
The mobile application must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission.


Overview

Finding ID: V-35698
Version: SRG-APP-000264-MAPP-00057
Rule ID: SV-46985r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Unencrypted sensitive application data could be intercepted in transit. Encrypting data in transit protects it from being extricated, modified, or used for malicious purposes. When the data is encrypted prior to transmission, the risk of unauthorized disclosure from interception, and of subsequent use of the intercepted data, is greatly reduced.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44041r1_chk)
If the operating system encrypts all data in transit or the mobile application leverages a VPN client that encrypts all data in transit, then the mobile application is compliant and the requirement is not applicable. Otherwise, perform a dynamic program analysis with a protocol analyzer to determine if the application is protecting data in transit. If the data in transit is not encrypted, this is a finding.
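One way to triage the protocol analyzer output during this check, as an added example that is not part of the SRG: it assumes the first client-to-server payload of each TCP flow has been exported from the capture, and classifies it by TLS record framing versus readable plaintext. The function names, flow labels and sample payloads are hypothetical and constructed for illustration.

```python
import string

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
PRINTABLE = set(string.printable.encode())

def looks_like_tls_record(payload: bytes) -> bool:
    """True if the payload begins with a well-formed TLS record header."""
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= 2**14 + 2048)

def classify_payload(payload: bytes) -> str:
    """Return 'tls', 'cleartext', 'unknown' or 'empty' for one payload."""
    if not payload:
        return "empty"
    if looks_like_tls_record(payload):
        return "tls"
    printable_ratio = sum(b in PRINTABLE for b in payload) / len(payload)
    # Mostly readable bytes means the data is exposed on the wire.
    # Anything else may be proprietary encoding and needs manual review.
    return "cleartext" if printable_ratio >= 0.9 else "unknown"

def triage(flows):
    """Map each flow label to its verdict."""
    return {flow_id: classify_payload(payload) for flow_id, payload in flows}

def finding_flows(flows):
    """Flows that carry readable data and therefore constitute a finding."""
    return [fid for fid, verdict in triage(flows).items() if verdict == "cleartext"]

# Constructed sample payloads (not taken from a real capture).
SAMPLE_FLOWS = [
    # TLS handshake record header followed by a truncated, zero-filled ClientHello
    ("flow-1", b"\x16\x03\x01\x00\x2f" + b"\x01\x00\x00\x2b\x03\x03" + bytes(41)),
    # Plain HTTP request carrying credentials
    ("flow-2", b"POST /login HTTP/1.1\r\nHost: api.example.test\r\n\r\nuser=alice&pin=1234"),
    # Binary data with no TLS framing: not provably encrypted
    ("flow-3", bytes([0x9C, 0xF1, 0x07, 0xE3, 0x88, 0x00, 0xD4, 0xAA])),
]

if __name__ == "__main__":
    for flow_id, verdict in triage(SAMPLE_FLOWS).items():
        print(f"{flow_id}: {verdict}")
```

A "tls" verdict only confirms TLS framing; certificate validation and cipher strength still need to be examined in the analyzer, and "unknown" flows need manual review before they are treated as encrypted.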
Fix Text (F-40241r1_fix)
Configure the application, or leverage the OS or other applications that provide protection of data in transit. Otherwise, modify the code to provide such protections.