Vuln ID | Severity | Rule Title | Discussion |
--- | --- | --- | --- |
V-69685 | High | The Samsung KNOX for Android platform must be configured to enable CC mode. | CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and... |
V-69591 | High | The Samsung KNOX for Android platform must protect data at rest on built-in storage media. | The mobile operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable... |
V-69593 | High | The Samsung KNOX for Android platform must protect data at rest on removable storage media. | The mobile operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
V-69663 | Medium | The Samsung KNOX for Android platform must be configured to disable Enable Smart Lock. | The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology... |
V-69661 | Medium | The Samsung KNOX for Android platform must be configured to enable a Certificate Revocation Status (CRL) Check. | A CRL allows a certificate issuer to revoke a certificate for any reason, including improperly issued certificates and compromise of the private keys. Checking the revocation status of the... |
V-69589 | Medium | All mobile operating system cryptography supporting DoD functionality must be FIPS 140-2 validated. | Unapproved cryptographic algorithms cannot be relied upon to provide confidentiality or integrity, and DoD data could be compromised as a result. The most common vulnerabilities with cryptographic... |
V-69705 | Medium | The Samsung KNOX for Android container must have the Account Blacklist configured. | Blacklisting all email accounts is required so only whitelisted accounts can be configured. SFR ID: FMT_SMF_EXT.1.1 #45 |
V-69617 | Medium | The Samsung KNOX for Android platform whitelist must not include any pre-installed (core) applications not approved for DoD use by the Authorizing Official (AO). | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-69645 | Medium | The Samsung KNOX for Android platform must not display notifications when the device is locked. | Many mobile devices display notifications on the lock screen so users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new... |
V-69647 | Medium | The Samsung KNOX for Android platform must not allow backup to locally connected systems. | Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally... |
V-69641 | Medium | The Samsung KNOX for Android platform must be configured to disable USB mass storage mode. | USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a... |
V-69643 | Medium | The Samsung KNOX for Android platform must be configured to disable automatic updates of system software. | FOTA allows the user to download and install firmware updates over the air. These updates can include OS upgrades, security patches, bug fixes, new features, and applications. Since the updates... |
V-69609 | Medium | The Samsung KNOX for Android platform must not allow use of developer modes. | Developer modes expose features of the mobile operating system that are not available during standard operation. An adversary may leverage a vulnerability inherent in a developer mode to... |
V-69601 | Medium | The Samsung KNOX for Android platform must lock the container after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
V-69673 | Medium | The Samsung KNOX for Android container must be configured to enforce a minimum password length of four characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-69749 | Medium | The Samsung KNOX for Android platform must be configured to enable Google Play Inside KNOX. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-69629 | Medium | The Samsung KNOX for Android platform must be configured to disable USB host storage. | The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive... |
V-69603 | Medium | The Samsung KNOX for Android platform must be configured to disable Google Play. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-69623 | Medium | The Samsung KNOX for Android platform whitelist must not include applications that back up device data to non-DoD cloud servers (including user and application access to cloud backup services). | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-69625 | Medium | The Samsung KNOX for Android platform must be configured to disable backup to remote systems. | Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the mobile operating system. Where the remote... |
V-69621 | Medium | The Samsung KNOX for Android platform whitelist must not include applications that process payments. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-69613 | Medium | The Samsung KNOX for Android platform must be configured to disable Allow New Admin Install. | An application with administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, this will allow... |
V-69681 | Medium | The Samsung KNOX for Android container must be configured to disable sharing of notification details outside the container when the container is locked. | Application notifications can include DoD sensitive data. If made available outside the container, this information will be accessible to personal applications, resulting in potential compromise... |
V-69683 | Medium | The Samsung KNOX for Android container must be enabled. | The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly... |
V-69637 | Medium | The Samsung KNOX for Android platform must be configured to disable Allow NFC. | NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates... |
V-69687 | Medium | The Samsung KNOX for Android platform must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), and SPP (Serial Port Profile). | Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR... |
V-69689 | Medium | The Samsung KNOX for Android container must enforce an application installation policy by specifying an application whitelist. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-69605 | Medium | The Samsung KNOX for Android platform must enforce an application installation policy by disabling application installation from unknown sources. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-69611 | Medium | The Samsung KNOX for Android platform must have DoD root and intermediate PKI certificates installed on the device. | DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an... |
V-69607 | Medium | The Samsung KNOX for Android platform must enforce an application installation policy by specifying an application whitelist. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-69653 | Medium | The Samsung KNOX for Android platform must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor. | The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology... |
V-69671 | Medium | The Samsung KNOX for Android platform must be configured to disable manual date and time changes. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing... |
V-69659 | Medium | The Samsung KNOX for Android platform must be configured to Disable Admin Remove. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-69599 | Medium | The Samsung KNOX for Android platform must lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
V-69675 | Medium | The Samsung KNOX for Android container must be configured to disable sharing of calendar information outside the container. | Calendar events can include potentially DoD-sensitive data such as names, contacts, dates and times, and locations. If made available outside the container, this information will be accessible to... |
V-69679 | Medium | The Samsung KNOX for Android container must be configured to disable sharing of contact information outside the container. | Contacts can include DoD-sensitive data and personally identifiable information (PII) of DoD employees, including names, numbers, addresses, and email addresses. If made available outside the... |
V-69651 | Medium | The Samsung KNOX for Android platform must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor (e.g., using a fingerprint), unless the mechanism is DoD-approved. | The fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. This technology... |
V-69657 | Medium | The Samsung KNOX for Android platform must be configured to enable the access control policy that prevents groups of application processes from accessing all data stored by other groups of application processes. | The access control policy restricts processes and applications in one processing environment (container) from accessing data in another. Exceptions should only be allowed under the administrator... |
V-69655 | Medium | The Samsung KNOX for Android platform must be configured to disable VPN split-tunneling (if the mobile device provides a configurable control for FDP_IFC_EXT.1.1). | Split-tunneling allows multiple simultaneous remote connections to the mobile device. Without VPN split-tunneling disabled, malicious applications can covertly off-load device data to a... |
V-69707 | Medium | The Samsung KNOX for Android container must have the minimum password complexity configured. | Authentication mechanisms other than a Password Authentication Factor often provide convenience to users, but many of these mechanisms have known vulnerabilities. Configuring a minimum password... |
V-69639 | Medium | The Samsung KNOX for Android platform must be configured to disable Nearby devices. | The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the Digital Living Network Alliance (DLNA) technology. Even... |
V-69703 | Medium | The Samsung KNOX for Android container must have the Account Whitelist configured. | Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized... |
V-69635 | Medium | The Samsung KNOX for Android platform must be configured to disable S Voice. | On mobile operating system devices, users may be able to access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile... |
V-69619 | Medium | The Samsung KNOX for Android platform whitelist must not include applications that allow synchronization of data or applications between devices associated with the user. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-69633 | Medium | The Samsung KNOX for Android platform must be configured to disable Multi-User mode. | By default, the enterprise administrator will install and enroll MDM on the device's owner user space. Since some policies configured by the MDM will only apply to the owner space, the user can... |
V-69699 | Medium | The Samsung KNOX for Android container must be configured to disable automatic completion of browser text input. | The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge... |
V-69697 | Medium | The Samsung KNOX for Android container must have the application disable list configured. | Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party... |
V-69695 | Medium | The Samsung KNOX for Android container must be configured to disable Move Files from Container to Personal. | Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data... |
V-69693 | Medium | The Samsung KNOX for Android container must be configured to disable Move Applications to Container. | Applications determined to be acceptable for personal use outside the container might not be acceptable for use within the container. The Move Applications to Container feature allows users to... |
V-69691 | Medium | The Samsung KNOX for Android container must have the application install blacklist configured. | Blacklisting all applications is required so only whitelisted applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the... |
V-69615 | Medium | The Samsung KNOX for Android platform must have the Application Install Blacklist configured. | Blacklisting all applications is required so that only whitelisted applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents the... |
V-69701 | Low | The Samsung KNOX for Android container must not allow passwords that include more than two repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier... |
V-69649 | Low | The Samsung KNOX for Android platform must enable virtual private networks (VPN) protection. | A key characteristic of mobile devices is that they typically will communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility.... |
V-69665 | Low | The Samsung KNOX for Android platform must disable the automatic transfer of diagnostic data to an external device. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product... |
V-69627 | Low | The Samsung KNOX for Android platform must be configured to disable Google Crash Report. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product... |
V-69667 | Low | The Samsung KNOX for Android platform must disable Report diagnostic info. | Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real-world field behavior and improve the product... |
V-69669 | Low | The Samsung KNOX for Android platform must display the DoD advisory warning message at start-up or each time the user unlocks the device. | The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices... |
V-69677 | Low | The Samsung KNOX for Android container must be configured to prohibit more than 10 consecutive failed authentication attempts. | Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries... |
V-69595 | Low | The Samsung KNOX for Android platform must enforce a minimum password length of six characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-69597 | Low | The Samsung KNOX for Android platform must not allow more than 10 consecutive failed authentication attempts. | The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of... |
V-69631 | Low | The Samsung KNOX for Android platform must not allow passwords that include more than two repeating or sequential characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier... |