Check: SRG-APP-000050-MAPP-00016
Mobile Application SRG:
SRG-APP-000050-MAPP-00016
(in version v1 r1)
Title
A mobile application must authenticate the persona from which data is coming before permitting transfer to or from a DoD persona when the mobile application supports multiple personas. (Cat II impact)
Discussion
Transfer of data from one persona to another on a device that supports multiple personas poses two significant risks. First, malware present in one persona could migrate to another persona. In this case, the malware could be used to breach other systems, potentially resulting in the unauthorized disclosure of sensitive DoD data. Second, sensitive data from one persona could be exfiltrated to another persona. This also could result in the unauthorized disclosure of sensitive DoD data. Authenticating the source persona is a critical step in preventing improper transfer of data and malware because it provides assurance that security filters that stop unauthorized transfers are basing decisions on accurate information.
Check Content
If the application does not support multiple personas, this requirement is not applicable. For mobile applications that support multiple personas, conduct a dynamic program analysis to assess the application's ability to authenticate the source persona. This is primarily achieved by verifying the application enforces known restrictions on inter-persona transfers. If the dynamic program analysis cannot be performed or is inconclusive, perform a static program analysis to assess if code is present that will support the application's ability to authenticate the source persona in such scenarios. If the dynamic program analysis and/or static program analysis conclude that the application does not authenticate the source persona when transferring data from one person to another, this is a finding.
Fix Text
Modify code to authenticate the source persona when data is transferred from one persona to another.
Additional Identifiers
Rule ID: SV-46516r1_rule
Vulnerability ID: V-35229
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001377 |
The information system uniquely authenticates source domains for information transfer. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |