
The mobile application must not record or forward sensor data unless explicitly authorized to do so.


Overview

Finding ID: V-35755
Version: SRG-APP-999999-MAPP-00075
Rule ID: SV-47042r1_rule
IA Controls:
Severity: High
Description
Sensors include the GPS, gyroscope, accelerometer, camera, and microphone. When sensor data is either recorded locally or sent to a remote server, the potential exists for an adversary to obtain sensitive information that could be used to harm the user or compromise information systems. In particular, when location data is forwarded, the user may be physically targeted. User safety and mission assurance risks are mitigated when sensor data is only collected or forwarded when expressly authorized.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44099r1_chk)
Perform a static program analysis to determine if the application accesses any sensor data during its operation. If it does not, then there is no finding. If it does, perform a static or dynamic program analysis to determine whether the application either locally records the sensor information or forwards it to another host. If it does either of these, then verify that the activity is authorized. If it is not authorized, then this is a finding.
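As an added example (not part of the STIG or any reference tool), a per-file triage script for the static-analysis step of this check: it flags source files that both call a sensor API and call a local-storage or network API, which an assessor then reviews for authorization. The API name lists are assumptions chosen to represent common Android sensor, storage and network calls.

```python
"""Triage helper for the check above. Constructed heuristic: per-file keyword
matching, not a real data-flow analysis. Sensor data read in one file and
forwarded from another is NOT caught, so a reviewer still traces cross-file
flows and confirms whether the recording/forwarding is authorized."""
import re
from typing import Dict, List

# Android API identifiers (assumed set) for the sensors the requirement names:
# GPS, gyroscope, accelerometer, camera, microphone.
SENSOR_APIS = {
    "location": r"\b(LocationManager|FusedLocationProviderClient|getLastKnownLocation|requestLocationUpdates)\b",
    "motion": r"\b(SensorManager|TYPE_ACCELEROMETER|TYPE_GYROSCOPE|registerListener)\b",
    "camera": r"\b(Camera|CameraManager|CameraDevice)\b",
    "microphone": r"\b(AudioRecord|MediaRecorder)\b",
}
# APIs that persist data on the device ("records") or send it to another host ("forwards").
RECORD_APIS = r"\b(FileOutputStream|openFileOutput|SharedPreferences|SQLiteDatabase|MediaStore)\b"
FORWARD_APIS = r"\b(HttpURLConnection|OkHttpClient|Socket|Retrofit|sendTextMessage)\b"

# Constructed snippets standing in for decompiled application sources.
SAMPLE = {
    "MapActivity.java": "LocationManager lm = getLm(); lm.requestLocationUpdates(p, 0, 0, cb); view.setText(loc.toString());",
    "Telemetry.java": "Location loc = client.getLastKnownLocation(); HttpURLConnection c = open(url); c.getOutputStream().write(loc.toString().getBytes());",
    "Settings.java": "SharedPreferences p = getSharedPreferences(NAME, 0); p.edit().putBoolean(KEY, true).apply();",
}


def scan_file(src: str) -> dict:
    """Report which sensor categories a file touches and whether it records or forwards."""
    sensors: List[str] = [name for name, pat in SENSOR_APIS.items() if re.search(pat, src)]
    return {"sensors": sensors,
            "records": bool(re.search(RECORD_APIS, src)),
            "forwards": bool(re.search(FORWARD_APIS, src))}


def evaluate(files: Dict[str, str]) -> dict:
    """Apply the check's decision tree: no sensor access -> no finding; sensor access
    that is neither recorded nor forwarded -> no finding; otherwise list the files
    whose recording/forwarding must be confirmed as authorized."""
    per_file = {name: scan_file(src) for name, src in files.items()}
    accesses = {n for n, r in per_file.items() if r["sensors"]}
    if not accesses:
        return {"status": "no finding", "reason": "no sensor access", "review": []}
    review = sorted(n for n in accesses if per_file[n]["records"] or per_file[n]["forwards"])
    if not review:
        return {"status": "no finding", "reason": "sensor data neither recorded nor forwarded", "review": []}
    return {"status": "review authorization", "reason": "sensor data recorded or forwarded", "review": review}


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

On the constructed sample only Telemetry.java is flagged: MapActivity.java reads location but only displays it, and Settings.java writes to storage but reads no sensor.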
Fix Text (F-40300r1_fix)
Remove code that records or forwards sensor data or cease using the mobile application.