
The mobile application must not include sensitive information in system logs not necessary for IA functions.


Overview

Finding ID: V-35700
Version: SRG-APP-000266-MAPP-00059
Rule ID: SV-46987r1_rule
IA Controls: (none listed)
Severity: Medium
Description
The application must generate only the messages needed for corrective action, without revealing organization-defined sensitive or potentially harmful information. An application that puts too much information into system logs, or into administrative messages shown on screen, risks compromising its data and the security of both the application and the system. This control gives DoD greater assurance that authentication credentials are not exposed to internal users or to malicious external users when an error occurs. See CWE-388 for further information; the MAPP SRG Overview contains additional information on CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-44043r2_chk )
Perform a dynamic program analysis to determine whether error reporting messages contain the user's credentials, or details of the application's code, structure and internal workings that could be exploited:
- log in to the application
- create an error condition using incorrect input
- observe any error messages that result, both on screen and in whatever the application writes to the device or system log
- assess each error message for any authentication credential (password, token, session identifier)

If the dynamic program analysis reveals error messages that contain user credentials, this is a finding.
Fix Text (F-40243r1_fix)
Modify the application's logging functions so that sensitive information not necessary for IA functions is excluded from everything written to the logs.
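The following is an added example and is not part of the SRG, the STIG Viewer, or any DISA tooling. It uses Python's standard `logging` module as a stand-in for a mobile application's logging layer to show both halves of this requirement: the check (log in, trigger an error with bad input, and test whether the resulting message contains a credential) and the fix (a logging filter that strips credential material before anything reaches a log). The credential values, field names, and the `vulnerable_login_error` / `hardened_login_error` functions are constructed for illustration and are hypothetical, not taken from any real application.

```python
import logging
import re
from io import StringIO

# Constructed sample credentials used only to drive the check; not real accounts.
SAMPLE_CREDENTIALS = {
    "username": "jdoe",
    "password": "Tr0ub4dor&3",
    "session_token": "eyJhbGciOi.fake.sig",
}
# Keys whose values count as authentication credentials for the check (assumption).
CREDENTIAL_KEYS = ("password", "session_token")


def vulnerable_login_error(creds, exc):
    """'Before' form: dumps the whole login request, credentials included."""
    return f"Login failed for request {creds!r}: {exc}"


def hardened_login_error(creds, exc):
    """'After' form: only what an operator needs to act on, no secret material."""
    return f"Login failed for user {creds['username']!r}: {type(exc).__name__}"


def leaked_credentials(message, creds):
    """Check step 4: names of credentials whose values appear verbatim in the message."""
    return sorted(k for k in CREDENTIAL_KEYS if creds.get(k) and creds[k] in message)


class RedactingFilter(logging.Filter):
    """Scrubs credential material from every record before any handler sees it.

    Two layers: a key=value / key: value pattern for common secret field names,
    and literal replacement of known secret values in case a field name slips past.
    """
    KEY_PATTERN = re.compile(
        r"(?i)\b(\w*(?:password|passwd|pwd|token|secret|authorization)\w*)"
        r"(['\"]?\s*[:=]\s*['\"]?)([^'\",\s}]+)"
    )

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = [s for s in known_secrets if s]

    def scrub(self, text):
        text = self.KEY_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
        for secret in self.known_secrets:
            text = text.replace(secret, "[REDACTED]")
        return text

    def filter(self, record):
        # Render the message once, scrub it, and drop args so it is not re-formatted.
        record.msg = self.scrub(record.getMessage())
        record.args = ()
        return True


def capture_log(message, known_secrets=()):
    """Emit one ERROR record through the redacting filter and return the log text."""
    buf = StringIO()
    logger = logging.getLogger("mapp.srg.demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter(known_secrets))
    logger.error(message)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    exc = ValueError("bad input")  # check step 2: an error caused by incorrect input
    for label, fn in (("vulnerable", vulnerable_login_error), ("hardened", hardened_login_error)):
        msg = fn(SAMPLE_CREDENTIALS, exc)
        print(f"{label}: {msg}\n  leaked: {leaked_credentials(msg, SAMPLE_CREDENTIALS)}")
    secrets = [SAMPLE_CREDENTIALS[k] for k in CREDENTIAL_KEYS]
    print("filtered:", capture_log(vulnerable_login_error(SAMPLE_CREDENTIALS, exc), secrets), end="")
```

The filter is deliberately the last line of defence, not the fix itself: `hardened_login_error` shows the intended remedy, which is to never put the credential into the message in the first place, and `leaked_credentials` is the assessor's test from the check text. Running the module prints the vulnerable message with its leaked fields, the hardened message with none, and the filtered log line in which both secret values have been replaced.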