
The mobile operating system and mobile device management services must mutually authenticate each other using bi-directional PKI-based cryptographic authentication methods.


Overview

Finding ID: V-33095
Version: SRG-OS-000116-MOS-000072
Rule ID: SV-43493r1_rule
IA Controls: (none listed)
Severity: High
Description
Without strong mutual (bi-directional) authentication, a mobile device may connect to an unauthorized mobile device management (MDM) server and obtain improper security policies or configuration commands from that server. This could, in turn, make the device vulnerable to a wide variety of other attacks that could reveal sensitive information and enable an adversary to obtain full control of the device. Cryptographic mutual authentication greatly mitigates this risk. Shared secret methods are an acceptable alternative to PKI-based authentication. The authentication need not be performed synchronously, but methods using asynchronous messages must still employ mutual authentication. For example, the MDM may digitally sign a configuration message encrypted with the mobile device's public key. This would, in effect, authenticate the mobile device, because no other device would be able to access the configuration.
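The asynchronous sign-and-encrypt exchange the Description sketches, written out as an added example (it is not part of the STIG and not any MDM product's code): the MDM signs the configuration with its Ed25519 key, encrypts configuration and signature to the device's enrolled RSA public key, and the device applies only what it can both decrypt with its own private key and verify against the MDM key it pinned at enrollment. Decryption failing proves the message was meant for another device; verification failing proves it came from an unauthorized server. The key algorithms, the `device-A`/`device-B` identifiers, the OAEP label and the sample policy JSON are all assumptions constructed for the example; only Go's standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const oaepLabel = "mdm-config-v1" // constructed label tying the ciphertext to its purpose

// Envelope is the asynchronous configuration message an MDM server sends to a
// device: the configuration plus the MDM's Ed25519 signature, RSA-OAEP encrypted
// to the device's enrolled key (short bodies only; real systems wrap a content key).
type Envelope struct {
	DeviceID   string
	Ciphertext []byte // RSA-OAEP(devicePub, config || signature)
}

// signedData binds the recipient ID into the signature so a message cannot be redirected.
func signedData(deviceID string, config []byte) []byte {
	return append([]byte(deviceID+"\x00"), config...)
}

// SealConfig is the MDM side: sign the configuration, then encrypt the
// configuration and signature to the public key the device enrolled with.
func SealConfig(mdmSigner ed25519.PrivateKey, devicePub *rsa.PublicKey, deviceID string, config []byte) (*Envelope, error) {
	sig := ed25519.Sign(mdmSigner, signedData(deviceID, config))
	plaintext := append(append([]byte{}, config...), sig...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devicePub, plaintext, []byte(oaepLabel))
	if err != nil {
		return nil, err
	}
	return &Envelope{DeviceID: deviceID, Ciphertext: ct}, nil
}

// OpenConfig is the device side. Decryption succeeds only if the message was
// encrypted to this device; the signature verifies only if the enrolled MDM
// produced it. No configuration is applied unless both checks pass.
func OpenConfig(devicePriv *rsa.PrivateKey, pinnedMDM ed25519.PublicKey, deviceID string, env *Envelope) ([]byte, error) {
	if env.DeviceID != deviceID {
		return nil, errors.New("envelope addressed to a different device")
	}
	plaintext, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devicePriv, env.Ciphertext, []byte(oaepLabel))
	if err != nil || len(plaintext) < ed25519.SignatureSize {
		return nil, errors.New("message was not encrypted to this device")
	}
	split := len(plaintext) - ed25519.SignatureSize
	config, sig := plaintext[:split], plaintext[split:]
	if !ed25519.Verify(pinnedMDM, signedData(deviceID, config), sig) {
		return nil, errors.New("signature is not from the enrolled MDM server")
	}
	return config, nil
}

type ScenarioResult struct {
	Authentic           bool // legitimate envelope opened and matched the config
	RogueRejected       bool // envelope signed by an unenrolled MDM key was refused
	WrongDeviceRejected bool // a different device could not open the message
}

// RunScenario generates one MDM key and two device keys (constructed, not real
// enrollments) and exercises the happy path and two failure modes.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	mdmPub, mdmPriv, _ := ed25519.GenerateKey(rand.Reader) // errors only if crypto/rand fails
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)    // a server the device never enrolled with
	devA, errA := rsa.GenerateKey(rand.Reader, 2048)
	devB, errB := rsa.GenerateKey(rand.Reader, 2048)
	if errA != nil || errB != nil {
		return r, errors.New("device key generation failed")
	}
	config := []byte(`{"passcode_min_length":6,"camera_allowed":false}`) // constructed sample policy
	env, err := SealConfig(mdmPriv, &devA.PublicKey, "device-A", config)
	if err != nil {
		return r, err
	}
	got, err := OpenConfig(devA, mdmPub, "device-A", env)
	r.Authentic = err == nil && string(got) == string(config)
	// An unenrolled server pushes a weaker policy; the device must refuse it.
	rogue, err := SealConfig(roguePriv, &devA.PublicKey, "device-A", []byte(`{"camera_allowed":true}`))
	if err != nil {
		return r, err
	}
	_, err = OpenConfig(devA, mdmPub, "device-A", rogue)
	r.RogueRejected = err != nil
	// Device B presents device A's identifier but does not hold device A's key.
	_, err = OpenConfig(devB, mdmPub, "device-A", env)
	r.WrongDeviceRejected = err != nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	fmt.Println(r, err)
}
```

The three flags map onto the Description: `Authentic` is the enrolled pairing working, `RogueRejected` is the unauthorized-MDM risk the rule exists to close, and `WrongDeviceRejected` is the "no other device would be able to access the configuration" property. The example carries no freshness value, so it does not address replay of an old but genuine configuration; a real implementation would put a sequence number or timestamp inside the signed data, and an assessor applying the Check Text would look for that alongside the mutual authentication itself.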
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41354r1_chk)
Review system documentation and operating system configuration to determine if there is mutual authentication between the device and the mobile device management services. Both certificate-based and shared secret methods are acceptable. If there is not cryptographic mutual authentication, this is a finding.
Fix Text (F-36995r1_fix)
Configure the mobile operating system to require mutual authentication with mobile device management services using bi-directional PKI-based cryptographic authentication methods.