The mobile app must enforce organization-defined limitations on the embedding of data types within other data types.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
SRG-APP-000057-MAPP-000017	SRG-APP-000057-MAPP-000017	SRG-APP-000057-MAPP-000017_rule		Medium

Description
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Information flow enforcement mechanisms compare security attributes on all information (data content and data structure), source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. Embedding of data within other data is often used for the surreptitious transfer of data. For example, embedding data within an image file (e.g., .jpg) is referred to as steganography and is used to circumvent protections in place to protect information.

Description

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Information flow enforcement mechanisms compare security attributes on all information (data content and data structure), source and destination objects, and respond appropriately (e.g., block, quarantine, alert administrator) when the mechanisms encounter information flows not explicitly allowed by the information flow policy. Embedding of data within other data is often used for the surreptitious transfer of data. For example, embedding data within an image file (e.g., .jpg) is referred to as steganography and is used to circumvent protections in place to protect information.

STIG	Date
Mobile Application Security Requirements Guide	2014-07-22

Details

Check Text ( C-SRG-APP-000057-MAPP-000017_chk )
If the organization has no defined limitations on the embedding of data types within other data types, this requirement is NA. Perform a static program analysis to determine whether the mobile app contains code to limit the embedding of data types within other data types according to organization-defined specifications. Alternatively, perform a dynamic program analysis to determine if the app enforces the restriction in operation. This will require embedding data in other data in a manner that violates the organization-defined limitations, and then verifying the mobile app enforces the limitation. If the mobile app neither contains code to enforce the restriction nor can be demonstrated to enforce the organization-defined restriction, this is a finding.

Check Text ( C-SRG-APP-000057-MAPP-000017_chk )

If the organization has no defined limitations on the embedding of data types within other data types, this requirement is NA. Perform a static program analysis to determine whether the mobile app contains code to limit the embedding of data types within other data types according to organization-defined specifications. Alternatively, perform a dynamic program analysis to determine if the app enforces the restriction in operation. This will require embedding data in other data in a manner that violates the organization-defined limitations, and then verifying the mobile app enforces the limitation. If the mobile app neither contains code to enforce the restriction nor can be demonstrated to enforce the organization-defined restriction, this is a finding.

Fix Text (F-SRG-APP-000057-MAPP-000017_fix)
Configure or code the mobile app to limit the ability to embed data types within other data types.