Check: SRG-APP-000117-MAPP-00027
Mobile Application SRG:
SRG-APP-000117-MAPP-00027
(in version v1 r1)
Title
The mobile application must use the mobile device's system time for its authoritative time source. (Cat III impact)
Discussion
Synchronizing with authorized timing sources enables an application to perform a number of important back-office functions that require synchronization between the application, the device, the network, and back-office infrastructure. If the mobile device uses a system for timing synchronization other than that for its authoritative time source, a number of issues could arise concerning control functions that must be accomplished in short time frames and the time stamping of events. This control assures the mobile application will be fully synchronized with the device's system time, which is derived from the OS. This supports accurate time stamping of events for auditing, lets time-sensitive processes complete without timing out, and allows coordinated functions between the application, device, and back office to operate with greater stability and accuracy.
Check Content
If both the mobile application and the MOS use the same time source (e.g., GPS), then it is not necessary for the mobile application to refer to the MOS system time, and this check is not applicable. Otherwise, perform a documentation review to assess if the mobile device's system time is used as the authoritative time source. If the documentation review is inconclusive, perform a static program analysis to assess if code exists that supports the application using the mobile device's internal clock as a source for all timing the application uses. If the application uses a timing source other than the device's system time, this is a finding.
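One way to carry out the static-analysis step described above, as an added example that is not part of the SRG: a Python pass over Java/Android source that flags references to time sources other than the system clock. The indicator patterns, the `review_source` name and the sample files are assumptions chosen for illustration; hits are candidates for the reviewer to confirm, and a GPS hit is not applicable where the MOS also uses GPS.

```python
import re

# Illustrative indicators (assumed, not listed in the SRG) of Java/Android code
# that reads time from something other than the device's system clock.
ALTERNATE_TIME_SOURCES = {
    "NTP client": re.compile(r"\b(?:NTPUDPClient|SntpClient|TimeInfo)\b"),
    "NTP host": re.compile(r"""["'][^"'\n]*\bntp\b[^"'\n]*["']""", re.I),
    "HTTP Date header": re.compile(r"""getHeaderField(?:Date)?\(\s*["']Date["']"""),
    "GPS fix time": re.compile(r"\b\w*[Ll]ocation\.getTime\(\)"),
}
# Calls that read the OS-maintained clock.
SYSTEM_TIME = re.compile(
    r"System\.currentTimeMillis\(\)|Instant\.now\(\)|new Date\(\)")

def review_source(files):
    """files maps path -> source text. Returns (status, [(path, line, label)])."""
    hits, uses_system_time = [], False
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.strip()
            if code.startswith(("//", "/*", "*")):   # skip comment-only lines
                continue
            if SYSTEM_TIME.search(code):
                uses_system_time = True
            for label, pattern in ALTERNATE_TIME_SOURCES.items():
                if pattern.search(code):
                    hits.append((path, lineno, label))
    if hits:
        return "candidate finding", hits    # another time source is referenced
    if uses_system_time:
        return "not a finding", hits        # only the system clock is read
    return "inconclusive", hits             # no timing code recognised

# Constructed sample input: two small source files, one of which syncs over NTP.
SAMPLE = {
    "AuditLog.java": "long ts = System.currentTimeMillis();\nlog.write(ts, event);\n",
    "TimeSync.java": (
        "// constructed sample\n"
        "NTPUDPClient client = new NTPUDPClient();\n"
        'TimeInfo info = client.getTime(InetAddress.getByName("ntp.example.test"));\n'
        "long now = info.getMessage().getTransmitTimeStamp().getTime();\n"
    ),
}

if __name__ == "__main__":
    status, hits = review_source(SAMPLE)
    print(status)
    for hit in hits:
        print("%s:%d  %s" % hit)
```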
Fix Text
Modify code to use the device's system time for its authoritative time source, removing any code that uses other sources.
Additional Identifiers
Rule ID: SV-46640r1_rule
Vulnerability ID: V-35353
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000160 | The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |