The mobile application must not modify, request, or assign values for operating system parameters unless necessary to perform application functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35164	SRG-APP-000033-MAPP-00010	SV-46451r1_rule		High

Description
An application that operates with the privileges of its host OS is vulnerable to integrity issues and escalated privileges that would affect the entire platform and device. If the application is able to obtain OS privileges greater than necessary for proper operation, then an adversary is able to breach the application, has access to these additional privileges, and can perform unauthorized functions. These functions might include the ability to read sensitive data or execute unauthorized code. If the latter, then additional attacks on the system and DoD networks may be possible. Prohibiting an application from assigning itself unnecessary privileges greatly mitigates the risk of unauthorized use of those privileges.

Description

An application that operates with the privileges of its host OS is vulnerable to integrity issues and escalated privileges that would affect the entire platform and device. If the application is able to obtain OS privileges greater than necessary for proper operation, then an adversary is able to breach the application, has access to these additional privileges, and can perform unauthorized functions. These functions might include the ability to read sensitive data or execute unauthorized code. If the latter, then additional attacks on the system and DoD networks may be possible. Prohibiting an application from assigning itself unnecessary privileges greatly mitigates the risk of unauthorized use of those privileges.

STIG	Date
Mobile Application Security Requirements Guide	2013-01-04

Details

Check Text ( C-43545r1_chk )
Perform a review of the application's documentation to understand the application's operational requirements or the functionality of the application to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the application should have assigned during and at the time of installation. Next, conduct a static program analysis to assess the application's ability to restrict user OS privileges except where explicitly required for the application to operate. If the static program analysis reveals OS access privileges that exist, are modifiable or can be requested that are beyond requirements are granted to the application, this is a finding.

Check Text ( C-43545r1_chk )

Perform a review of the application's documentation to understand the application's operational requirements or the functionality of the application to establish the level of OS privilege required to operate. Based on the review, determine the appropriate OS permissions the application should have assigned during and at the time of installation. Next, conduct a static program analysis to assess the application's ability to restrict user OS privileges except where explicitly required for the application to operate. If the static program analysis reveals OS access privileges that exist, are modifiable or can be requested that are beyond requirements are granted to the application, this is a finding.

Fix Text (F-39712r1_fix)
Modify the code to secure the boundaries within which the application may operate with respect to OS privileges.