
The mobile app must remove cookies or information used to track a user's identity when it terminates.


Overview

Finding ID: SRG-APP-000516-MAPP-000066
Version: SRG-APP-000516-MAPP-000066
Rule ID: SRG-APP-000516-MAPP-000066_rule
IA Controls:
Severity: Medium
Description
If the app does not remove temporary data, such as authentication data, temporary files containing sensitive data, and cookies, that data can be reused if the device is lost or stolen. Such information could also be used to track the user across app sessions or even across different apps, which poses an OPSEC risk. The temporary data could be used to reauthenticate as the user or to gain unauthorized access to sensitive data. Removing cookies gives the DoD greater assurance that intruders and unauthorized users cannot use the temporary data to access the system, read sensitive data, or compromise its integrity.
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text ( C-SRG-APP-000516-MAPP-000066_chk )
Determine if the app uses cookies or otherwise saves information used to track a user's identity. Perform a dynamic program analysis by launching the app and performing a transaction that would cause a cookie or other information tracking a user's identity to be downloaded onto the device. A baseline of file hashes for all app files may be needed to check whether changes have occurred after the app exits. If the cookie or other information tracking a user's identity remains, this is a finding.
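The hash-baseline comparison described in the check above, as an added example that is not part of the SRG text: it hashes the app's data directory before the transaction, re-hashes it after the app has exited, and flags new or changed files whose name or content suggests identity-tracking state. The sandbox layout, the cookie and token values, and the TRACKING_HINTS list are constructed here for illustration and would be tailored to the app under review.

```python
import hashlib
import tempfile
from pathlib import Path

# Substrings that commonly mark identity-tracking state (assumption: the assessor
# extends this for the app under review; names and contents are both scanned).
TRACKING_HINTS = ("cookie", "session", "token", "auth")


def hash_tree(root):
    """Map each file (path relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def residual_tracking_state(root, before):
    """Re-hash the sandbox after the app exits; report files that were added or
    modified since the baseline, and the subset that looks like tracking state."""
    after = hash_tree(root)
    changed = sorted(p for p in after if before.get(p) != after[p])
    suspect = []
    for rel in changed:
        body = (Path(root) / rel).read_bytes().lower()
        if any(h in rel.lower() or h.encode() in body for h in TRACKING_HINTS):
            suspect.append(rel)
    return {"changed": changed, "suspect": suspect}


def is_finding(report):
    """Per the check text: any remaining identity-tracking data is a finding."""
    return bool(report["suspect"])


def demo():
    """Constructed sample sandbox: baseline, a transaction that leaves a cookie
    and a token behind, then an exit with no cleanup."""
    with tempfile.TemporaryDirectory() as sandbox:
        root = Path(sandbox)
        (root / "cache").mkdir()
        (root / "cache" / "images.bin").write_bytes(b"\x00" * 16)
        (root / "prefs.xml").write_text("<prefs/>")
        before = hash_tree(root)  # baseline taken before the transaction
        # Transaction: server sets a session cookie, app persists an auth token.
        (root / "cookies").mkdir()
        (root / "cookies" / "session.db").write_text("SESSIONID=constructed-value")
        (root / "prefs.xml").write_text("<prefs><auth_token>constructed</auth_token></prefs>")
        # App terminates here without removing anything; compare against baseline.
        return residual_tracking_state(root, before)
```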
Fix Text (F-SRG-APP-000516-MAPP-000066_fix)
Configure or code the app to remove cookies or other information used to track the user's identity before the application exits.