
The mobile application must identify potentially security-relevant error conditions.


Overview

Finding ID:  V-35699
Version:     SRG-APP-000265-MAPP-00058
Rule ID:     SV-46986r1_rule
IA Controls: (none listed)
Severity:    Medium
Description
The structure and content of error messages need to be carefully considered by the organization and the development team. The extent to which the application is able to identify and handle error conditions is guided by organizational policy and operational requirements. An error condition can occur when an attacker provides unexpected values at an input prompt, causing the mobile application to crash or forcing it to consume excessive resources such as battery, memory and CPU. It can also expose the application to data confidentiality and integrity issues if the attacker uses the fault to gain control of the device. Applying this control ensures that security-relevant issues arising from the correctness of input data are addressed.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-44042r1_chk )
The reviewer is only required to check whether the mobile application identifies improper inputs, unless there are specific known error conditions that require additional investigation.

Perform a dynamic analysis by fuzzing all user inputs of the application: supply invalid, unexpected, or random data to each input. Test with invalid sizes and types, attempt to exceed the buffer limits of the input fields, and supply the wrong type of data, for example character data in a numeric field. If the application requires the entry of IP addresses and cannot handle 128-bit IPv6 formats, this is a finding. If the application cannot handle IPv6 formats yet still accepts hexadecimal characters and colons in the address field instead of rejecting them, this is a finding.

Perform a static analysis to determine whether code is present that, when executed, checks input data against defined constraints. If no input validation code is present, this is a finding.
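The following is an added example written for this page; it is not part of the SRG and not code from any particular mobile application. It shows, in Python, what the static and dynamic parts of the check are looking for: a validation layer that checks every field against defined constraints and reports violations as one identifiable error type, beside the weak character-class check on an address field that the check text flags, and a fuzz harness that drives invalid, oversized and random data through every field and records any exception that is not a controlled validation error. The field names ("port", "server"), the 64-character length limit and the sample inputs are constructed for the example.

```python
"""Input validation plus fuzz harness (added example, not from the SRG)."""
import ipaddress
import random
import string

MAX_FIELD_LEN = 64  # hypothetical limit; a real app takes this from its spec


class ValidationError(ValueError):
    """Raised for any input that violates a field's defined constraints.

    Every rejected input surfaces as this one type, so the caller can log the
    field and reason and keep running instead of crashing on a stray exception.
    """

    def __init__(self, field, reason):
        super().__init__(f"{field}: {reason}")
        self.field = field
        self.reason = reason


def validate_port(field, raw):
    """Numeric field: ASCII digits only, within 1..65535."""
    if len(raw) > MAX_FIELD_LEN:
        raise ValidationError(field, "exceeds length limit")
    # isascii() first: str.isdigit() alone accepts Unicode digits int() rejects
    if not (raw.isascii() and raw.isdigit()):
        raise ValidationError(field, "non-numeric characters")
    value = int(raw)
    if not 1 <= value <= 65535:
        raise ValidationError(field, "out of range")
    return value


def weak_validate_ip(field, raw):
    """The pattern the check text flags: any run of hex digits, dots and colons
    passes as an 'address', so IPv6-looking strings the app cannot handle get
    through, and so does nonsense such as 'dead.beef' or ':::'."""
    allowed = set(string.hexdigits + ".:")
    if raw and set(raw) <= allowed:
        return raw
    raise ValidationError(field, "illegal characters")


def validate_ip(field, raw, allow_v6=True):
    """Parse against the real address grammar; refuse IPv6 explicitly if the
    application does not support it, rather than silently accepting it."""
    if len(raw) > MAX_FIELD_LEN:
        raise ValidationError(field, "exceeds length limit")
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        raise ValidationError(field, "not a valid IPv4 or IPv6 address") from None
    if addr.version == 6 and not allow_v6:
        raise ValidationError(field, "IPv6 not supported by this application")
    return str(addr)


def weak_overacceptance(samples):
    """Inputs the character-class check accepts but the strict parser rejects
    (strict run with IPv6 disabled, i.e. an app that cannot handle IPv6)."""
    leaked = []
    for raw in samples:
        try:
            weak_validate_ip("server", raw)
        except ValidationError:
            continue
        try:
            validate_ip("server", raw, allow_v6=False)
        except ValidationError:
            leaked.append(raw)
    return leaked


# Constructed inputs: wrong types, out of range, oversized, IPv6, junk bytes.
SEED_CASES = ["", " ", "0", "-1", "65536", "9" * 40, "1e3", "\u0663\u0664",
              "1.2.3.4", "1.2.3", "256.1.1.1", "2001:db8::1", "::1", ":::",
              "dead.beef", "A" * 5000, "\x00", "'; DROP TABLE x--"]

FIELDS = {"port": validate_port, "server": validate_ip}


def fuzz_inputs(iterations=2000, seed=1):
    """Drive seed cases plus random strings through every field.

    Returns counts of accepted/rejected inputs and a list of crashes: any
    exception other than ValidationError, which is exactly an error condition
    the application failed to identify.
    """
    rng = random.Random(seed)
    alphabet = string.printable + "\u00e9\u4e2d\x00"
    cases = list(SEED_CASES)
    for _ in range(iterations):
        cases.append("".join(rng.choice(alphabet)
                             for _ in range(rng.randint(0, 300))))
    stats = {"accepted": 0, "rejected": 0, "crashes": []}
    for field, check in FIELDS.items():
        for raw in cases:
            try:
                check(field, raw)
                stats["accepted"] += 1
            except ValidationError:
                stats["rejected"] += 1
            except Exception as exc:  # anything else is an unidentified error
                stats["crashes"].append((field, repr(raw), repr(exc)))
    return stats


if __name__ == "__main__":
    result = fuzz_inputs()
    print(f"accepted={result['accepted']} rejected={result['rejected']} "
          f"crashes={len(result['crashes'])}")
    print("weak check leaks:", weak_overacceptance(SEED_CASES))
```

For the static part of the check, the evidence the reviewer wants is the presence of functions like `validate_port` and `validate_ip` on every input path and a single catch point for `ValidationError`; for the dynamic part, an empty `crashes` list after fuzzing is the passing result, while a non-empty `weak_overacceptance` list is the IPv6/hexadecimal finding described above.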
Fix Text (F-40242r1_fix)
Modify the application code so that it identifies potentially security-relevant error conditions, such as input that fails validation against defined constraints.