Mobile Application Security Requirements Guide


Overview

Date: 2014-07-22
Finding Count: 37 (CAT I (High): 0; CAT II (Med): 37; CAT III (Low): 0)
STIG Description
The Mobile Application Security Requirements Guide (SRG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
SRG-APP-000057-MAPP-000017 Medium The mobile app must enforce organization-defined limitations on the embedding of data types within other data types.
SRG-APP-000393-MAPP-000100 Medium The mobile app must implement organization-defined out-of-band authentication under organization-defined conditions.
SRG-APP-000439-MAPP-000100 Medium The mobile app must protect the confidentiality and integrity of transmitted information.
SRG-APP-000141-MAPP-000031 Medium The mobile app must not include source code, unreferenced code or subroutines that are never invoked during operation, except for software components and libraries from approved third-party products.
SRG-APP-000033-MAPP-000010 Medium The mobile app must not modify, request, or assign values for operating system parameters unless necessary to perform application functions.
SRG-APP-000033-MAPP-000011 Medium The mobile app must not execute as a privileged operating system process unless necessary to perform any app functions.
SRG-APP-000133-MAPP-000030 Medium The mobile app must not enable other applications or non-privileged processes to modify software libraries.
SRG-APP-000342-MAPP-000100 Medium The mobile app must prevent organization-defined software from executing at higher privilege levels than users executing the software.
SRG-APP-000516-MAPP-000069 Medium The mobile app must not call functions vulnerable to buffer overflows.
SRG-APP-000516-MAPP-000068 Medium The mobile app must not be vulnerable to integer arithmetic vulnerabilities.
SRG-APP-000516-MAPP-000041 Medium Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 or Class 4 certificates and hardware tokens that protect the user's private key.
SRG-APP-000516-MAPP-000040 Medium Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use approved PKI Class 3 certificates or prepositioned keying material.
SRG-APP-000516-MAPP-000065 Medium The mobile app must remove temporary files when it terminates.
SRG-APP-000516-MAPP-000064 Medium The mobile app code must not contain hardcoded references to resources external to the app.
SRG-APP-000516-MAPP-000067 Medium The mobile app must clear or overwrite memory blocks used to process potentially sensitive data. Sensitive data may include PII, a user's location, or authentication credentials.
SRG-APP-000516-MAPP-000066 Medium The mobile app must remove cookies or information used to track a user's identity when it terminates.
SRG-APP-000033-MAPP-000012 Medium A mobile app must not call APIs or otherwise invoke resources external to the mobile app unless such activity serves the documented purposes of the mobile app.
SRG-APP-000388-MAPP-000100 Medium The mobile app, when conditions defined in CCI-0002856, CP-12 are detected, must enter a safe mode of operation defined in CCI-0002857, CP-12.
SRG-APP-000267-MAPP-000060 Medium The mobile app must not transmit error messages to any entity other than authorized audit logs, the MDM, or the device display.
SRG-APP-000243-MAPP-000049 Medium The mobile app must not write data to persistent memory accessible to other applications.
SRG-APP-000514-MAPP-000100 Medium If the underlying MOS does not provide NIST FIPS-validated crypto modules, the mobile app must implement NIST FIPS-validated cryptography for the following: to provision digital signatures; to generate cryptographic hashes; and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SRG-APP-000449-MAPP-000100 Medium The mobile app must validate information output from software programs and/or applications defined in SI-15, CCI-0002770 to ensure the information is consistent with the expected content.
SRG-APP-000392-MAPP-000100 Medium The mobile app must electronically verify Personal Identity Verification (PIV) credentials.
SRG-APP-000225-MAPP-000047 Medium The mobile app must fail to an initial state when the application unexpectedly terminates, unless it maintains a secure state at all times.
SRG-APP-000391-MAPP-000100 Medium The mobile app must accept Public Key Infrastructure (PKI) credentials.
SRG-APP-000142-MAPP-000032 Medium The mobile app must utilize ports or protocols in a manner consistent with DoD Ports and Protocols guidance.
SRG-APP-000372-MAPP-000100 Medium The mobile app must synchronize internal information system clocks to the MOS-based authoritative time source.
SRG-APP-000516-MAPP-000034 Medium The mobile app must not lock or set permissions on application files in a manner such that the operating system or an approved backup application cannot copy the files.
SRG-APP-000416-MAPP-000100 Medium The mobile app must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SRG-APP-000516-MAPP-000038 Medium Mobile apps involved in the production, control, and distribution of symmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.
SRG-APP-000516-MAPP-000039 Medium Mobile apps involved in the production, control, and distribution of asymmetric cryptographic keys must use NIST approved or NSA approved key management technology and processes.
SRG-APP-000516-MAPP-000078 Medium Unless the MOS manages app signing, the mobile app installation package must be digitally signed in accordance with FIPS 186-3 approved methods.
SRG-APP-000516-MAPP-000077 Medium The mobile app source code must not contain adware or known malware.
SRG-APP-000381-MAPP-000010 Medium The mobile app must not change the file permissions of any files other than those dedicated to its own operation.
SRG-APP-000516-MAPP-000075 Medium The mobile app must not record or forward sensor data unless explicitly authorized to do so.
SRG-APP-000516-MAPP-000073 Medium The mobile app must initialize all parameter values on startup.
SRG-APP-000516-MAPP-000071 Medium The mobile app must not be vulnerable to race conditions.