The mobile operating system must encrypt passwords stored on the mobile device.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33000	SRG-OS-000073-MOS-000048	SV-43398r1_rule		Medium

Description
Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. If an adversary obtains a password, the adversary can use it to compromise sensitive information. Encrypting passwords stored on the device mitigates the risk that the passwords will be compromised. Super user access is typically required to access the password database. If a system administrator is able to obtain this level of privilege on the device, have the system administrator display the contents of the password database, often a simple file.

Description

Passwords need to be protected at all times and encryption is the standard method for protecting passwords while in storage so unauthorized users/processes cannot gain access. If an adversary obtains a password, the adversary can use it to compromise sensitive information. Encrypting passwords stored on the device mitigates the risk that the passwords will be compromised. Super user access is typically required to access the password database. If a system administrator is able to obtain this level of privilege on the device, have the system administrator display the contents of the password database, often a simple file.

STIG	Date
Mobile Operating System Security Requirements Guide	2012-10-01

Details

Check Text ( C-41297r1_chk )
Verify the mobile operating system configuration enforces the passwords contained in the database are encrypted. If the passwords stored on the device are not encrypted, this is a finding.

Fix Text (F-36912r1_fix)
Configure the mobile operating system to encrypt passwords stored on the mobile device.