
The mobile application must remove cookies or information used to track a user's identity when it terminates.


Overview

Finding ID: V-35749
Version: SRG-APP-999999-MAPP-00066
Rule ID: SV-47036r1_rule
IA Controls: (none listed)
Severity: Low
Description
If the application does not remove temporary data, such as authentication data, temporary files containing sensitive data, and cookies, that data can be used again if the device is lost or stolen. Such information could also be used to track the user across application sessions or even across different applications, which poses an OPSEC risk. The temporary data could be used to re-authenticate as the user or to gain unauthorized access to sensitive data. Removing cookies gives DoD greater assurance that intruders and unauthorized users cannot read the temporary data and use it to access the system, read sensitive data, or compromise the integrity of sensitive data.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text ( C-44093r1_chk )
Determine whether the application uses cookies or otherwise saves information used to track a user's identity. Perform a dynamic program analysis by launching the application and performing a transaction that would cause a cookie or other identity-tracking information to be downloaded onto the device. A baseline of hashes of all application files may be needed to check whether changes have occurred. If the cookie or other identity-tracking information remains after the application terminates, this is a finding.
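The baseline-and-compare step of this check, as an added example that is not part of the STIG itself: the script hashes every file under the application's data directory before the transaction and again after the application exits, then reports any new or changed file whose name looks like a cookie or session artifact. The data directory, the file-name patterns and the sample files are all constructed assumptions and should be adjusted for the application under test.

```python
import hashlib
import os
import re
import tempfile

# Assumed name patterns for identity-tracking artifacts; tune these per application.
TRACKING_PATTERNS = [r"cookie", r"session", r"token", r"auth"]


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def residual_artifacts(baseline, after_exit):
    """Files that are new or changed since the baseline and whose names match a
    tracking pattern. Each one is a finding: the app exited but the artifact remains."""
    changed = {p for p, d in after_exit.items() if baseline.get(p) != d}
    return sorted(p for p in changed
                  if any(re.search(pat, os.path.basename(p), re.I)
                         for pat in TRACKING_PATTERNS))


def demo():
    """Constructed scenario: an app data directory before the transaction and after exit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Library", "Cookies"))
        with open(os.path.join(root, "config.plist"), "w") as f:
            f.write("baseline config\n")
        baseline = snapshot(root)
        # The transaction: the server sets a session cookie and the app writes a cache file.
        cookie = os.path.join(root, "Library", "Cookies", "Cookies.binarycookies")
        with open(cookie, "wb") as f:
            f.write(b"SESSIONID=constructed-value")
        with open(os.path.join(root, "cache.db"), "wb") as f:
            f.write(b"image cache")
        # The app terminates. A compliant app deletes the cookie here; this one does not.
        return residual_artifacts(baseline, snapshot(root))


if __name__ == "__main__":
    print("Findings:", demo())
```

The cache file is reported as changed but not as a finding, because only artifacts matching a tracking pattern are flagged; a clean exit yields an empty list.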
Fix Text (F-40294r1_fix)
Configure or redesign the application to remove cookies or other information used to track the user's identity before the application exits.