All non-core applications on mobile devices must be approved by the DAA or Command IT Configuration Control Board.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-24986	WIR-MOS-NS-006-01	SV-40110r2_rule	DCCB-1 ECWN-1	Low

Description
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board (CCB) is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.

Description

Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board (CCB) is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.

STIG	Date
General Mobile Device (Technical) (Non-Enterprise Activated) Security Technical Implementation Guide	2013-03-19

Details

Check Text ( C-39058r1_chk )
Detailed Requirements: Core applications are applications included in the mobile operating system by the operating system vendor. A list of core applications is usually in the STIG overview document or the STIG Configuration Tables document. All non-core applications on the mobile device must be approved by the DAA or the Command IT CCB. Approval must be documented in some type of approval (memo, letter, etc.). Non-core applications include applications added to the device by the carrier (AT&T or Verizon Wireless map application). Check Procedures: First, review the procedures the site or command uses to review and approve third-party applications used on site managed mobile devices. Have the IAO or DAA representative provide a copy of the application review. Second, select 2-3 random devices managed by the site to review. -Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card. --Have the user log into the device and show the list of applications installed on the device and the media card (procedure will vary, depending on mobile OS). --Verify the site has written approval to use the app from the DAA or Command IT CCB. -Mark as a finding if any app has not been approved.

Check Text ( C-39058r1_chk )

Detailed Requirements:
Core applications are applications included in the mobile operating system by the operating system vendor. A list of core applications is usually in the STIG overview document or the STIG Configuration Tables document. All non-core applications on the mobile device must be approved by the DAA or the Command IT CCB. Approval must be documented in some type of approval (memo, letter, etc.). Non-core applications include applications added to the device by the carrier (AT&T or Verizon Wireless map application).

Check Procedures:

First, review the procedures the site or command uses to review and approve third-party applications used on site managed mobile devices. Have the IAO or DAA representative provide a copy of the application review.

Second, select 2-3 random devices managed by the site to review.

-Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card.

--Have the user log into the device and show the list of applications installed on the device and the media card (procedure will vary, depending on mobile OS).

--Verify the site has written approval to use the app from the DAA or Command IT CCB.

-Mark as a finding if any app has not been approved.

Fix Text (F-27627r1_fix)
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.