Check: SRG-APP-000243-MAPP-00049
Mobile Application SRG:
SRG-APP-000243-MAPP-00049
(in version v1 r1)
Title
The mobile application must not write data to persistent memory accessible to other applications. (Cat II impact)
Discussion
Persistent memory is memory that retains data even when the device is no longer powered on. It is often referred to as non-volatile memory and is typically used for file storage. If the application shares the same location of persistent memory with that used by other applications to include encrypted data, then the data is at great risk to exposure through being available to other applications after the application has shut down or a user session has terminated. Furthermore, even though the OS will always be able to read files, other applications that share the same persistent memory are potentially less secure and thus offer an accessible means for malicious intruders to retrieve this information through the other application. In many operating environments, assigning unique process IDs to each application facilitates their separation from one another. In applying this control, the user will be less susceptible to malicious intrusion and extrusion of data that resides in areas shared by other applications.
Check Content
If the mobile OS on which the mobile application resides does not permit the application to share persistent memory, then the application is compliant with this IA control. If the above control is not available, perform a static program analysis to assess if the application ever modifies the permissions of files to enable other applications to read or modify the files. If the static program analysis reveals that the application grants permissions that enable the application to share its area of persistent memory with other applications or processes, this is a finding. If the static program analysis reveals that the application's persistent memory is not secured and can be addressed and used by other applications and processes that allow file permissions to be changed, this is a finding. When applicable, examine the file permissions of files created by the application. If they permit other applications to access the files, this is a finding.
Fix Text
Modify code and architecture to assure the application does not share its persistent memory allocation with other applications and processes and does not address areas of persistent memory used by other applications and processes.
Additional Identifiers
Rule ID: SV-46929r1_rule
Vulnerability ID: V-35642
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001090 |
The information system prevents unauthorized and unintended information transfer via shared system resources. |
Controls
Number | Title |
---|---|
SC-4 |
Information In Shared Resources |