
Applications providing a login capability must also provide a logout functionality to allow the user to manually terminate the session.


Overview

Finding ID: V-35563
Version: SRG-APP-000221-MAPP-NA
Rule ID: SV-46850r1_rule
IA Controls:
Severity: Medium
Description
An application that does not allow the user to log out leaves the application and all stored data vulnerable to unauthorized access if an adversary is able to unlock the device and re-launch the application or continue the prior session. If a user cannot log out of a mobile application, an adversary could continue to use the previous user's session, access the stored data with malicious intent, and compromise the integrity and confidentiality of the data. This control provides the DoD greater assurance that the device and all stored data are less vulnerable to malicious action in the event a device is stolen or found.

Rationale for non-applicability: The MAPP SRG does not require user authentication. Since there is no requirement for a login capability, there similarly is no requirement to provide a logout capability.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-43903r1_chk)
This requirement is NA for the MAPP SRG.
Fix Text (F-40104r1_fix)
The requirement is NA. No fix is required.