
The mobile operating system must re-encrypt all device data when the device is locked.


Overview

Finding ID: V-33240
Version: SRG-OS-000230-MOS-000120
Rule ID: SV-43658r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Data at rest refers to all stored data on a mobile device that will include the address book and other PII, data created by a user when using some applications, as well as data received, such as emails. If data is not encrypted upon the lock of the device, there is the potential for an adversary to remove non-volatile memory from the device and read it directly using tools for that purpose. This attack would render other operating system controls useless. Encrypting all data at rest provides assurance that it will be protected even when memory is physically removed from the device.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text ( C-41536r2_chk )
Review system documentation and other IA information resources to determine how the operating system treats data in memory upon locking the device. The operating system may enforce this requirement through a variety of means. The reviewer should focus on the fact that the data is encrypted when the device has been locked or unexpectedly shuts down - not on the timing of the encryption, much of which might occur prior to device lock. If it is determined that unencrypted data still resides on the device after device lock, this is a finding.
Fix Text (F-37170r2_fix)
Configure the operating system to re-encrypt all device data in memory when the device is locked or unexpectedly shuts down.
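The following model, added here and not part of the STIG or any vendor's implementation, shows what "data is encrypted when the device has been locked" means in practice and gives the reviewer's test from the check text a concrete form. It assumes a two-level key hierarchy (a per-file key wrapped under a class key that is derived from the passcode and a device-bound secret), models flash and RAM as separate Python objects, and uses an HMAC-SHA256 counter-mode construction as a stand-in for AES-GCM so it runs on the standard library alone; the store, its method names and the sample contact record are all constructed for the example.

```python
"""Model of lock-state data-at-rest protection on a mobile OS (constructed example).

A per-file key is wrapped under a class key derived from the user's passcode and a
device-unique secret. Locking discards the class key from RAM; flash only ever
holds ciphertext and wrapped keys, so removing the memory chip yields nothing
readable. The cipher below (HMAC-SHA256 in counter mode, encrypt-then-MAC) is an
illustrative stand-in for AES-GCM, not a production cipher.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


class DeviceLocked(Exception):
    """Raised when protected data is requested while the class key is absent."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib-only stand-in for AES).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ProtectedStore:
    """Models a handset's non-volatile flash plus its volatile key material."""

    def __init__(self, passcode: str):
        # Assumption of this model: the device secret is fused into the SoC and
        # usable only by the on-chip crypto engine, so an attacker who desolders
        # the flash chips does not obtain it.
        self._device_secret = os.urandom(32)
        self._salt = os.urandom(16)
        self._flash = {}        # name -> (wrapped file key, sealed data); survives chip removal
        self._class_key = None  # RAM only: set while unlocked, None while locked
        self.unlock(passcode)

    def _derive_class_key(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(),
                                   self._salt + self._device_secret, 50_000)

    def unlock(self, passcode: str) -> None:
        candidate = self._derive_class_key(passcode)
        # A wrong passcode yields a different class key. Detect it by failing to
        # unwrap an existing file key instead of storing a passcode verifier.
        for wrapped_key, _ in self._flash.values():
            unseal(candidate, wrapped_key)  # ValueError on mismatch; stays locked
            break
        self._class_key = candidate

    def lock(self) -> None:
        # Nothing in flash needs rewriting: it was never plaintext. Discarding the
        # class key is what makes the stored ciphertext unreadable. (CPython cannot
        # guarantee the old bytes are scrubbed; a real OS zeroizes the key buffer.)
        self._class_key = None

    def is_locked(self) -> bool:
        return self._class_key is None

    def write(self, name: str, data: bytes) -> None:
        if self.is_locked():
            raise DeviceLocked(name)
        file_key = os.urandom(32)
        self._flash[name] = (seal(self._class_key, file_key), seal(file_key, data))

    def read(self, name: str) -> bytes:
        if self.is_locked():
            raise DeviceLocked(name)
        wrapped_key, sealed = self._flash[name]
        return unseal(unseal(self._class_key, wrapped_key), sealed)

    def flash_image(self) -> bytes:
        """Everything an adversary gets by reading the removed NVM directly."""
        return b"".join(wk + sd for wk, sd in self._flash.values())


def plaintext_recoverable_from_flash(store: ProtectedStore, needle: bytes) -> bool:
    """The reviewer's question from the check text: does plaintext sit in storage?"""
    return needle in store.flash_image()
```

The point the check text makes about timing is visible here: the encryption work happens at write time, and lock only removes the key, so a reviewer should inspect what remains readable in storage after lock rather than look for a bulk re-encryption pass. Real systems also carry a separate class of data that can be written while locked (incoming mail, for instance) using a key that can wrap but not unwrap; that case is left out of this model.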