The mobile operating system must encrypt all data on the mobile device using AES encryption (AES 128 bit encryption key length is the minimum requirement; AES 256 desired).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-33238 | SRG-OS-000230-MOS-000118 | SV-43656r1_rule | Medium |
| Description |
|---|
| If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. AES encryption with appropriate key lengths provides assurance that the cryptography is adequate. |
| STIG | Date |
|---|---|
| Mobile Operating System Security Requirements Guide | 2012-10-01 |
Details
| Check Text ( C-41534r1_chk ) |
|---|
| Review system documentation and operating system configuration to verify the operating system encrypts all data using AES encryption. Any NIST-approved mode of AES is acceptable. Validate this includes data on removable memory, such as SD cards. If the operating system does not encrypt data at rest, or does so only selectively, or does so using an encryption algorithm other than AES (for unclassified data), this is a finding. |
| Fix Text (F-37168r1_fix) |
|---|
| Configure the operating system to encrypt all data on the mobile device using AES encryption. |