An app maintains a secure state when there is strong assurance that each of its state transitions is consistent with the app's security policy. For many mobile apps, the only state for which the state is known to be compliant is the initial state because it does not have a documented security policy regarding state transitions. An app could be compromised, providing an attack vector to the app and OS if initialization, shutdown, and aborts are not designed to keep the app in a secure state. If the app fails without closing or shutting down processes or open sessions; authentication and validation mechanisms are considered weak and do not provide sufficient protection against unauthorized access to the application and all stored data. In applying this control, the app can be secured to its initial level of security in the event the app crashes or terminates. This will mitigate the threat of an unauthorized user taking control of the device and accessing the app and stored data, compromising its integrity and confidentiality. |