
The mobile application must close opened network ports at the end of the application session or after an organization defined time period of inactivity.


Overview

Finding ID: V-35516
Version: SRG-APP-000190-MAPP-00037
Rule ID: SV-46803r1_rule
IA Controls:
Severity: Low
Description
Ports that are not closed when an application terminates or after a predefined period of inactivity leave the device exposed to attacks that exploit ports that remain open. For example, wireless ports such as Wi-Fi and Bluetooth are both vulnerable to an adversary in a war driving scenario. In this event, the unauthorized user has the potential to access the device, compromising the security posture of the stored data. Applying this control mitigates the threat of malicious exploitation of open and unprotected ports, which can lead to data integrity and confidentiality risks.
STIG Date
Mobile Application Security Requirements Guide 2013-01-04

Details

Check Text (C-43856r1_chk)
Perform a documentation review to assess whether the application complies with DoD PPSM-related guidance. If the documentation review is inconclusive, perform a dynamic program analysis to assess whether the application closes ports after it has terminated a session or after an organizationally defined time period. This may include the use of port scanners or protocol analyzers. Next, perform a static program analysis to assess whether executable code is present that scans the status of the ports used by the application. The code must be able to identify all ports used and force a port closure following termination of the mobile application session. Termination of the application can occur either through user action or through an unexpected crash. Code must also be present that detects a period of user inactivity and forces a closure of all ports. If the documentation review, dynamic program analysis or static program analysis reveals that ports are not closed automatically, either following a session's termination or following a predefined timeout period, this is a finding.
Fix Text (F-40057r1_fix)
Modify code to close network ports when the application closes or after a period of inactivity.
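
The following added example (not part of the SRG or of any DoD tooling) illustrates the behavior the Check Text and Fix Text call for: a registry that tracks every listening port the application opens, closes them all at session end or after an inactivity timeout, and a loopback probe that confirms closure as the dynamic analysis step would. The names PortRegistry, port_is_open and demo, and the 0.2-second timeout, are assumptions made for illustration; a mobile application would implement the same pattern in its platform language.

```python
import socket
import time


class PortRegistry:
    """Tracks every listening socket the app opens so all can be force-closed."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds; organization-defined (assumed value)
        self._socks = []
        self._last_activity = time.monotonic()

    def open_listener(self, host="127.0.0.1"):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))  # port 0 lets the OS pick a free port
        s.listen(1)
        self._socks.append(s)
        return s.getsockname()[1]

    def touch(self):
        self._last_activity = time.monotonic()  # call on each user interaction

    def close_all(self):
        """Session end (user exit or crash handler): close every tracked port."""
        socks, self._socks = self._socks, []
        for s in socks:
            s.close()
        return len(socks)

    def enforce_idle(self):
        """Close all ports once the idle timeout has elapsed; True if it fired."""
        if time.monotonic() - self._last_activity >= self.idle_timeout:
            self.close_all()
            return True
        return False


def port_is_open(port, host="127.0.0.1"):
    """Dynamic check: does a TCP connect to the port succeed?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(0.5)
        return probe.connect_ex((host, port)) == 0


def demo():
    reg = PortRegistry(idle_timeout=0.2)  # constructed value for the demo
    port = reg.open_listener()
    before = port_is_open(port)  # listener is up
    time.sleep(0.3)  # no touch(): the user is idle
    return before, reg.enforce_idle(), port_is_open(port)
```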