Vuln ID | Severity | Title | Discussion
V-29894 | High | A security risk analysis must be performed on a mobile Operating System (OS) application by the DAA or DAA authorized approval authority prior to the application being approved for use. | Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected... |
V-25003 | Medium | A compliance rule must be set up in the server defining required mobile OS software versions. | Unapproved OS versions do not support required security features. |
V-27635 | Medium | Remote full device wipe must be enabled. | Sensitive DoD data could be compromised if mobile OS device data could not be wiped when directed by the system administrator. |
V-28297 | Medium | The smartphone password/passcode complexity (alphanumeric) must be set. | Sensitive DoD data could be compromised if a strong device unlock password/passcode is not set up on a DoD smartphone. The complexity of the password is a key factor in the strength of the... |
V-25019 | Medium | The smartphone Bluetooth radio must be disabled if not authorized for use. | The Bluetooth radio can be used by a hacker to connect to the iOS device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. |
V-25015 | Medium | iPhone screen capture must not be allowed. | Sensitive data could be copied into an email and sent over a non-DoD email link. |
V-25016 | Medium | The device minimum password/passcode length must be set. | Sensitive DoD data could be compromised if a device unlock password/passcode is not set to the required length on DoD smartphones. |
V-25017 | Medium | Apple iOS Auto-Lock must be set. | Sensitive DoD data could be compromised if the iOS device does not automatically lock after a set period of inactivity. |
V-25010 | Medium | The smartphone inactivity timeout must be set. | Sensitive DoD data could be compromised if the smartphone does not automatically lock after 15 minutes of inactivity. |
V-25011 | Medium | Passcode maximum failed attempts must be set to required value. | A hacker with unlimited attempts can determine the password of an iPhone / iPad within a few minutes using password hacking tools, which could lead to unauthorized access to the iPhone / iPad and... |
V-25012 | Medium | Access to public application stores must be disabled. | Strong configuration management of all applications installed on DoD device is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised. |
V-25013 | Medium | Users must not be allowed to download applications on smartphones without SA control. | Strong configuration management of all applications installed on DoD device is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised. |
V-25007 | Medium | iPhones must be configured to require a password/passcode for device unlock. | Sensitive DoD data could be compromised if a device unlock passcode is not set up on a DoD iPhone/iPad/iPod Touch device. |
V-25842 | Medium | The site must set up local operating procedures for initial provisioning and subsequent software and application updates using the procedures published in the STIG/ISCG Overview document. | Strong configuration management of applications on a smartphone is a key malware control. Most smartphones must have individual commercial web portal (e.g., iTunes, Android Market, etc.) accounts... |
V-26753 | Medium | A “Restriction” policy must be manually added to each iOS device managed by the site during the provisioning/setup process. | The restriction policy will prevent the user from accessing the Apple store and other unauthorized services, which could allow the download of malware or unapproved apps, before the... |
V-19899 | Medium | All wireless PDA client VPNs must have split tunneling disabled. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. Split tunneling could allow connections from non-secure Internet sites to access data on the DoD network. |
V-19898 | Medium | All wireless PDA clients used for remote access to DoD networks must have a VPN supporting CAC authentication. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. |
V-19897 | Medium | All wireless PDA clients used for remote access to DoD networks must have a VPN supporting AES encryption. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. |
V-25008 | Medium | The smartphone password complexity must be set to the required value. | Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD iPhone/iPad/iPod Touch device. |
V-25021 | Medium | When connecting an iOS device to a PC with iTunes, the user must not download an iOS software update, if prompted to do so by iTunes (User Based Enforcement (UBE)). | The security posture of the iOS system depends on strict configuration management control of all software installed on the device, including operating system version. Otherwise, the security... |
V-25022 | Medium | All smartphones must display the required banner during device unlock/logon. | DoD CIO memo requires all PDAs, BlackBerrys, and smartphones to have a consent banner displayed during logon/device unlock to ensure users understand their responsibilities to safeguard DoD data. |
V-24981 | Medium | Smartphone devices must have required operating system software version installed. | Required security features are not available in earlier OS versions. In addition, there are known vulnerabilities in earlier versions. |
V-24983 | Medium | S/MIME must be installed on smartphones so users can sign/encrypt email. | S/MIME provides the capability for users to send and receive S/MIME email messages from wireless email devices. S/MIME and digital signatures provide assurance the message is authentic and is... |
V-25006 | Medium | iPhones must be configured to require a password to remove the iPhone configuration profile. | Sensitive DoD data could be compromised if a security profile is not installed on DoD iPhone/iPad/iPod Touch devices. The profile should only be removed by the system administrator. |
V-18627 | Medium | The VPN client on wireless clients (PDAs, smartphones) used for remote access to DoD networks must be FIPS 140-2 validated. | DoD data could be compromised if transmitted data is not secured with a compliant VPN. FIPS validation provides a level of assurance that the encryption of the device has been securely implemented. |
V-24986 | Low | All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board. | Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected... |
V-25051 | Low | Location services must be turned off on the smartphone during device provisioning. | Smartphone location services allow applications to gather information about the location of the handheld device and possibly forward it to servers located on the Internet. This is an operational... |
V-25033 | Low | iOS Safari must be enabled or disabled based on system requirements. | The Safari browser could be used to connect to web sites with malware. The browser should be enabled if required by the iOS system and when properly configured. |
V-25018 | Low | The smartphone passcode history setting must be set. | The passcode would be more susceptible to compromise if the user can select frequently used passcodes. |
V-25014 | Low | Smartphone cameras must be used only if documented approval is in the site physical security policy. | This is an operational security issue. DoD sensitive information could be compromised if cameras are allowed in areas not authorized by the site physical security plan. |
V-25092 | Low | The iOS device Wi-Fi setting "Ask to Join Networks" must be set to "On" at all times (User Based Enforcement (UBE)). | The Wi-Fi radio can be used by a hacker to connect to the iOS device without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the... |
V-25093 | Low | The Safari web browser AutoFill feature must be disabled on an iOS device (this is a User Based Enforcement (UBE) feature). | When AutoFill is enabled, sensitive DoD information or personal information could automatically be sent to a non-DoD web site. |
V-25757 | Low | The SA must change the iOS device profile passwords every 365 days or sooner. | Sensitive DoD data could be compromised if a security profile is not installed on DoD iOS devices. The profile should only be removed by the SA. When a new profile is pushed to an iOS device, the... |
V-25756 | Low | Encrypted smartphone backups must be enabled. | The act of connecting an iOS device to a PC can put it at risk of attack if the PC is compromised. The iOS device should sync to a minimum number of approved machines. It should not sync to... |
V-25755 | Low | Access to online application purchases must be disabled. | Strong configuration management of all applications installed on a DoD device is required to ensure the security baseline of the system is maintained. Otherwise, sensitive DoD data could be compromised. |
V-26559 | Low | The Personal Hotspot feature of the smartphone OS must be disabled if it does not meet DoD WLAN or Bluetooth security requirements and is not approved by the IAO. | The Wi-Fi radio and Bluetooth radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device... |
V-24984 | Low | If smartphone email auto signatures are used, the signature message must not disclose the email originated from a smartphone (e.g., “Sent From My Wireless Handheld”). | The disclaimer message may give information which may key an attacker in on the device. |
V-25009 | Low | Maximum passcode age must be set. | Sensitive DoD data could be compromised if a strong device unlock passcode is not set up on a DoD iPhone/iPad/iPod Touch device and the passcode is not changed periodically. |
V-25020 | Low | The smartphone device Wi-Fi radio must be disabled as the default setting and is enabled only when Wi-Fi connectivity is required. | The Wi-Fi radio can be used by a hacker to connect to the smartphone without the knowledge of the user. Sensitive DoD data could be exposed and the hacker could use the device to attack the enclave. |
V-24982 | Low | Smart Card Readers (SCRs) used with smartphones must have required software version installed. | Required security features are not available in earlier software versions. In addition, there may be known vulnerabilities in earlier versions. |
V-24985 | Low | The Good Internet proxy must be enabled. | A DoD Internet proxy provides additional security over the carrier's browser. When using the DoD Internet proxy for iOS device Internet connections, enclave Internet security controls will filter... |
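Most of the passcode and restriction rows above (V-25006, V-25007, V-25009, V-25010, V-25011, V-25012, V-25015, V-25016, V-25018, V-25093, V-25755, V-25756, V-28297) are enforced on iOS through a configuration profile (.mobileconfig plist) rather than by the user, so a practical check is to audit the profile the site pushes before it is deployed. The script below is an added example and is not part of the STIG or of any Apple or DISA tool. The payload types and keys (com.apple.mobiledevice.passwordpolicy, com.apple.applicationaccess, HasRemovalPasscode, etc.) are the documented Apple configuration profile keys; the mapping from STIG IDs to keys, and every numeric threshold except the 15-minute inactivity limit stated in V-25010, are this example's own assumptions to be replaced with the site's required values. Both sample profiles are constructed inline.

```python
"""Audit an iOS configuration profile (.mobileconfig plist) against the
passcode and restriction rows in the STIG table above.

Added example, not part of the STIG or of any Apple or DISA tool. Payload
types and keys follow Apple's Configuration Profile Reference; the STIG-ID
to key mapping and every threshold except the 15-minute inactivity limit
(V-25010) are assumptions.
"""
import plistlib

PW_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
RESTRICT_PAYLOAD = "com.apple.applicationaccess"
REMOVAL_PAYLOAD = "com.apple.profileRemovalPassword"

# Passcode policy keys: (STIG ID, limit, whether the limit is a minimum or a
# maximum). Only maxInactivity (15 minutes) comes from the table; the other
# numbers are placeholders for the site's required values.
THRESHOLDS = {
    "minLength":         ("V-25016", 6,  "min"),
    "maxFailedAttempts": ("V-25011", 10, "max"),
    "maxInactivity":     ("V-25010", 15, "max"),  # also covers V-25017 auto-lock
    "pinHistory":        ("V-25018", 3,  "min"),
    "maxPINAgeInDays":   ("V-25009", 90, "max"),
}

# Restriction keys: (STIG ID, required value). iOS defaults to the opposite
# value when a key is absent, so a missing key counts as a finding.
RESTRICTIONS = {
    "allowScreenShot":      ("V-25015", False),
    "allowAppInstallation": ("V-25012", False),
    "allowInAppPurchase":   ("V-25755", False),
    "safariAllowAutoFill":  ("V-25093", False),
    "forceEncryptedBackup": ("V-25756", True),
}


def audit_profile(profile_bytes: bytes) -> list:
    """Return one finding string per failed check; an empty list passes."""
    profile = plistlib.loads(profile_bytes)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []

    # V-25006: removing the profile must require a password.
    if not profile.get("HasRemovalPasscode", False) or REMOVAL_PAYLOAD not in payloads:
        findings.append("V-25006: profile can be removed without a password")

    pw = payloads.get(PW_PAYLOAD)
    if pw is None:
        findings.append("V-25007: no passcode policy payload")
    else:
        if not pw.get("forcePIN", False):
            findings.append("V-25007: forcePIN is not true")
        # V-28297 / V-25008: alphanumeric, non-simple passcode.
        if pw.get("allowSimple", True) or not pw.get("requireAlphanumeric", False):
            findings.append("V-28297: alphanumeric passcode not enforced")
        for key, (vid, limit, kind) in THRESHOLDS.items():
            value = pw.get(key)
            if value is None:
                findings.append(f"{vid}: {key} not set, so no limit is enforced")
            elif (kind == "min" and value < limit) or (kind == "max" and value > limit):
                findings.append(f"{vid}: {key}={value} violates {kind} limit {limit}")

    rest = payloads.get(RESTRICT_PAYLOAD, {})
    for key, (vid, required) in RESTRICTIONS.items():
        if rest.get(key, not required) != required:
            findings.append(f"{vid}: {key} must be {required}")
    return findings


def build_profile(removal_password, passcode_policy, restrictions) -> bytes:
    """Construct a minimal profile plist. Sample data, not a real site profile."""
    content = []
    if passcode_policy is not None:
        content.append({"PayloadType": PW_PAYLOAD, "PayloadVersion": 1,
                        "PayloadIdentifier": "example.passcode", **passcode_policy})
    if restrictions is not None:
        content.append({"PayloadType": RESTRICT_PAYLOAD, "PayloadVersion": 1,
                        "PayloadIdentifier": "example.restrictions", **restrictions})
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.profile", "PayloadContent": content}
    if removal_password:
        profile["HasRemovalPasscode"] = True
        content.append({"PayloadType": REMOVAL_PAYLOAD, "PayloadVersion": 1,
                        "PayloadIdentifier": "example.removal",
                        "RemovalPassword": removal_password})
    return plistlib.dumps(profile)


# Constructed sample: a profile that only forces a 4-digit simple passcode.
WEAK_PROFILE = build_profile(None, {"forcePIN": True, "allowSimple": True,
                                    "minLength": 4}, {"allowScreenShot": True})

# Constructed sample: every checked key set to a compliant value.
HARDENED_PROFILE = build_profile(
    "example-removal-password",
    {"forcePIN": True, "allowSimple": False, "requireAlphanumeric": True,
     "minLength": 6, "maxFailedAttempts": 10, "maxInactivity": 15,
     "pinHistory": 3, "maxPINAgeInDays": 90},
    {key: required for key, (_, required) in RESTRICTIONS.items()},
)

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(blob) or ["no findings"])
```

Run against a real exported profile with `audit_profile(open("site.mobileconfig", "rb").read())`; a signed profile must first be unwrapped from its CMS envelope, which this example does not do. The UBE items in the table (V-25021, V-25092, V-25093's on-device setting, V-25020) have no profile key and still need the user-based check the STIG describes.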