Check: SRG-APP-000264-MAPP-00057
Mobile Application SRG: SRG-APP-000264-MAPP-00057 (in version v1 r1)
Title
The mobile application must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission. (Cat II impact)
Discussion
Unencrypted sensitive application data could be intercepted in transit. Encrypting data in transit protects it from being exfiltrated, modified, or used for malicious purposes. When data is encrypted prior to transmission, the risk of unauthorized disclosure through interception, and of subsequent misuse of the intercepted data, is greatly reduced.
Check Content
If the operating system encrypts all data in transit, or the mobile application leverages a VPN client that encrypts all data in transit, this requirement is not applicable. Otherwise, perform dynamic program analysis with a protocol analyzer to determine whether the application protects data in transit. Judge each flow by its content rather than by the port it uses; cleartext sent on a port conventionally associated with an encrypted protocol is still unencrypted. If data in transit is not encrypted, this is a finding.
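The triage step of the check above, automated: given the first data segment of each captured TCP flow, decide by content whether the flow starts with a TLS ClientHello or with cleartext. This is an added example, not part of the SRG; the flow labels, ports and payloads are constructed here so the script runs offline, and in practice they would be pulled from the protocol analyzer's capture.

```python
"""
Flow triage for the SRG-APP-000264-MAPP-00057 check: decide from the first
captured TCP payload of each flow whether the traffic is TLS or cleartext.

Added example, not part of the SRG. All payloads below are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload starts with a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record-layer version is 3.x: 3.0 = SSLv3, 3.1-3.3 = TLS 1.0-1.2;
    # TLS 1.3 still puts 3.1 or 3.3 here and negotiates 1.3 via an extension.
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x03:
        return False
    if rec_len < 4:  # must at least hold the 4-byte handshake header
        return False
    return payload[5] == TLS_CLIENT_HELLO


def classify_payload(payload: bytes) -> str:
    """Classify the first bytes of a flow by content, never by port number."""
    if is_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "cleartext-http"
    if payload:
        # Mostly printable ASCII is cleartext of some other protocol.
        printable = sum(1 for b in payload if 0x20 <= b < 0x7F or b in b"\r\n\t")
        if printable / len(payload) > 0.9:
            return "cleartext-other"
    return "unknown-binary"


def assess_flows(flows):
    """flows: iterable of (label, dst_port, first_payload).
    Returns a list of (label, dst_port, verdict, status) tuples."""
    results = []
    for label, port, payload in flows:
        verdict = classify_payload(payload)
        if verdict.startswith("cleartext"):
            status = "FINDING"
        elif verdict == "tls":
            status = "PASS"
        else:
            # Opaque bytes: could be a non-TLS encrypted channel or just a
            # binary protocol in the clear; an assessor has to look by hand.
            status = "REVIEW"
        results.append((label, port, verdict, status))
    return results


def build_client_hello() -> bytes:
    """Minimal TLS ClientHello (constructed): one cipher suite, no extensions."""
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random (zeros here)
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                 # compression_methods: null
            + b"\x00\x00")                # extensions length 0
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: note the cleartext POST sent to port 443.
SAMPLE_FLOWS = [
    ("api-login", 443, build_client_hello()),
    ("telemetry", 443, b"POST /v1/events HTTP/1.1\r\nHost: telemetry.example\r\n\r\n{\"user\":\"alice\"}"),
    ("legacy-sync", 8080, b"user=alice&token=abc123\r\n"),
    ("push", 5228, bytes(range(0x80, 0xC0))),
]

if __name__ == "__main__":
    for label, port, verdict, status in assess_flows(SAMPLE_FLOWS):
        print(f"{status:8} {label:12} port {port:<5} {verdict}")
```

The classifier deliberately ignores the destination port: the "telemetry" flow above is a finding even though it targets 443. A REVIEW verdict is not a pass; a proprietary binary protocol must be shown to be encrypted before the flow is accepted.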
Fix Text
Configure the application, or leverage the OS or other applications, to provide protection of data in transit. Otherwise, modify the code to provide such protections.
Additional Identifiers
Rule ID: SV-46985r1_rule
Vulnerability ID: V-35698
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001131 | The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |