
The mobile operating system must enable a system administrator to (i) select which data fields will be available to applications outside of the contact database application and (ii) limit the number of contact database fields accessible outside of a work persona in the case of dual persona phones.


Overview

Finding ID: V-33296
Version: SRG-OS-999999-MOS-000139
Rule ID: SV-43715r2_rule
IA Controls:
Severity: Low
Description
The contact database often contains a significant amount of information beyond each person's name and phone number. The records may contain addresses and other identifying or sensitive information that should not be revealed. There may be cases in which an organization has determined that it is an acceptable risk to distribute parts of a person's contact record but not others. Enabling the system administrator to select which fields are available outside the contact database application (or to applications outside the work persona in the case of a dual persona device) assists with management of the risk.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text (C-41593r2_chk)
Review system documentation to determine if this capability is present. If it is not, this is a finding. If the capability is alleged to be present, ask the systems administrator to disable access to one of the fields in the contact database (e.g., organization name). This may be accomplished using an MDM system. Find an application that can access the contact database and verify the blocked field is inaccessible. If the phone is dual persona, repeat the prior test and attempt to access the contact database from an application external to the work persona. If it is accessible, this is a finding.
Fix Text (F-37226r2_fix)
Configure the operating system to enable a system administrator to select which data fields will be available to (i) applications outside of the contact database application and (ii) the work persona in the case of a dual persona phone.