
Vulnerability ID: V-35171
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000022 | The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |