
All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.


Overview

Finding ID: V-24986
Version: WIR-MOS-iOS-006-01
Rule ID: SV-30785r1_rule
IA Controls: DCCB-1, ECWN-1
Severity: Low
Description
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.
STIG: Apple iOS 4 (Good Mobility Suite) Interim Security Configuration Guide (ISCG)
Date: 2011-11-07

Details

Check Text (C-31202r1_chk)
Detailed Requirements:
Core applications are applications included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.

-Since Apple iOS is not FIPS 140-2 validated, iOS non-core applications can only be approved if they meet one of the following conditions:
--The application does not save any data; or
--The application saves data and uses a FIPS 140-2 validated encryption model to save the data inside the application.

Check Procedures:
-Select 3-4 random devices managed by the site to review.

-Make a list of non-core applications on each device.
--Have the user log into the device. View all App icons on the home screen or in folders on the home screen.
--If an App is not in the list of core Apps (see below), then note the name of the App.
--Verify the site has written approval to use the App from the DAA or site IT CCB.
--Verify the DAA or site IT CCB has performed an analysis on each approved application to determine if it saves data inside the application and meets the required conditions. Documentation should be available to show a security reviewer that this analysis was completed.

-Mark as a finding if any App has not been approved or the required analysis for an approved application was not completed.

A list of standard core iOS device Apps can be found in the ISCG Configuration Tables document.

Note: The DAA or IT CCB should also indicate if location services are approved for any approved applications, including core applications (e.g., can the user enable location services in iOS for the application).
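The check procedure above can be applied to an exported app inventory rather than by hand. The following is an added example, not part of the STIG or the UCF STIG Viewer; the core-app list, approval records and device inventories are constructed sample data (the real core list lives in the ISCG Configuration Tables document).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    """Record the DAA / IT CCB keeps for one approved non-core app (constructed schema)."""
    analysis_completed: bool    # data-storage analysis is documented
    saves_data: bool            # app stores data inside itself
    fips_140_2_encryption: bool  # stored data uses FIPS 140-2 validated encryption

    def meets_conditions(self) -> bool:
        # Check text: the app saves no data, or saves it with FIPS 140-2 validated encryption.
        return not self.saves_data or self.fips_140_2_encryption


def evaluate_device(device: str, installed: set[str], core_apps: set[str],
                    approvals: dict[str, Approval]) -> list[str]:
    """Return one finding per non-compliant non-core app on a device."""
    findings = []
    for app in sorted(installed - core_apps):  # carrier-added apps are non-core too
        approval = approvals.get(app)
        if approval is None:
            findings.append(f"{device}: {app} has no DAA/IT CCB approval")
        elif not approval.analysis_completed:
            findings.append(f"{device}: {app} approved but data-storage analysis not documented")
        elif not approval.meets_conditions():
            findings.append(f"{device}: {app} saves data without FIPS 140-2 validated encryption")
    return findings


def evaluate_site(inventory: dict[str, set[str]], core_apps: set[str],
                  approvals: dict[str, Approval]) -> list[str]:
    """Run the per-device check over the sampled devices and collect all findings."""
    findings = []
    for device, installed in inventory.items():
        findings.extend(evaluate_device(device, installed, core_apps, approvals))
    return findings


# Constructed sample data: placeholder names, not a real site's inventory.
CORE_APPS = {"Mail", "Safari", "Calendar"}
APPROVALS = {
    "NotesApp": Approval(True, False, False),   # saves nothing: compliant
    "DocVault": Approval(True, True, True),     # saves data with FIPS module: compliant
    "ChatTool": Approval(False, False, False),  # approved, analysis never done: finding
    "SyncApp": Approval(True, True, False),     # saves data unencrypted: finding
}
INVENTORY = {
    "device-01": {"Mail", "Safari", "NotesApp", "DocVault"},
    "device-02": {"Mail", "ChatTool", "SyncApp", "Weather"},  # Weather: unapproved
}

if __name__ == "__main__":
    for finding in evaluate_site(INVENTORY, CORE_APPS, APPROVALS):
        print("FINDING:", finding)
```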
Fix Text (F-27627r2_fix)
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.