
The mobile application must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display.


Overview

Finding ID: V-35701
Version: SRG-APP-000267-MAPP-00060
Rule ID: SV-46988r1_rule
IA Controls:
Severity: Low
Description
Error messages that are transmitted outside of the application environment reveal weaknesses in the application and create the potential for exposure to malicious users. By default, many error messages contain data pertaining to the session, the ports, and the user, and in some instances their authentication credentials. Through this control, any issues that an application may have are restricted to the user and to the personnel who have access to audit logs.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44044r3_chk)
Perform a static program analysis to assess whether any errors are transmitted to any entity other than audit logs, the MDM, or the user display. Do the following:
- launch the application
- create an error condition using incorrect input
- observe any error messages that result on screen
- observe where any log files containing error messages are stored

If the static program analysis reveals that error messages are sent to an entity other than a user-defined audit log, the MDM, or the device screen, this is a finding.
Fix Text (F-40244r1_fix)
Modify code to send error messages only to MOS audit logs, the MDM, or the device display.
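The check text asks for a static analysis of where error text goes, and the fix text names the three permitted destinations. As an added example (not part of the STIG or any vendor tooling), the Python scan below walks Java/Kotlin-style source line by line and flags exception messages or stack traces passed to any call other than the OS log, the device display, or an MDM reporting API; the allowed sink names, the `MdmAgent.report` API, and the sample catch block are assumptions constructed for the demonstration.

```python
import re

# Sinks this check accepts: MOS log facilities, the device display, and the
# MDM agent. "MdmAgent.report" is an assumed name standing in for whatever
# MDM SDK the application actually uses.
ALLOWED_SINKS = re.compile(
    r"\b(?:Log\.[vdiwe]|EventLog\.writeEvent|Toast\.makeText|MdmAgent\.report)\s*\("
)
# Methods that produce error text: exception messages and stack traces.
SOURCE_METHODS = ("getMessage", "getLocalizedMessage", "getStackTrace",
                  "getStackTraceString")
ERROR_SOURCE = re.compile(r"\b\w+\.(?:%s)\s*\(" % "|".join(SOURCE_METHODS))
ASSIGNMENT = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=(?!=)\s*(.+)$")
CALL = re.compile(r"\b((?:\w+\.)*\w+)\s*\(")


def find_error_leaks(source: str) -> list[tuple[int, str]]:
    """Return (line_number, callee) for every call that receives error text
    through a sink not in ALLOWED_SINKS. Heuristic and line-level: a variable
    assigned from an error source counts as error text for the rest of the
    file (no scoping), and a line holding both a permitted and a forbidden
    sink is treated as permitted."""
    tainted: set[str] = set()
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0].strip().rstrip(";")   # drop comments
        carries_error = bool(ERROR_SOURCE.search(code)) or any(
            re.search(r"\b%s\b" % re.escape(v), code) for v in tainted)
        if not carries_error:
            continue
        m = ASSIGNMENT.match(code)
        if m:                        # e.g. String msg = e.getMessage()
            tainted.add(m.group(1))
            code = m.group(2)        # the right-hand side may itself be a sink
        if ALLOWED_SINKS.search(code):
            continue                 # log, display or MDM: permitted
        callees = [c for c in CALL.findall(code)
                   if c.rsplit(".", 1)[-1] not in SOURCE_METHODS]
        if callees:                  # outermost call is the receiving sink
            findings.append((lineno, callees[0]))
    return findings


# Constructed Android-style catch block: two permitted destinations and two
# non-permitted ones for the same error text.
SAMPLE = """\
try {
    session.refresh(token);
} catch (IOException e) {
    String msg = e.getMessage();
    Log.e(TAG, msg);                                     // MOS log: allowed
    Toast.makeText(ctx, msg, Toast.LENGTH_SHORT).show(); // display: allowed
    analytics.track("refresh_failed", msg);              // third party: finding
    crashClient.post(Log.getStackTraceString(e));        // remote server: finding
}
"""

if __name__ == "__main__":
    for lineno, callee in find_error_leaks(SAMPLE):
        print(f"line {lineno}: error text passed to {callee}")
```

Run against real sources, the scan is a triage aid for the manual review the check text requires; string-typed sinks and comments containing `//` inside string literals will produce noise.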