jeffblank edited this page Oct 22, 2015 · 17 revisions

XML Schema and Stylesheet Development Area

Top-level requirements

  • The elements of the schema must be sufficient to capture the information needed in a reciprocity report, and may capture additional information.
  • A stylesheet will need to be developed alongside the schema, to demonstrate at least one style of reciprocity report. Different organizations may customize the stylesheet to meet their needs, but a common schema is necessary to capture the essential data. The goal is to achieve a look-and-feel similar or identical to the worksheet developed by MAVSWG.
  • Each general area of the schema should correspond to Requirements for Vetting Mobile Apps from the Protection Profile for Application Software. The schema may of course need to contain security-relevant reporting that is not contained in the Protection Profile. Often, but not always, this should also indicate future changes for the Protection Profile.
  • Mobile app vetting tool vendors must be able to validate their output against the schema.

Essential Elements

The list below represents a working draft of items to include in the schema. Collection of the data below should enable analysts to create output similar to the Sample Mobile App Security Vetting Reciprocity Report provided in the Proposed Concept of Operations Supporting Reciprocity (22 Dec 2014).

  • ALC_CMC.1.1C - reference identifier for app
    • name
    • version
    • description
    • platform
    • SWID tags (optional)
    • hash (optional)
  • FCS_RBG_EXT.1.1 - use of any random bit generators
    • attribute: parameters and API used
  • FCS_STO_EXT.1.1 - list of any credentials stored/used
    • attribute: where they are stored
  • FDP_DEC_EXT.1.1 - list of hardware resources used
  • FDP_DEC_EXT.1.2 - list of sensitive information repositories
  • FDP_DEC_EXT.1.3 - list of any privileges beyond those necessary for functionality
  • FDP_DEC_EXT.1.4 - list of all non-user driven communications to servers
  • FDP_DEC_EXT.1.4 - list of any ports that the app opens, in order to respond to communications
  • FDP_DEC_EXT.1.5 - list of any PII transmitted
  • FTP_DIT_EXT.1.1 - protection of network transmissions
    • encrypted, not encrypted, sensitive
  • FDP_DAR_EXT.1.1 - list of data/files stored
    • attribute: encryption status/method
  • FMT_MEC_EXT.1.1 - list of any configuration options
  • FMT_CFG_EXT.1.1 - list of any default credentials
  • FMT_CFG_EXT.1.2 - list of files of the app and its data
    • attribute: permissions
  • FPT_TUD_EXT.1.4 - list of any binary code downloaded by app / self modification
  • FPT_LIB_EXT.1.1 - list of 3rd party libraries included with app
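
As an added illustration (not part of the schema under development, and not project code), the sketch below shows the kind of check a tool vendor could run on its output against the draft element list above. The requirement identifiers, the optional/required split for the app identifier, and the attribute meanings come from that list; every XML element and attribute name (`report`, `app`, `finding`, `item`, `requirement`, `location`, `encryption`, `permissions`, `protection`) is a hypothetical layout chosen for the example.

```python
import xml.etree.ElementTree as ET

# Requirement IDs and attributes come from the Essential Elements list above;
# every XML element and attribute name here is a hypothetical layout.
KNOWN_IDS = {
    "ALC_CMC.1.1C", "FCS_RBG_EXT.1.1", "FCS_STO_EXT.1.1", "FDP_DEC_EXT.1.1",
    "FDP_DEC_EXT.1.2", "FDP_DEC_EXT.1.3", "FDP_DEC_EXT.1.4", "FDP_DEC_EXT.1.5",
    "FTP_DIT_EXT.1.1", "FDP_DAR_EXT.1.1", "FMT_MEC_EXT.1.1", "FMT_CFG_EXT.1.1",
    "FMT_CFG_EXT.1.2", "FPT_TUD_EXT.1.4", "FPT_LIB_EXT.1.1",
}
APP_REQUIRED = ("name", "version", "description", "platform")  # SWID tags, hash optional
ITEM_ATTR = {"FCS_STO_EXT.1.1": "location", "FDP_DAR_EXT.1.1": "encryption",
             "FMT_CFG_EXT.1.2": "permissions"}
PROTECTION = {"encrypted", "not encrypted", "sensitive"}

def validate(xml_text):
    """Return a list of problems; an empty list means the report passed."""
    problems = []
    root = ET.fromstring(xml_text)
    app = root.find("app")  # carries the ALC_CMC.1.1C reference identifier
    if app is None:
        problems.append("missing <app> (ALC_CMC.1.1C)")
    else:
        for tag in APP_REQUIRED:
            if not (app.findtext(tag) or "").strip():
                problems.append(f"app/{tag} missing or empty")
    for finding in root.iter("finding"):
        req = finding.get("requirement")
        if req not in KNOWN_IDS:
            problems.append(f"unknown requirement {req!r}")
            continue
        for item in finding.findall("item"):
            attr = ITEM_ATTR.get(req)
            if attr and not item.get(attr):
                problems.append(f"{req}: item lacks {attr!r}")
            if req == "FTP_DIT_EXT.1.1" and item.get("protection") not in PROTECTION:
                problems.append(f"{req}: bad protection {item.get('protection')!r}")
    return problems

# Constructed sample report, not real tool output.
SAMPLE = """<report>
  <app><name>ExampleApp</name><version>1.0</version>
    <description>Constructed sample</description><platform>Android</platform></app>
  <finding requirement="FCS_STO_EXT.1.1"><item location="keystore">API token</item></finding>
  <finding requirement="FTP_DIT_EXT.1.1"><item protection="encrypted">login</item></finding>
  <finding requirement="FDP_DAR_EXT.1.1"><item>cache.db</item></finding>
</report>"""

if __name__ == "__main__":
    print(validate(SAMPLE))
```

Reports received from another organization are untrusted input, so a consumer would parse them with a hardened XML parser (for example the `defusedxml` package) before running checks like these.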
