Check: SRG-APP-999999-MAPP-00075
Mobile Application SRG:
SRG-APP-999999-MAPP-00075
(in version v1 r1)
Title
The mobile application must not record or forward sensor data unless explicitly authorized to do so. (Cat I impact)
Discussion
Sensors include the GPS, gyroscope, accelerometer, camera, and microphone. When sensor data is either recorded locally or sent to a remote server, the potential exists for an adversary to obtain sensitive information that could be used to harm the user or compromise information systems. In particular, when location data is forwarded, the user may be physically targeted. User safety and mission assurance risks are mitigated when sensor data is only collected or forwarded when expressly authorized.
Check Content
Perform a static program analysis to determine if the application accesses any sensor data during its operation. If it does not, then there is no finding. If it does, perform a static or dynamic program analysis to determine whether the application either locally records the sensor information or forwards it to another host. If it does either of these, then verify that the activity is authorized. If it is not authorized, then this is a finding.
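The check above asks the assessor to establish three things from the code: whether the app reads sensor data at all, whether that data reaches a local record or a remote host, and only then whether the activity is authorized. The following Python script is an added illustration of the first two steps, not DISA tooling and not part of the SRG. It assumes an Android app whose manifest and Java sources are available as text, uses regular-expression heuristics over real Android permission and API names, and runs over a constructed sample app embedded below. The authorization question in the third step cannot be settled by code and stays a manual review item.

```python
"""Heuristic static triage for SRG-APP-999999-MAPP-00075.

Added example (not DISA's or any project's code). It flags sensor permissions,
sensor API calls, and record/forward sinks in Android source text so that an
assessor knows whether the "authorized?" question even needs to be asked.
"""
import re

# Manifest permissions that gate sensor access (real Android permission names).
SENSOR_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS/location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.BODY_SENSORS": "body sensors",
}

# Source-level indicators of sensor reads. Gyroscope and accelerometer data
# arrive through SensorManager.registerListener; location via LocationManager.
SENSOR_API_PATTERNS = {
    r"\brequestLocationUpdates\s*\(|\bgetLastKnownLocation\s*\(": "location",
    r"\bregisterListener\s*\(": "motion sensor",
    r"\bopenCamera\s*\(|\bCamera\.open\s*\(": "camera",
    r"\bAudioRecord\b|\bMediaRecorder\b": "microphone",
}

# Sinks: local recording (files, preferences) or forwarding (network).
SINK_PATTERNS = {
    r"\bFileOutputStream\b|\bFileWriter\b|\bopenFileOutput\s*\(": "local file",
    r"\bSharedPreferences\b.*\.edit\s*\(": "local preferences",
    r"\bHttpURLConnection\b|\bOkHttpClient\b|\bSocket\s*\(": "network",
}


def find_matches(text, patterns):
    """Return (line_number, label, line) for every line matching a pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in patterns.items():
            if re.search(pattern, line):
                hits.append((lineno, label, line.strip()))
    return hits


def triage(manifest, sources):
    """Classify an app per the check's decision steps.

    manifest: AndroidManifest.xml as text
    sources:  {path: java_source_text}
    Returns a dict with the evidence and a status:
      no_finding           - no sensor permission or sensor API use seen
      review_sensor_access - sensors read, but no record/forward sink seen
      verify_authorization - sensors read AND a sink seen; authorization must
                             be confirmed manually, otherwise it is a finding
    """
    permissions = [p for p in SENSOR_PERMISSIONS if p in manifest]
    sensor_apis, sinks = [], []
    for path, text in sources.items():
        sensor_apis += [(path,) + h for h in find_matches(text, SENSOR_API_PATTERNS)]
        sinks += [(path,) + h for h in find_matches(text, SINK_PATTERNS)]

    if not permissions and not sensor_apis:
        status = "no_finding"
    elif not sinks:
        status = "review_sensor_access"
    else:
        status = "verify_authorization"
    return {"permissions": permissions, "sensor_apis": sensor_apis,
            "sinks": sinks, "status": status}


# Constructed sample app (hypothetical; not taken from any real application).
SAMPLE_MANIFEST = """<manifest package="example.tracker">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

SAMPLE_SOURCES = {
    "TrackerService.java": """
locationManager.requestLocationUpdates(LocationManager.GPS_PROVIDER, 1000, 1, listener);
FileOutputStream out = openFileOutput("track.log", MODE_PRIVATE);
HttpURLConnection conn = (HttpURLConnection) new URL(endpoint).openConnection();
""",
    # Reads preferences without .edit(): not a recording sink.
    "Settings.java": 'SharedPreferences prefs = getSharedPreferences("ui", MODE_PRIVATE);',
}

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    print("status:", result["status"])
    for path, lineno, label, line in result["sensor_apis"] + result["sinks"]:
        print(f"  {path}:{lineno} [{label}] {line}")
```

The heuristics are deliberately coarse: a hit is evidence to follow up with a proper data-flow analysis or a dynamic test, not proof that sensor data reaches the sink. Missing hits are equally inconclusive for obfuscated or native code, which is why the check allows static or dynamic analysis for the record/forward step.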
Fix Text
Remove code that records or forwards sensor data or cease using the mobile application.
Additional Identifiers
Rule ID: SV-47042r1_rule
Vulnerability ID: V-35755
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings