
The mobile app must not change the file permissions of any files other than those dedicated to its own operation.


Overview

Finding ID: SRG-APP-000381-MAPP-000010
Version: SRG-APP-000381-MAPP-000010
Rule ID: SRG-APP-000381-MAPP-000010_rule
IA Controls: (none listed)
Severity: Medium
Description
A file's access level is pivotal to the security of a mobile app and its data. Modification of a file's permissions must be strictly controlled in order to maintain the integrity and confidentiality of the data stored. If file permissions are easily changed, attackers will try to gain any possible level of access and then escalate that level until they are able to obtain restricted data or make unapproved system modifications. This control mitigates the risk of privilege escalation by an unauthorized process or user resulting in data integrity and confidentiality issues. Please refer to CWEs: 250, 265, 272, and 284. The MApp SRG Overview contains additional information on the use of CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text (C-SRG-APP-000381-MAPP-000010_chk)
Perform a static program analysis to determine if the mobile app code attempts to change the file permissions of files external to the operation of the mobile app. If this is not feasible, perform a dynamic program analysis to determine if routine installation and operation of the mobile app changes the permissions of any files other than those dedicated to the app. In order to complete this analysis, the permissions after operation of the mobile app will have to be measured against a known baseline of all the file permissions in the file system. If static analysis is not feasible and the MOS does not permit visibility into file system permissions, then this should be marked "Not Reviewed". If data files not dedicated to the operation of the app can have their permission attributes modified by the app, this is a finding.
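The dynamic-analysis branch of the check above (baseline the file system's permissions, operate the app, re-measure, and compare while ignoring the app's own files) can be scripted. The following is an added example written for this page, not part of the SRG or of any reviewer tooling; the package directory names and the temporary directory tree it builds are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

def snapshot_permissions(root):
    """Map each path under root (relative, POSIX form) to its permission bits."""
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = stat.S_IMODE(os.lstat(p).st_mode)
    return snap

def permission_changes(baseline, after, app_paths):
    """Paths whose mode differs between the two snapshots, excluding those
    dedicated to the app. Any returned entry is a finding under MAPP-000010."""
    def dedicated(path):
        return any(path == a or path.startswith(a + "/") for a in app_paths)
    findings = {}
    for path, old in baseline.items():
        new = after.get(path)
        if new is not None and new != old and not dedicated(path):
            findings[path] = (old, new)
    return findings

def run_demo():
    """Constructed scenario: the app under test changes permissions on its own
    data file (allowed) and on another app's file (a finding)."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = Path(root, "data/com.example.app")            # hypothetical app dir
        other = Path(root, "data/com.other.app/secrets.db")     # hypothetical external file
        for f in (app_dir / "cache.db", other):
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"x")
            os.chmod(f, 0o600)
        baseline = snapshot_permissions(root)   # known baseline before operation
        os.chmod(app_dir / "cache.db", 0o644)   # dedicated to the app: permitted
        os.chmod(other, 0o666)                  # external file: must be reported
        after = snapshot_permissions(root)
        return permission_changes(baseline, after, ["data/com.example.app"])

if __name__ == "__main__":
    for path, (old, new) in run_demo().items():
        print(f"FINDING: {path} {oct(old)} -> {oct(new)}")
```

On a real device the two snapshots would be taken of the actual file system (where the MOS permits visibility into it) before and after routine installation and operation of the app, with the app's own directories listed as the dedicated paths.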
Fix Text (F-SRG-APP-000381-MAPP-000010_fix)
Modify the mobile app code so it does not change the file permission on any files not dedicated to the mobile app's operation.