Check: SRG-APP-000160-MAPP-00035
Mobile Application SRG:
SRG-APP-000160-MAPP-00035
(in version v1 r1)
Title
The mobile application must authenticate devices using bidirectional cryptographic authentication if it manages wireless network connections for other devices. (Cat II impact)
Discussion
If a wireless device authenticates on a network without using encryption to protect the authentication data, then the device is vulnerable to intruders who can perform replay, man-in-the-middle, and spoofing attacks, as well as the many other attacks that take advantage of weak or absent encryption. Intruders who exploit these weaknesses can launch further attacks on other network components and attempt to gain control of the network. Bidirectional authentication greatly mitigates the risk that the mobile application will allow connections from unauthorized devices and helps prevent remote devices from improperly connecting to a rogue network. One of the assumptions of the MAPP SRG is that an application does not perform server functions or support remote devices. This control addresses the exception to that general assumption, namely applications that support permitted personal hotspots or alternative technology that bridges connections to networks without permitting access to the device itself.
Check Content
For mobile applications that manage wireless network connections for other devices, perform a documentation review to assess whether the application uses encryption when managing wireless connections for other devices. If the documentation review is inconclusive, perform a dynamic program analysis to assess whether the application offers the user setup options for encryption, or readily indicates that encryption is present, when managing wireless connections for other devices. If the above tests are inconclusive, perform a static program analysis and assess whether code is present that supports providing the user options for encryption when managing wireless connections for other devices. If the documentation review, dynamic program analysis, or static program analysis reveals that the application does not authenticate devices using bidirectional cryptographic authentication, this is a finding.
Fix Text
Modify code to support the use of bidirectional cryptographic authentication.
Additional Identifiers
Rule ID: SV-46705r1_rule
Vulnerability ID: V-35418
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000780 | The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based.
Controls
Number | Title
---|---
No controls are assigned to this check |