Title

The mobile application must implement automated mechanisms to enforce access control restrictions which are not provided by the operating system (Cat II impact)

Discussion

Applications often have additional access control requirements beyond those provided by the operating system. For example, a contact or key database may contain particular sensitive records that require additional levels of authentication beyond device unlock. When access control mechanisms are not automated, they are much less likely to be properly enforced. Users may either inadvertently fail to enforce the restrictions or intentionally do so as a matter of convenience. Without the proper enforcement of controls, it is more likely that DoD data will be disclosed in an unauthorized manner. Automated enforcement of access controls significantly reduces the risk of unauthorized disclosure of data. There are various ways to implement automated mechanisms. Mandatory access control (MAC) provides the greatest assurance because the user has no discretion in this framework. Other automated controls might include file permissions or cryptography.

Check Content

If the MOS fulfills all of the mobile application's access control requirements, then this requirement is NA. Investigate the application's access control requirements. Identify requirements that are not addressed by the operating system. For each identified requirement, perform a dynamic program analysis to assess the ability of the application to automatically impose restrictions related to that requirement. Alternatively, perform a static analysis to verify appropriate automation exists for each of the indentified requirements. Automated enforcement includes any mechanism not based on user enforcement. If a user must type a password or present a biometric, this is still considered automated because the inability to access information without presenting these credentials is automated. If restrictions to data were based on user trust and not a technical mechanism, this would not be automated. If either the dynamic or static program analyses reveal that one or more requirements are not addressed through automated enforcement, this is a finding.

Fix Text

Modify code to implement automated enforcement of access control not provided by the operating system.

Additional Identifiers

Rule ID: SV-46657r1_rule

Vulnerability ID: V-35370

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.