
The mobile application must shut down or take an alternative organization defined action when it determines that one of its required security functions is unavailable.


Overview

Finding ID: V-35526
Version: SRG-APP-000200-MAPP-00044
Rule ID: SV-46813r1_rule
IA Controls: (none listed)
Severity: Medium
Description
While mobile applications rely primarily on the security controls of the mobile operating system (MOS), a mobile application may also contain security functions of its own that enable the device and user to operate securely. For example, the application may operate its own cryptographic modules to protect data at rest and data in transit. If a security function that would normally encrypt data at rest or data in transit, or perform some other security measure, is absent or non-functional, then the application's data, the device, and the network are at risk of exposure and intrusion by a malicious, unauthorized user. This requirement mitigates DoD risk from a device whose security posture has been weakened by failed or disabled security modules. When the application shuts down it must actually cease running, not merely deny service to the user; a process that only refuses requests may still hold unprotected data in memory. Other organization-defined response actions might include writing an entry to the audit log, notifying the user, or limiting access to particular application features, such as the ability to export data.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-43866r1_chk )
If the application does not contain security functions beyond those provided by the MOS, this requirement is not applicable. Perform a static analysis of the application and determine whether code is present that checks for the presence and availability of each required security function and, when a function is unavailable, shuts the application down or takes the organization-defined response action. If no such code exists, this is a finding.
Fix Text (F-40067r1_fix)
Modify the code to ensure the application shuts down or performs the organization-defined response action when one of its required security functions is unavailable.
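As an added example (not text or code from the STIG, and not any vendor's application), the following Python sketches the startup self-check that the description and fix text call for. It uses the standard library's hashlib, hmac and ssl modules as stand-ins for an application's own cryptographic module, runs a public known-answer test against each required function, and maps each failure to an organization-defined response. The policy table (which functions are fatal and which only disable data export), the function names and the feature map are assumptions for illustration; the same structure ports to an Android or iOS application.

```python
"""Startup self-check of an application's own security functions.

Added example, not from the STIG page: Python's hashlib/hmac/ssl stand in
for the app's own crypto module; the structure ports to Android or iOS.
"""
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

try:
    import ssl
except ImportError:  # a build without OpenSSL has no TLS function at all
    ssl = None

log = logging.getLogger("security-selfcheck")


class Action(Enum):
    """Organization-defined responses, most to least restrictive."""
    SHUTDOWN = 1        # terminate the process; do not merely refuse service
    DISABLE_EXPORT = 2  # keep running, but remove the data-export feature
    NOTIFY_USER = 3     # keep running, audit the event and warn the user


@dataclass(frozen=True)
class SecurityFunction:
    name: str
    probe: Callable[[], bool]  # True only if the function is present and works
    on_failure: Action         # response if this particular function fails


# Public known-answer vectors: FIPS 180-4 SHA-256("abc"), RFC 4231 HMAC test case 1.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_TC1 = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


def probe_sha256() -> bool:
    """Data-at-rest integrity primitive: must exist and pass its KAT."""
    try:
        return hashlib.sha256(b"abc").hexdigest() == SHA256_ABC
    except Exception:  # e.g. algorithm missing from the linked crypto backend
        return False


def probe_hmac_sha256() -> bool:
    try:
        mac = hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, HMAC_TC1)
    except Exception:
        return False


def probe_tls12() -> bool:
    """Data-in-transit function: a TLS context that refuses anything below 1.2."""
    if ssl is None:
        return False
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        return ssl.HAS_TLSv1_2 and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    except Exception:
        return False


# Hypothetical policy: losing a crypto primitive is fatal; losing TLS 1.2
# only removes the feature that would send data off the device.
REQUIRED: List[SecurityFunction] = [
    SecurityFunction("sha256", probe_sha256, Action.SHUTDOWN),
    SecurityFunction("hmac-sha256", probe_hmac_sha256, Action.SHUTDOWN),
    SecurityFunction("tls>=1.2", probe_tls12, Action.DISABLE_EXPORT),
]


def run_self_check(functions: List[SecurityFunction]) -> List[SecurityFunction]:
    """Probe every required function; return the ones that failed."""
    failed = []
    for fn in functions:
        ok = fn.probe()
        log.info("self-check %s: %s", fn.name, "ok" if ok else "FAILED")
        if not ok:
            failed.append(fn)
    return failed


def decide(failed: List[SecurityFunction]) -> Optional[Action]:
    """Most restrictive action among the failures wins; None if all passed."""
    if not failed:
        return None
    return min((fn.on_failure for fn in failed), key=lambda a: a.value)


def respond(action: Optional[Action], features: Dict[str, bool],
            terminate: Callable[[], None] = lambda: os._exit(1)) -> Dict[str, bool]:
    """Apply the action; return the feature map the app may keep using."""
    # os._exit skips atexit handlers and finally blocks, so nothing can
    # catch the shutdown; `terminate` is injectable only for unit tests.
    if action is None:
        return dict(features)
    log.error("AUDIT: required security function unavailable, action=%s", action.name)
    if action is Action.SHUTDOWN:
        terminate()
        return {k: False for k in features}  # reached only with an injected terminate
    if action is Action.DISABLE_EXPORT:
        return {k: (v and k != "export") for k, v in features.items()}
    log.warning("Security function degraded; notify the user")  # NOTIFY_USER
    return dict(features)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(respond(decide(run_self_check(REQUIRED)), {"export": True, "view": True}))
```

The SHUTDOWN path calls `os._exit(1)` rather than raising `SystemExit` or clearing a "logged in" flag: the requirement is that the process actually stops, and `os._exit` cannot be intercepted by an exception handler or an atexit hook. The `terminate` parameter exists only so that path can be unit-tested without killing the interpreter; production code would not expose it.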