Samsung Android's Work profile must be configured to disable exceptions to the access control policy that prevent application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-252429	KNOX-12-210240	SV-252429r816530_rule		Medium

Description
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Description

App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

STIG	Date
Samsung Android 12 with Knox 3.x COPE Security Technical Implementation Guide	2022-06-07

Details

Check Text ( C-55885r815498_chk )
Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are enabling an "access control policy" that prevents "application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes". This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the Work profile restrictions, set "Cross profile copy/paste" to "Disallow". On the Samsung Android device: 1. Using any Work app, copy text to the clipboard. 2. Using any Personal app, verify that the clipboard text cannot be pasted. If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal app, this is a finding.

Check Text ( C-55885r815498_chk )

Review the Samsung documentation and inspect the configuration to verify the Samsung Android devices are enabling an "access control policy" that prevents "application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes".

This validation procedure is performed on both the management tool and the Samsung Android device.

On the management tool, in the Work profile restrictions, set "Cross profile copy/paste" to "Disallow".

On the Samsung Android device:
1. Using any Work app, copy text to the clipboard.
2. Using any Personal app, verify that the clipboard text cannot be pasted.

If on the management tool "Cross profile copy/paste" is not set to "Disallow", or on the Samsung Android device the clipboard text can be pasted into a Personal app, this is a finding.

Fix Text (F-55835r815499_fix)
Configure the Samsung Android devices to enable an "access control policy" that prevents "application processes, and groups of application processes from accessing all data stored by other application processes, and groups of application processes". On the management tool, in the Work profile restrictions section, set "Cross profile copy/paste" to "Disallow".