The mobile application must not write data to persistent memory accessible to other applications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35642	SRG-APP-000243-MAPP-00049	SV-46929r1_rule		Medium

Description
Persistent memory is memory that retains data even when the device is no longer powered on. It is often referred to as non-volatile memory and is typically used for file storage. If the application shares the same location of persistent memory with that used by other applications to include encrypted data, then the data is at great risk to exposure through being available to other applications after the application has shut down or a user session has terminated. Furthermore, even though the OS will always be able to read files, other applications that share the same persistent memory are potentially less secure and thus offer an accessible means for malicious intruders to retrieve this information through the other application. In many operating environments, assigning unique process IDs to each application facilitates their separation from one another. In applying this control, the user will be less susceptible to malicious intrusion and extrusion of data that resides in areas shared by other applications.

Description

Persistent memory is memory that retains data even when the device is no longer powered on. It is often referred to as non-volatile memory and is typically used for file storage. If the application shares the same location of persistent memory with that used by other applications to include encrypted data, then the data is at great risk to exposure through being available to other applications after the application has shut down or a user session has terminated. Furthermore, even though the OS will always be able to read files, other applications that share the same persistent memory are potentially less secure and thus offer an accessible means for malicious intruders to retrieve this information through the other application. In many operating environments, assigning unique process IDs to each application facilitates their separation from one another. In applying this control, the user will be less susceptible to malicious intrusion and extrusion of data that resides in areas shared by other applications.

STIG	Date
Mobile Application Security Requirements Guide	2013-01-04

Details

Check Text ( C-43984r1_chk )
If the mobile OS on which the mobile application resides does not permit the application to share persistent memory, then the application is compliant with this IA control. If the above control is not available, perform a static program analysis to assess if the application ever modifies the permissions of files to enable other applications to read or modify the files. If the static program analysis reveals that the application grants permissions that enable the application to share its area of persistent memory with other applications or processes, this is a finding. If the static program analysis reveals that the application's persistent memory is not secured and can be addressed and used by other applications and processes that allow file permissions to be changed, this is a finding. When applicable, examine the file permissions of files created by the application. If they permit other applications to access the files, this is a finding.

Check Text ( C-43984r1_chk )

If the mobile OS on which the mobile application resides does not permit the application to share persistent memory, then the application is compliant with this IA control. If the above control is not available, perform a static program analysis to assess if the application ever modifies the permissions of files to enable other applications to read or modify the files. If the static program analysis reveals that the application grants permissions that enable the application to share its area of persistent memory with other applications or processes, this is a finding. If the static program analysis reveals that the application's persistent memory is not secured and can be addressed and used by other applications and processes that allow file permissions to be changed, this is a finding. When applicable, examine the file permissions of files created by the application. If they permit other applications to access the files, this is a finding.

Fix Text (F-40184r1_fix)
Modify code and architecture to assure the application does not share its persistent memory allocation with other applications and processes and does not address areas of persistent memory used by other applications and processes.