The mobile application must provide notification of failed automated security tests.


Overview

Finding ID: V-35709
Version: SRG-APP-000275-MAPP-00062
Rule ID: SV-46996r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Automated security tests may include checking the cryptographic hash of key application files, and verifying the presence of critical MOS services, the presence of a VPN connection, correct file permissions, or other security functionality. The need to verify security functionality applies to all security functions, and can be met through automated security tests of the application. When an application fails one of its automated security tests because security components are unavailable or non-functional, the application can no longer protect itself to the level of security it would provide were those components functional. In applying this control, the application can raise an alarm and/or automatically notify the user that a security test has failed, which gives the user a greater level of security by telling them that the application should stop being used. Logging the event is also an acceptable means of notification.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44052r1_chk)
If an application does not include its own automated security tests, then this check does not apply. If the application documentation or website does not describe an automated security test, it can be presumed that one does not exist. For applications that have their own automated security tests, perform a dynamic program analysis to assess whether the application sends an alert or notification to the MOS logs, the MDM, or the user upon the failure of an automated security test. The testing must force a condition in which one of the application's security tests is purposely failed. If the application does not alert the OS, the MDM, or the user of an automated security test failure, this is a finding.
Fix Text (F-40252r1_fix)
Modify code to send a notification to the MOS logs, MDM, or user when an application fails an automated security test.
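As an added illustration of the description and fix text above (not part of the STIG text or any vendor's code), a platform-neutral Python sketch of such a self-test: two of the checks the description names (key-file hash and file permissions), a runner that logs and notifies on every failure, and a constructed demo that purposely tampers with the key file, which is the failed condition the check procedure requires the tester to force. The file name, check names and the notify callback are assumptions; a real app would route notify to a user dialog or the MDM agent.

```python
import hashlib, logging, os, stat, tempfile
from typing import Callable, Dict, List

log = logging.getLogger("app.selftest")

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_file_hash(path: str, expected_hex: str) -> bool:
    # Integrity test: a key application file must match the digest recorded at build time.
    return os.path.isfile(path) and sha256_of(path) == expected_hex

def check_file_permissions(path: str) -> bool:
    # Permission test: the file must not be writable by group or others.
    return not (os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def run_security_tests(tests: Dict[str, Callable[[], bool]],
                       notify: Callable[[str], None]) -> List[str]:
    # Log every failure AND hand it to the notify hook (user dialog / MDM agent in a real app); return failed names.
    failed = []
    for name, test in tests.items():
        try:
            ok = test()
        except Exception as exc:  # a crashing test counts as a failure, never a pass
            log.error("security test %s raised %s", name, exc)
            ok = False
        if not ok:
            log.error("SECURITY TEST FAILED: %s", name)
            notify(f"Security self-test '{name}' failed; stop using the application.")
            failed.append(name)
    return failed

def demo(tamper: bool) -> List[str]:
    # Constructed scenario: key file checked intact; with tamper=True it is modified after the baseline so the hash test purposely fails.
    with tempfile.TemporaryDirectory() as d:
        key_file = os.path.join(d, "policy.json")
        with open(key_file, "w") as f:
            f.write('{"vpn_required": true}')
        os.chmod(key_file, 0o600)
        expected = sha256_of(key_file)  # stands in for the build-time baseline digest
        if tamper:
            with open(key_file, "a") as f:
                f.write("\n// modified after install")
        tests = {"key_file_hash": lambda: check_file_hash(key_file, expected),
                 "key_file_perms": lambda: check_file_permissions(key_file)}
        return run_security_tests(tests, notify=lambda msg: print("NOTIFY:", msg))
```

Running demo(True) is the forced-failure condition from the check text: the permission test still passes, the hash test fails, and the failure reaches both the log and the notify hook.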