An error occurred:

Check: SRG-APP-000061-MAPP-00018

Mobile Application SRG: SRG-APP-000061-MAPP-00018 (in version v1 r1)

Title

When the mobile application supports multiple persona (e.g., DoD work and non-DoD personal or public), the application must record a log entry when there is a failed attempt to improperly transfer data from one domain to another. (Cat III impact)

Discussion

Transferring data between various domains exposes the data to both accidental and malicious intruders able to perform physical attacks. This form of attack will allow an unauthorized user to gain access to the operating system or application through one of the domains. Similarly, sensitive data conveyed to a less-secure domain holds the potential to cause data exposure. This control provides the user a more secure operating domain; adding controls that prevent the transfer of data between security domains mitigates a number of IA risks. Furthermore, logging all failed attempts to transfer data between security domains will enable the user and administrator to identify when there has been a likely breach of system security and take appropriate incident responses measures.

Check Content

For mobile applications that support multiple personas, conduct a dynamic program analysis to assess the application's ability to detect and log all failed attempts to transfer data between security domains. Observe any on-screen messages and system logs that would reflect a failed attempt to transfer the data. If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess the application's ability to detect and log all failed attempts to transfer data between security domains. Search for code that supports the ability to force any on-screen messaging or create any log file that would reflect a failed attempt to transfer the data. If the dynamic or static program analysis concludes that no means are available to detect failed attempts of cross domain data transfer, this is a finding.

Fix Text

Modify code so the application records a log entry when there is a failed attempt to improperly transfer data from one domain to another.

Additional Identifiers

Rule ID: SV-46535r1_rule

Vulnerability ID: V-35248

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001557

The information system tracks problems associated with the information transfer.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check