
The mobile application must clear or overwrite memory blocks used to process sensitive data.


Overview

Finding ID: V-35748
Version: SRG-APP-999999-MAPP-00067
Rule ID: SV-47035r1_rule
IA Controls:
Severity: Medium
Description
Sensitive data in memory should be cleared or overwritten to protect data that may otherwise be available to an attacker looking for ways to recover data that appears to have been erased. Unless an application overwrites memory blocks, an attacker may be able to cause the application to crash and then analyze a memory dump of the application for sensitive information. Clearing memory assures the DoD that the application can operate more securely, with greater protection applied to sensitive data, which is properly removed when it is no longer required. Additional overwriting requirements may be applicable to classified applications. Please refer to CWEs 14, 226, 244, and 591 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-44092r1_chk )
If the application does not contain sensitive or classified information, this check is not applicable. Furthermore, if the MOS on which the application runs clears memory whenever an application releases it, this check is not applicable. Otherwise, perform a dynamic program analysis of the application and assess how memory blocks are cleared of sensitive or classified data. This will likely require the use of a MOS emulator. If the application releases memory blocks before clearing them, this is a finding.
Fix Text (F-40293r1_fix)
Modify code to clear memory blocks used for storing sensitive and classified data before the memory is released to other processes.
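As an added illustration of this fix (example code, not part of the STIG or any vendor implementation), the C snippet below shows a clearing routine that is not removed by compiler dead-store elimination (CWE-14, cited in the Description above) and a check that a heap block holding sensitive data is all zeros before it is released. SAMPLE_PIN, secure_clear, is_all_zero and process_pin are constructed names for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample "sensitive data": a PIN that is held only while used. */
#define SAMPLE_PIN "4921"

/* Clear a buffer through a volatile pointer. A plain memset() immediately
 * followed by free() may be dropped by the optimizer as a dead store
 * (CWE-14); the volatile qualifier forces every byte to actually be written. */
void secure_clear(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Return 1 if every byte in buf[0..n) is zero, else 0. */
int is_all_zero(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulate processing sensitive data in a heap block, optionally clear it
 * before release, and report whether the block was zero at the moment it
 * was handed back to the allocator.
 * Returns 1 if the block was cleared before free(), 0 if it still held the
 * PIN, or -1 on allocation failure. */
int process_pin(int clear_before_free) {
    size_t n = sizeof(SAMPLE_PIN);          /* includes the terminating NUL */
    unsigned char *buf = malloc(n);
    if (buf == NULL) {
        return -1;
    }
    memcpy(buf, SAMPLE_PIN, n);

    /* ... the PIN would be verified here while it is needed ... */

    if (clear_before_free) {
        secure_clear(buf, n);
    }
    /* The check runs before free(): reading a released block is undefined. */
    int cleared = is_all_zero(buf, n);
    free(buf);
    return cleared;
}
```

Where the platform provides memset_s (C11 Annex K) or explicit_bzero, those serve the same purpose as secure_clear and should be preferred.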