Check: SRG-APP-999999-MAPP-00078
Mobile Application SRG, version v1 r1
Title
The mobile application installation package must be digitally signed in accordance with FIPS 186-3. (Cat II impact)
Discussion
One of the biggest risks on a mobile device is that it will execute malware that compromises sensitive data on the device or enables subsequent attacks on other DoD information systems. One of the most effective means of preventing malware execution is to authenticate that software comes from a trusted source before it is installed. A digital signature on the installation package lets the device (or an assessor) verify that the package was produced by the holder of a particular signing key and has not been altered since. Signing in accordance with FIPS 186-3 provides the additional assurance that the signature was generated with an approved algorithm, key size, and hash function, so that it cannot be trivially forged and therefore actually supports the trust decision.
Check Content
Perform a static analysis of the installation package to determine whether it carries a digital signature and, if so, how that signature was produced. If the package is unsigned, this is a finding. If the signature does not verify against the signer's public key, or was produced with an algorithm, key size, or hash function outside those approved in FIPS 186-3 (DSA, RSA, or ECDSA with an approved key size and a hash function from FIPS 180-3, in practice SHA-256 or stronger), this is a finding. Note that FIPS 186-3 has since been superseded by FIPS 186-4 (2013) and FIPS 186-5 (2023); assess against the revision in force at the time of the review.
Fix Text
Digitally sign the application package using a FIPS 186-3 approved algorithm, key size, and hash function, and make the signer's public key or certificate available so the signature can be verified before installation.
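As an added example (not part of the SRG text or of any vendor's signing tooling), the following pure-Python script implements ECDSA over NIST P-256, one of the signature schemes FIPS 186-3 specifies, and uses it to model both sides of this check: the developer signing the installation package (Fix Text) and the assessor verifying the signature and recording a finding (Check Content). The package bytes, the key pair, the function names, and the wording returned by `assess_package` are assumptions made here for illustration; the curve parameters and the signature equations are those of FIPS 186-3. Real packages carry their signature in a platform-specific container, which this SRG does not prescribe, so the script verifies a detached (r, s) pair instead. Requires Python 3.8 or later for `pow(x, -1, m)`.

```python
# Added example: ECDSA over NIST P-256 from scratch (FIPS 186-3 Section 6,
# curve from Appendix D.1.2.3), used to sign a constructed sample package and
# to run the assessor's decision for this check. Not the SRG's or any vendor's code.
import hashlib
import secrets

# NIST P-256 domain parameters, as published in FIPS 186-3 Appendix D.1.2.3.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p) or is the identity."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition (and doubling) on P-256."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p2 == -p1, so the sum is the identity
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add computation of k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(data):
    """FIPS 186-3 Section 6.4: the leftmost min(n_bits, outlen) bits of SHA-256(data)."""
    digest = hashlib.sha256(data).digest()
    e = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - N.bit_length()
    return e >> excess if excess > 0 else e


def generate_keypair():
    """Private key d in [1, n-1] and public key Q = dG (demonstration only)."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def sign(priv, data):
    """ECDSA signature generation; returns (r, s)."""
    e = hash_to_int(data)
    while True:
        k = secrets.randbelow(N - 1) + 1  # per-signature secret; must never repeat
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * priv) % N
        if s != 0:
            return r, s


def verify(pub, data, sig):
    """ECDSA signature verification; False for malformed input or a bad signature."""
    r, s = sig
    if pub is INF or not on_curve(pub) or not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(hash_to_int(data) * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def assess_package(package, sig, signer_pub):
    """The assessor's decision for this check: a package, its detached signature, the signer's key."""
    if sig is None:
        return "finding: no digital signature on installation package"
    if not verify(signer_pub, package, sig):
        return "finding: signature does not verify under FIPS 186-3 ECDSA/P-256"
    return "not a finding: package carries a valid FIPS 186-3 ECDSA/P-256 signature"


if __name__ == "__main__":
    priv, pub = generate_keypair()
    package = b"constructed sample installation package bytes"  # stand-in for the real file
    sig = sign(priv, package)
    print(assess_package(package, sig, pub))
    print(assess_package(package + b"\x00", sig, pub))  # tampered after signing
    print(assess_package(package, None, pub))           # unsigned package
```

The per-signature value `k` must be fresh and secret for every signature; reusing it with the same private key reveals that key, which is why the script draws it from `secrets` rather than `random`. Production signing keys belong in an HSM or a signing service, not in a script, and the assessor's step in practice is the verification half only, run against the vendor's published certificate.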
Additional Identifiers
Rule ID: SV-47043r1_rule
Vulnerability ID: V-35756
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings