
The mobile application must validate the signature on DoD Mobile Code Policy Category 1A and 2 mobile code before executing such code.


Overview

Finding ID: V-35263
Version: SRG-APP-000074-MAPP-00021
Rule ID: SV-46550r1_rule
IA Controls: (none listed)
Severity: High
Description
Untrusted mobile code may contain malware or other malicious logic. A digital signature identifies the source of the code and protects its integrity, and that identity is the basis for authenticating and trusting the code. Category 2 mobile code that operates in an unconstrained environment, like Category 1 mobile code, must carry a signature that identifies the developer. Unsigned code is potentially dangerous to use because there is no way to establish who produced it or that it has not been modified since release, and therefore no basis for trusting that it has been tested and is free of defects that cause security issues; untested code may also contain malware. A signature is only meaningful when it validates against a certificate the organization actually trusts, so the check must chain to a DoD-approved PKI rather than merely confirm that some signature is present. Applying this control gives the user greater assurance against running code that is prohibited because it is untrusted and untested.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-43632r1_chk)
Review the application documentation to determine whether the application design validates the signature on Category 1A and 2 mobile code before executing it. If the documentation review is inconclusive, conduct dynamic program analysis to determine whether code is present that performs the functions required to validate all such digital signatures. If the dynamic analysis shows that the application does not validate digital signatures against a DoD-approved PKI certificate, this is a finding. Definitions of the mobile code categories are in DoD Instruction 8552.01.
Fix Text (F-39809r1_fix)
Modify the application so that it validates the digital signature on DoD Mobile Code Policy Category 1A and 2 mobile code against a DoD-approved PKI certificate and executes such code only when the signature validates.
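The check and fix text say what the application must do but not what a correct verifier looks like. What follows is an added example, not code from the STIG or from any DoD tool. It is written in Go using only the standard library so that it runs offline; a mobile application would make the same two checks with its platform's certificate and signature APIs. The artifact format (SignedCode), the constructed root CAs standing in for a DoD-approved PKI, the developer names and the sample payloads are all assumptions made for this example. It rejects unsigned code, code whose payload was altered after signing, and code signed under a root the application has not been configured to trust, which is the case a naive "is there a signature?" check misses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedCode is an assumed packaging for a mobile code artifact; real platforms
// use CMS/PKCS#7 or a native signing format, but the checks below are the same.
type SignedCode struct {
	Payload   []byte // the mobile code the app is about to execute
	Signature []byte // ASN.1 DER ECDSA-P256 signature over SHA-256(Payload)
	CertDER   []byte // signer's end-entity certificate, DER encoded
}

// VerifyMobileCode is the gate the requirement calls for: the signer must chain to a
// root in approved (the DoD-approved PKI, not the device's general trust store) and
// carry the code-signing EKU, and the signature must cover the payload. On error, do not execute.
func VerifyMobileCode(sc SignedCode, approved *x509.CertPool) (string, error) {
	if len(sc.Signature) == 0 || len(sc.CertDER) == 0 {
		return "", fmt.Errorf("unsigned mobile code: execution prohibited")
	}
	leaf, err := x509.ParseCertificate(sc.CertDER)
	if err != nil {
		return "", fmt.Errorf("signer certificate unparsable: %w", err)
	}
	// KeyUsages must be set explicitly: Go's default demands the TLS server-auth EKU.
	opts := x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("signer does not chain to an approved PKI: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(sc.Payload)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sc.Signature) {
		return "", fmt.Errorf("signature does not match payload (tampered, mis-signed, or unsupported key)")
	}
	return leaf.Subject.CommonName, nil
}

// Constructed fixture (not a real PKI); panicking on setup errors is fine here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca}
}

func newRoot(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := tmpl(cn, serial, true)
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)) // self-signed
	return must(x509.ParseCertificate(der)), key
}

func signCode(payload []byte, ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) SignedCode {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := tmpl(cn, serial, false)
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
	digest := sha256.Sum256(payload)
	return SignedCode{Payload: payload, CertDER: der, Signature: must(ecdsa.SignASN1(rand.Reader, key, digest[:]))}
}

// NewFixture returns the approved root pool and one constructed artifact per
// branch of the check: good, tampered, unsigned, untrusted.
func NewFixture() (*x509.CertPool, map[string]SignedCode) {
	code := []byte("mobile-code: alert('hello')") // constructed sample payload
	okCA, okKey := newRoot("Constructed Approved Root (stand-in for DoD PKI)", 1)
	badCA, badKey := newRoot("Constructed Unapproved Root", 2)
	good := signCode(code, okCA, okKey, "Example Developer", 10)
	pool := x509.NewCertPool()
	pool.AddCert(okCA)
	return pool, map[string]SignedCode{"good": good, "unsigned": {Payload: code},
		"tampered":  {Payload: []byte("mobile-code: exfiltrate()"), Signature: good.Signature, CertDER: good.CertDER},
		"untrusted": signCode(code, badCA, badKey, "Rogue Developer", 11)}
}

func main() {
	approved, artifacts := NewFixture()
	for name, sc := range artifacts {
		cn, err := VerifyMobileCode(sc, approved)
		fmt.Printf("%-9s signer=%q err=%v\n", name, cn, err)
	}
}
```

Two points for a real implementation that the example deliberately keeps simple: the approved roots should be pinned inside the application rather than taken from the device's system trust store, since a user or attacker can add roots there; and the example performs no revocation checking (CRL or OCSP), which a production verifier should add so that a compromised developer certificate can be withdrawn. In both cases the order matters: validation runs to completion before a single byte of the payload is executed.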