Check: SRG-APP-000008-MAPP-00003
Mobile Application SRG: SRG-APP-000008-MAPP-00003 (in version v1 r1)
Title
The mobile application must include classification attributes with transmitted data if it transmits classified data. (Cat I impact)
Discussion
A classification attribute assures that data is handled and processed according to its sensitivity when it is transmitted. Transmitted data is vulnerable to exposure through incorrect labeling if its classification attribute is not transmitted with it and applied when the data is received and processed. This control assures the data is handled according to its classification during transmission and subsequent distribution, greatly reducing the risk of misclassification and the spill that may eventually follow.
Check Content
For applications that store a single classification of data or have multiple personas, this check does not apply. For applications that transmit classified data, perform a dynamic program analysis to assess whether data classification attributes are transmitted with the data: capture the received data and examine it for the presence of classification attributes. If the dynamic program analysis is inconclusive or cannot be performed, carry out a static program analysis to assess whether the code transmits data classification attributes with the data. If the static or dynamic program analysis reveals that no data classification attributes are transmitted with the data, this is a finding. This test may entail an end-to-end test that extends beyond the application itself, to ensure the data file construct meets the requirement that classification attributes be present.
Fix Text
Modify code to include data classification attributes with transmitted data.
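As an added illustration of this fix (example code, not part of the SRG text or any vendor's application), a minimal sender/receiver pair that carries a classification attribute with each transmitted payload and binds the two with a MAC, so the receiver rejects data whose attribute is missing, unknown, or has been separated from its payload. The label set and the shared key are constructed placeholders; an organization-defined label set and a properly provisioned key are assumed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed classification labels for the example; a real deployment uses
# the organization-defined security attributes referenced by CCI-001401.
LABELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")


class ClassificationError(ValueError):
    """Raised when received data lacks a valid, bound classification attribute."""


def _tag(key: bytes, label: str, payload: bytes) -> str:
    # The MAC covers label and payload together, so the label cannot be
    # stripped or swapped in transit without detection at the receiver.
    return hmac.new(key, label.encode() + b"\x00" + payload, hashlib.sha256).hexdigest()


def wrap(key: bytes, label: str, payload: bytes) -> bytes:
    """Sender side: attach the classification attribute to the transmitted data."""
    if label not in LABELS:
        raise ClassificationError(f"unknown classification label: {label!r}")
    envelope = {"classification": label, "payload": payload.hex(), "tag": _tag(key, label, payload)}
    return json.dumps(envelope).encode()


def unwrap(key: bytes, wire: bytes) -> tuple[str, bytes]:
    """Receiver side: accept only data whose classification attribute is present and bound."""
    try:
        envelope = json.loads(wire)
        label, tag = envelope["classification"], envelope["tag"]
        payload = bytes.fromhex(envelope["payload"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ClassificationError("message malformed or missing classification attribute") from exc
    if label not in LABELS:
        raise ClassificationError(f"unknown classification label: {label!r}")
    if not hmac.compare_digest(tag, _tag(key, label, payload)):
        raise ClassificationError("classification attribute is not bound to the payload")
    return label, payload


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed shared key for the demonstration only
    wire = wrap(key, "SECRET", b"report body")
    print(unwrap(key, wire))
```

The check in Check Content maps onto `unwrap`: captured traffic that lacks the `classification` field, or whose field fails the binding check, is exactly the condition the SRG treats as a finding.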
Additional Identifiers
Rule ID: SV-46372r1_rule
Vulnerability ID: V-35085
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001401 | The information system supports and maintains the binding of organization-defined security attributes to information in transmission. |
Controls
No controls are assigned to this check.