The LG Android 5.0 platform must be configured to disable the capability for an operating system update to be automatically downloaded and installed on the mobile device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-58833	LGA5-20-002102	SV-73263r1_rule		Medium

Description
FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA. SFR ID: FMT_SMF.1.1 #42

Description

FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA. SFR ID: FMT_SMF.1.1 #42

STIG	Date
LG Android 5.x Interim Security Configuration Guide	2015-09-22

Details

Check Text ( C-59677r2_chk )
This validation procedure is performed on both the MDM Administration Console and the LG Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of unapproved core and preinstalled applications in the "Application Blacklist (prevent launch of blacklist apps)" setting in the MDM console. 2. Verify the LGDMSclient package is on the list. On the LG Android device: 1. Unlock the device 2. Open the device settings. 3. Navigate to the System updates setting: Settings >> System updates 4. Verify the System updates menu is not running and the following message is displayed: Application is disabled by server policy. If the LGDMSclient package setting is enabled, or the "System updates" setting can be launched, this is a finding.

Check Text ( C-59677r2_chk )

This validation procedure is performed on both the MDM Administration Console and the LG Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the list of unapproved core and preinstalled applications in the "Application Blacklist (prevent launch of blacklist apps)" setting in the MDM console.
2. Verify the LGDMSclient package is on the list.

On the LG Android device:
1. Unlock the device
2. Open the device settings.
3. Navigate to the System updates setting: Settings >> System updates
4. Verify the System updates menu is not running and the following message is displayed:
Application is disabled by server policy.

If the LGDMSclient package setting is enabled, or the "System updates" setting can be launched, this is a finding.

Fix Text (F-64217r1_fix)
Configure the mobile device to disable the FOTA client. On the MDM Administration Console, set the LGDMSclient package as Application Blacklist (prevent launch of blacklist apps).