Check: SRG-APP-000033-MAPP-00012
Mobile Application SRG: SRG-APP-000033-MAPP-00012 (version v1 r1)
Title
A mobile application must not call APIs or otherwise invoke resources external to the mobile application unless such activity serves the documented purposes of the mobile application. (Cat II impact)
Discussion
An application that does not operate within an appropriate sandbox inadvertently exposes the device and all data stored on it to non-secure domains, and also provides a path for a malicious intruder to access the device and that data. If the mobile application calls APIs outside its documented purpose, it could perform unauthorized functions, such as revealing the user's location or reading the user's contact database. This control limits the API set the application may use and mitigates the risk of unauthorized actions that could compromise data confidentiality as well as the user's safety and mission.
Check Content
Review the application design requirements and assess which external resources the application needs for normal operation. Review the functional requirements documentation to determine which APIs must be called to meet those requirements. Next, perform static program analysis of the application to determine which APIs it actually calls (e.g., camera, microphone, Bluetooth, address book, GPS) and which other applications or resources external to the application it accesses. If comparing the design/functional requirements documentation with the static analysis results shows that the APIs and resources called by or available to the application exceed those the functional and operational requirements demand, this is a finding.
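One way to carry out the static-analysis comparison the check describes, written as an added example for this page (it is not part of the SRG or of any DISA tool). It targets an Android app: permissions are read from the manifest, API usage is inferred from import statements in decompiled source, both are mapped to the resource categories the check names, and anything outside the documented allow-list is reported. The manifest, source fragment and approved-resource list are constructed sample inputs; the permission and package names are real Android identifiers, but the mapping tables are a hand-picked subset, not a complete catalogue.

```python
"""Compare the APIs/permissions an Android app actually uses against the
resources its documented requirements justify (SRG-APP-000033-MAPP-00012).

Illustrative code written for this page. All sample inputs below are
constructed; the category mapping is a hand-picked subset of real Android
permission and package names.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: the app is documented as a camera-based scanner that
# uploads results, yet it also requests location and contacts access.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Constructed decompiled-source fragment; a static scan keys on the imports.
SAMPLE_SOURCE = """
import android.hardware.camera2.CameraManager;
import android.location.LocationManager;
import android.provider.ContactsContract;
import android.bluetooth.BluetoothAdapter;
"""

# Resource categories the documented requirements justify (output of the
# document-review step). Constructed for the example.
APPROVED_RESOURCES = {"camera", "network"}

# Hand-picked mapping of manifest permissions to the categories in the check.
PERMISSION_CATEGORY = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.BLUETOOTH": "bluetooth",
    "android.permission.BLUETOOTH_CONNECT": "bluetooth",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.WRITE_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "gps",
    "android.permission.ACCESS_COARSE_LOCATION": "gps",
    "android.permission.INTERNET": "network",
}

# Hand-picked mapping of API packages/classes to the same categories.
API_CATEGORY = {
    r"android\.hardware\.(camera2|Camera)": "camera",
    r"android\.media\.(AudioRecord|MediaRecorder)": "microphone",
    r"android\.bluetooth\.": "bluetooth",
    r"android\.provider\.ContactsContract": "address book",
    r"android\.location\.": "gps",
}


def manifest_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def resources_from_manifest(manifest_xml: str) -> set[str]:
    """Map declared permissions to resource categories. A permission the
    table does not know is surfaced as 'unmapped:<name>' rather than being
    silently accepted, so the reviewer sees it."""
    categories = set()
    for perm in manifest_permissions(manifest_xml):
        categories.add(PERMISSION_CATEGORY.get(perm, "unmapped:" + perm))
    return categories


def resources_from_source(source: str) -> set[str]:
    """Map API references found in source text to resource categories."""
    return {cat for pattern, cat in API_CATEGORY.items() if re.search(pattern, source)}


def find_excess_resources(manifest_xml: str, source: str, approved: set[str]) -> set[str]:
    """Resources the app touches that the documented requirements do not
    justify. A non-empty result corresponds to a finding under this check."""
    used = resources_from_manifest(manifest_xml) | resources_from_source(source)
    return used - approved


if __name__ == "__main__":
    excess = find_excess_resources(SAMPLE_MANIFEST, SAMPLE_SOURCE, APPROVED_RESOURCES)
    if excess:
        print("FINDING: undocumented resource access:", sorted(excess))
    else:
        print("No excess resources found.")
```

Note that the two evidence sources are deliberately combined: the Bluetooth API use in the sample source has no matching manifest permission, and a manifest-only review would miss it. Run against real input, the manifest would come from the APK and the source from a decompiler, and the mapping tables would need to be extended to the platform version under review.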
Fix Text
Modify the code and architecture to create a sandbox environment for the application that prevents it from controlling APIs or accessing other resources that do not relate to the application's functional and operational requirements.
Additional Identifiers
Rule ID: SV-46455r1_rule
Vulnerability ID: V-35168
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement