Check: SRG-APP-000267-MAPP-00060
Mobile Application SRG:
SRG-APP-000267-MAPP-00060
(in version v1 r1)
Title
The mobile application must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display. (Cat III impact)
Discussion
Error messages that are transmitted outside of the application environment reveal weaknesses in the application and offer malicious users a potential avenue of exposure. By default, many error messages contain data pertaining to the session, the ports, and the user, and in some instances their authentication credentials. Through this control, any issues that an application may have are disclosed only to the user and to the personnel who have access to audit logs.
Check Content
Perform a static program analysis to assess whether any errors are transmitted to any entity other than audit logs, the MDM, or the user display. Do the following:
- launch the application
- create an error condition using incorrect input
- observe any error messages that result on screen
- observe where any log files containing error messages are stored
If the static program analysis reveals that error messages are sent to an entity other than a user-defined audit log, the MDM, or the device screen, this is a finding.
Fix Text
Modify code to send error messages to MOS audit logs, the MDM or the device display.
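The routing pattern the fix calls for, as an added illustration that is not part of the SRG and not any vendor's code: an error router that accepts only the three permitted destinations (audit log, MDM, device display), delivers full detail to the audit log and the MDM, and strips the session, port and user fields named in the Discussion before anything reaches the screen. The sink names, the `ErrorRouter` class, the `SENSITIVE_KEYS` list and the sample error context are constructed for this example.

```python
# Constructed example: route error messages only to the destinations the
# requirement permits, with redaction before display. Not SRG or vendor code.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict

# The three destinations permitted by SRG-APP-000267-MAPP-00060 (names assumed).
ALLOWED_SINKS = frozenset({"audit_log", "mdm", "display"})

# Context keys the Discussion names as commonly leaked; kept off the display.
# Assumed list for this example.
SENSITIVE_KEYS = frozenset({"session", "port", "user", "password", "token"})


class DisallowedSinkError(ValueError):
    """Raised when code tries to register a destination outside the allow-list."""


def redact_for_display(code: str, message: str, context: Dict[str, Any]) -> Dict[str, Any]:
    """Build the on-screen payload: error code, developer text, non-sensitive context only."""
    safe = {k: v for k, v in context.items() if k.lower() not in SENSITIVE_KEYS}
    return {"code": code, "message": message, "context": safe}


@dataclass
class ErrorRouter:
    # sink name -> callable that receives the payload dict
    sinks: Dict[str, Callable[[Dict[str, Any]], None]] = field(default_factory=dict)

    def register(self, name: str, handler: Callable[[Dict[str, Any]], None]) -> None:
        # Enforce the allow-list at registration time, so a crash-reporting or
        # analytics endpoint cannot be wired in as an error destination.
        if name not in ALLOWED_SINKS:
            raise DisallowedSinkError(f"error messages may not be sent to {name!r}")
        self.sinks[name] = handler

    def report(self, code: str, message: str, context: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
        """Deliver one error to every registered sink; return what each sink received."""
        full = {"code": code, "message": message, "context": dict(context)}
        delivered: Dict[str, Dict[str, Any]] = {}
        for name, handler in self.sinks.items():
            payload = redact_for_display(code, message, context) if name == "display" else full
            handler(payload)
            delivered[name] = payload
        return delivered


def demo() -> Dict[str, Dict[str, Any]]:
    """Constructed error condition: incorrect input rejected while a session is open."""
    audit_log: list = []
    mdm_queue: list = []
    screen: list = []
    router = ErrorRouter()
    router.register("audit_log", audit_log.append)  # MOS audit log stand-in
    router.register("mdm", mdm_queue.append)        # MDM reporting channel stand-in
    router.register("display", screen.append)       # device display stand-in
    return router.report(
        "E_INPUT",
        "malformed record rejected",
        {"session": "constructed-session-1", "port": 8443, "user": "jdoe", "field": "zip"},
    )


if __name__ == "__main__":
    for sink, payload in demo().items():
        print(sink, payload)
```

In the check procedure above, the static analysis step maps to reviewing every call to `register`: any destination name not in the allow-list fails at runtime here, and any handler that forwards its payload off-device would be the finding.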
Additional Identifiers
Rule ID: SV-46988r1_rule
Vulnerability ID: V-35701
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-001314 | The information system reveals error messages only to organization-defined personnel or roles.
Controls
Number | Title
---|---
SI-11 | Error Handling