
The Samsung KNOX for Android container must be configured to disable automatic completion of browser text input.


Overview

Finding ID: V-69699
Version: KNOX-39-021000
Rule ID: SV-84321r1_rule
IA Controls: (none)
Severity: Medium
Description
The auto-fill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of auto-fill functionality, an adversary who learns a user's mobile operating system device password, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on the auto-fill feature to provide information unknown to the adversary. By disabling the auto-fill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.

SFR ID: FMT_SMF_EXT.1.1 #45

STIG: Samsung Android OS 6 (with KNOX 2.x) Security Technical Implementation Guide
Date: 2016-11-14

Details

Check Text (C-70141r1_chk)
This validation procedure is performed on both the MDM Administration Console and the Samsung KNOX for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Allow browser auto-fill" setting in the "Android KNOX Container >> Container Restrictions" rule.
2. Verify the setting is disabled.

On the Samsung KNOX for Android device:
1. Open the KNOX container.
2. Launch the browser application.
3. Select the application's setting menu.
4. Select "Auto fill profile".
5. Select "Auto fill profile" and attempt to create a profile.
6. Select "Privacy" from the setting menu.
7. Attempt to enable "Save sign-in info".

If the "Allow browser auto-fill" configuration in the MDM console is enabled, or if the user is able to successfully create a profile or enable "Save sign-in info", this is a finding.
Fix Text (F-75903r1_fix)
Configure the mobile operating system to disable browser auto-fill for the container browser application.

On the MDM Administration Console, disable the "Allow browser auto-fill" setting in the "Android KNOX Container >> Container Restrictions" rule.