Check: SRG-APP-999999-MAPP-00066
Mobile Application SRG:
SRG-APP-999999-MAPP-00066
(in version v1 r1)
Title
The mobile application must remove cookies or information used to track a user's identity when it terminates. (Cat III impact)
Discussion
If the application does not remove temporary data, such as authentication data, temporary files containing sensitive data, and cookies, that data can be reused if the device is lost or stolen. Such information could also be used to track the user across application sessions or even across different applications, which poses an OPSEC risk. The temporary data could be used to re-authenticate as the user or to gain unauthorized access to sensitive data. Removing cookies and similar data at termination gives DoD greater assurance that intruders and unauthorized users cannot use that data to access the system, read sensitive data, or compromise its integrity.
Check Content
Determine if the application uses cookies or otherwise saves information used to track a user's identity. Perform a dynamic program analysis: launch the application, perform a transaction that would cause a cookie or other information tracking a user's identity to be stored on the device, then terminate the application. A baseline of hashes of all application files, taken before the transaction, may be needed to determine whether files were added or changed during the session. If the cookie or other information tracking a user's identity remains after the application terminates, this is a finding.
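The following script is an added example of the baseline-and-diff part of this check; it is not part of the SRG text and does not come from any particular application. It hashes every file under a directory standing in for the application's data area, hashes it again after the application has exited, and reports files that were added or modified and whose names look like cookie, session, or token stores. The name hints in TRACKING_NAME_HINTS and the sandbox layout built by run_demo() are assumptions for illustration; on a real device the snapshots would be taken from the application's sandbox or data directory before the transaction and after termination.

```python
"""Baseline/diff check for residual cookie or tracking data after an app exits.

Added example: this is not the SRG's own tooling. The app sandbox layout and
file names below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Substrings that commonly appear in the names of cookie/session stores.
# Assumed heuristic: extend it for the platform and application under test.
TRACKING_NAME_HINTS = ("cookie", "session", "token", "webview")


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified


def residual_tracking_files(baseline, after_exit):
    """Files added or changed during the session that look like tracking stores.

    baseline is the snapshot taken before the transaction; after_exit the one
    taken once the application has terminated. Anything returned is a finding.
    """
    added, _removed, modified = diff_snapshots(baseline, after_exit)
    return [p for p in added + modified
            if any(hint in p.lower() for hint in TRACKING_NAME_HINTS)]


def run_demo():
    """Constructed end-to-end run on a throwaway directory standing in for the app sandbox."""
    with tempfile.TemporaryDirectory() as sandbox:
        box = Path(sandbox)
        (box / "Library" / "Cookies").mkdir(parents=True)
        (box / "Documents").mkdir()
        (box / "Documents" / "settings.plist").write_bytes(b"<plist/>")  # pre-existing file
        baseline = snapshot(box)

        # Simulated transaction: the server sets a session cookie and the app writes a log.
        (box / "Library" / "Cookies" / "Cookies.binarycookies").write_bytes(b"cook\x00sessionid=abc")
        (box / "Documents" / "app.log").write_bytes(b"login ok\n")

        # Simulated termination that clears the log but forgets the cookie store.
        (box / "Documents" / "app.log").unlink()
        after_exit = snapshot(box)

        return residual_tracking_files(baseline, after_exit)


if __name__ == "__main__":
    findings = run_demo()
    print("FINDING: residual tracking data" if findings else "no residual tracking data")
    for path in findings:
        print("  ", path)
```

The name-based filter only narrows the review; any file that changed during the session (the full output of diff_snapshots) should still be inspected, since an application may persist a session identifier in a database or preferences file with an innocuous name.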
Fix Text
Configure or redesign the application to remove cookies or other information used to track the user's identity before the application exits.
Additional Identifiers
Rule ID: SV-47036r1_rule
Vulnerability ID: V-35749
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings