The organization must perform a security risk analysis on a mobile operating system (OS) application by the DAA or DAA-authorized approval authority prior to the application being approved for use.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35985	SRG-MPOL-067	SV-47301r1_rule		Medium

Description
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). Core applications are applications included in the CMD operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or DAA approved approval authority prior to a mobile OS application being approved for use. The DAA, DAA designated Application Configuration Control Board, or other DAA designated process has the responsibility to approve all non-core applications installed on mobile devices under the purview of the DAA. The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure that approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.

Description

Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). Core applications are applications included in the CMD operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or DAA approved approval authority prior to a mobile OS application being approved for use. The DAA, DAA designated Application Configuration Control Board, or other DAA designated process has the responsibility to approve all non-core applications installed on mobile devices under the purview of the DAA. The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure that approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.

STIG	Date
Mobile Policy Security Requirements Guide	2013-07-03

Details

Check Text ( C-44222r1_chk )
Determine if any non-core mobile OS applications have been approved by the DAA. If no non-core mobile OS applications have been approved by the DAA, this check is not applicable. Ask the site for documentation showing what security risk analysis procedures are used by the DAA prior to approving non-core applications for use. Determine if the security risk analysis includes the following: -What OS level permissions are required by the application? -The application does not contain malware. -The application does not share data stored on the CMDs with non-DoD servers. -If the application stores sensitive data, the application data storage container is FIPS 140-2 validated. If the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.

Check Text ( C-44222r1_chk )

Determine if any non-core mobile OS applications have been approved by the DAA. If no non-core mobile OS applications have been approved by the DAA, this check is not applicable.

Ask the site for documentation showing what security risk analysis procedures are used by the DAA prior to approving non-core applications for use.

Determine if the security risk analysis includes the following:
-What OS level permissions are required by the application?
-The application does not contain malware.
-The application does not share data stored on the CMDs with non-DoD servers.
-If the application stores sensitive data, the application data storage container is FIPS 140-2 validated.

If the application security risk review procedures do not contain the required risk assessment evaluation tasks, this is a finding.

Fix Text (F-40512r1_fix)
Perform a security risk analysis on a mobile operating system (OS) application prior to the application being approved for use.