
The mobile application must define a character set for data inputs.


Overview

Finding ID: V-35660
Version: SRG-APP-000251-MAPP-00053
Rule ID: SV-46947r1_rule
IA Controls: (blank)
Severity: Low
Description
Characters entered into an application's input fields that fall outside a defined set can lead to unpredictable results and leave the application's stored data vulnerable. Without a defined character set, unexpected input that uses another character set encoding could cause the application to behave unpredictably and allow an intruder, by manipulating certain characters, to gain the access and privileges of authorized users. Defining the character set for input gives users a stronger security posture, because only a defined set of characters, filtered for use with the application, is accepted. Please refer to CWEs 74, 78, and 88 for further information. Additional information on CWEs is found in the MAPP SRG Overview.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-44002r1_chk )
For mobile applications that accept character data, perform a static program analysis of the application, checking for the declaration of the character set. Next, perform a dynamic program analysis and test the application with invalid sizes and types: supply input that attempts to exceed the buffer limits of the input fields, and put the wrong types of data in the input fields (for example, character data in a numeric field). If the static analysis reveals that no character set was declared, this is a finding. If the dynamic analysis reveals that invalid input is not rejected, such as numbers being accepted where only alphabetic characters are required, this is a finding. As a further example, if the application requires the entry of IP addresses but is not capable of handling IPv6 formats, which are 128 bits long, this is a finding. If the application is not capable of handling IPv6 formats yet accepts characters in hexadecimal notation, including colons, this is a finding.
Fix Text (F-40202r1_fix)
Modify the code to define a fixed character set for the application's inputs.
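The following Python is an added illustration of what the check and fix text ask for; it is not part of the STIG and not any vendor's application code. Each field declares its own character set and size limit, the input encoding is fixed to UTF-8, type checks run only after the allow-list passes, and the address field accepts both 32-bit IPv4 and 128-bit IPv6 forms (hexadecimal groups with colons). The field names, limits and the choice of UTF-8 are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class FieldSpec:
    allowed: frozenset[str]  # the declared character set for this field
    max_len: int             # buffer limit, enforced before any parsing
    kind: str = "text"       # "text", "numeric" or "ip"

ALPHA = frozenset(string.ascii_letters)
DIGITS = frozenset(string.digits)
IP_CHARS = frozenset(string.hexdigits + ".:")  # dotted-quad IPv4 or hex groups with colons for IPv6

# Hypothetical field definitions for illustration; names and limits are assumptions.
FIELDS = {
    "username": FieldSpec(ALPHA, 32),
    "port": FieldSpec(DIGITS, 5, "numeric"),
    "address": FieldSpec(IP_CHARS, 45, "ip"),  # 45 = longest textual IPv6 form
}

def validate(field: str, raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for the raw bytes submitted to the named field."""
    spec = FIELDS[field]
    # 1. One encoding is fixed for the application; bytes that are not valid UTF-8 are rejected.
    try:
        value = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    # 2. Size check before any further processing (the buffer-limit test in the check text).
    if not 1 <= len(value) <= spec.max_len:
        return False, f"length must be 1..{spec.max_len}"
    # 3. Allow-list: every character must belong to the field's declared set.
    bad = sorted(set(value) - spec.allowed)
    if bad:
        return False, f"characters outside declared set: {bad!r}"
    # 4. Type check: numeric range, or a parseable 32-bit IPv4 / 128-bit IPv6 address.
    if spec.kind == "numeric":
        if not 0 <= int(value) <= 65535:
            return False, "port out of range"
    elif spec.kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False, "not a valid IPv4 or IPv6 address"
        return True, f"IPv{addr.version}"
    return True, "ok"
```

The static-analysis half of the check corresponds to the explicit `allowed` set on every `FieldSpec`; the dynamic-analysis half corresponds to the length, allow-list and type checks rejecting oversized, mistyped or malformed values.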