Check: SRG-APP-000081-MAPP-00024
Mobile Application SRG:
SRG-APP-000081-MAPP-00024
(in version v1 r1)
Title
The digital signature on the mobile application installation code must identify the entity responsible for the application. (Cat III impact)
Discussion
Any code that a mobile application uses must carry a digital signature that authenticates the actual publisher, proving both that the code is legitimate and that it was produced by a trusted source. Software that cannot be traced to a trusted source may have been written by an untrusted one. An adversary could then create an application that has the appearance and utility of one already in use and deliver it to users, for example as an update. Such an application would contain malicious code that gains root access and other escalated privileges, compromising the security posture of the device and the data on it. This control assures the user that the code came from a trusted source and protects against malicious action through escalated privilege that could corrupt or compromise the integrity and confidentiality of data on the device.
Check Content
Review the installation package and look for a digital signature. Assess if it identifies the developer. If no digital signature is available or if a signature is present but does not identify the developer, this is a finding.
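The three conditions in the check (a signature is present, it verifies, and the signer is identified) as an added example script, not part of the SRG itself: it assumes the openssl CLI, builds two throwaway signing identities (a constructed release identity and the well-known Android debug keystore subject, CN=Android Debug) and a constructed package blob, then applies the check to each case.

```shell
#!/bin/sh
# Added demo of the SRG check (not DISA's procedure): sign a constructed
# "installation package" and verify that (1) a signature exists, (2) it verifies
# against the signer certificate, and (3) the certificate subject names a
# responsible entity rather than a placeholder such as the Android debug key.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'constructed installation package contents\n' > "$WORK/app.pkg"

# make_signer NAME SUBJECT: throwaway key + self-signed cert (assumed identities)
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
make_signer release "/O=Example Mobile Devs/CN=Example App Release Key"
make_signer debug   "/C=US/O=Android/CN=Android Debug"
openssl dgst -sha256 -sign "$WORK/release.key" -out "$WORK/app.release.sig" "$WORK/app.pkg"
openssl dgst -sha256 -sign "$WORK/debug.key"   -out "$WORK/app.debug.sig"   "$WORK/app.pkg"
: > "$WORK/app.none.sig"   # package shipped with an empty signature file

# check_package PKG SIG CERT -> prints "PASS" or "FAIL: <reason>" (exit 0 either way)
check_package() {
  pkg=$1 sig=$2 cert=$3
  [ -s "$sig" ] || { echo "FAIL: no digital signature present"; return 0; }
  openssl x509 -in "$cert" -noout -pubkey > "$pkg.pub"
  openssl dgst -sha256 -verify "$pkg.pub" -signature "$sig" "$pkg" >/dev/null 2>&1 \
    || { echo "FAIL: signature does not verify against signer certificate"; return 0; }
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  case "$subject" in
    *"CN=Android Debug"*) echo "FAIL: signed with a debug key, signer not identified"; return 0 ;;
  esac
  # Require both an organization (O) and a named key/common name (CN) in the subject.
  case "$subject" in
    *O=*CN=*|*CN=*O=*) echo "PASS" ;;
    *) echo "FAIL: certificate subject does not identify the developer: $subject" ;;
  esac
}

check_package "$WORK/app.pkg" "$WORK/app.release.sig" "$WORK/release.crt"  # prints PASS
check_package "$WORK/app.pkg" "$WORK/app.debug.sig"   "$WORK/debug.crt"    # prints FAIL: debug key
check_package "$WORK/app.pkg" "$WORK/app.release.sig" "$WORK/debug.crt"    # prints FAIL: does not verify
check_package "$WORK/app.pkg" "$WORK/app.none.sig"    "$WORK/release.crt"  # prints FAIL: no signature
```

On a real Android package the same three questions are answered by `apksigner verify --print-certs`; the script above only shows the decision logic behind the finding.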
Fix Text
Modify the application and the application's installation code to support identifying digital signatures.
Additional Identifiers
Rule ID: SV-46559r1_rule
Vulnerability ID: V-35272
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001338 | The information system associates the identity of the information producer with the information. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |