Samsung Android 8 with Knox must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by either of the following characteristics: List of digital signatures or list of package names.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-80169	KNOX-08-001300	SV-94873r1_rule		Medium

Description
The application whitelist, in addition to controlling the installation of applications on the mobile device (MD), must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the operating system (OS) by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #8b

Description

The application whitelist, in addition to controlling the installation of applications on the mobile device (MD), must control user access/execution of all core and pre-installed applications, or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. Core application: Any application integrated into the operating system (OS) by the OS or MD vendors. Pre-installed application: Additional non-core applications included in the OS build by the OS vendor, MD vendor, or wireless carrier. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. SFR ID: FMT_SMF_EXT.1.1 #8b

STIG	Date
Samsung Android OS 8 with Knox 3.x COBO Use Case Security Technical Implementation Guide	2018-11-30

Details

Check Text ( C-79837r1_chk )
Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations based on one of the following characteristics: - Digital signature - Package name Verify all applications listed on the whitelist have been approved by the Authorizing Official (AO). This validation procedure is performed only on the MDM Administration Console. On the MDM console, do the following (perform Steps 1 and 2 or Steps 3 and 4): 1. Ask the MDM Administrator to display the "Package Name Whitelist" in the "Android Applications" rule. 2. Verify the whitelist includes only package names that the AO has approved. or 3. Ask the MDM Administrator to display the "Signature Whitelist" in the "Android Applications" rule. 4. Verify the whitelist includes only digital signatures the AO has approved. Note: Either list may be empty if the AO has not approved any apps. Note: Refer to the Supplemental document for additional information. If the MDM console "Package Name Whitelist" or "Signature Whitelist" contains non-AO-approved entries, this is a finding. Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the app whitelist so that Google Play services can be updated: • com.android.vending • com.google.android.finsky • com.google.android.gm • com.google.android.gms • com.google.android.gsf.login • com.google.android.setupwizard • com.google.android.gsf

Check Text ( C-79837r1_chk )

Review Samsung Android 8 with Knox configuration settings to determine if the mobile device has been configured to whitelist application installations based on one of the following characteristics:
- Digital signature
- Package name

Verify all applications listed on the whitelist have been approved by the Authorizing Official (AO).

This validation procedure is performed only on the MDM Administration Console.

On the MDM console, do the following (perform Steps 1 and 2 or Steps 3 and 4):
1. Ask the MDM Administrator to display the "Package Name Whitelist" in the "Android Applications" rule.
2. Verify the whitelist includes only package names that the AO has approved.
or
3. Ask the MDM Administrator to display the "Signature Whitelist" in the "Android Applications" rule.
4. Verify the whitelist includes only digital signatures the AO has approved.

Note: Either list may be empty if the AO has not approved any apps.

Note: Refer to the Supplemental document for additional information.

If the MDM console "Package Name Whitelist" or "Signature Whitelist" contains non-AO-approved entries, this is a finding.

Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the app whitelist so that Google Play services can be updated:

• com.android.vending
• com.google.android.finsky
• com.google.android.gm
• com.google.android.gms
• com.google.android.gsf.login
• com.google.android.setupwizard
• com.google.android.gsf

Fix Text (F-86975r1_fix)
Configure the Samsung Android 8 with Knox device to whitelist application installations based on one of the following characteristics: - Digital signature - Package name Both whitelists apply to user installable applications only and do not control user access/execution of core and pre-installed applications. To restrict user access/execution to core and pre-installed applications, the MDM Administrator must configure the "application disable list". It is important to note that if the MDM Administrator has not blacklisted an application characteristic (package name, digital signature), it is implicitly whitelisted, as whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and whitelist, the whitelist (as the exception to the blacklist) takes priority, and the user will be able to install the application. Therefore, the MDM Administrator must configure the blacklists to include all package names and digital signatures for whitelisting to behave as intended. Note that some MDM vendors have implemented the Blacklist function described above behind the scenes, and there may not be a Blacklist function for the System Administrator to configure. On the MDM console, do one of the following: Add each AO-approved package name to the "Package Name Whitelist" in the "Android Applications" rule. or Add each AO-approved digital signature to the "Signature Whitelist" in the "Android Applications" rule. Note: Either list may be empty if the AO has not approved any apps. Note: Refer to the Supplemental document for additional information. Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the app whitelist so that Google Play services can be updated: • com.android.vending • com.google.android.finsky • com.google.android.gm • com.google.android.gms • com.google.android.gsf.login • com.google.android.setupwizard • com.google.android.gsf

Fix Text (F-86975r1_fix)

Configure the Samsung Android 8 with Knox device to whitelist application installations based on one of the following characteristics:
- Digital signature
- Package name

Both whitelists apply to user installable applications only and do not control user access/execution of core and pre-installed applications. To restrict user access/execution to core and pre-installed applications, the MDM Administrator must configure the "application disable list".

It is important to note that if the MDM Administrator has not blacklisted an application characteristic (package name, digital signature), it is implicitly whitelisted, as whitelists are exceptions to blacklists. If an application characteristic appears in both the blacklist and whitelist, the whitelist (as the exception to the blacklist) takes priority, and the user will be able to install the application. Therefore, the MDM Administrator must configure the blacklists to include all package names and digital signatures for whitelisting to behave as intended. Note that some MDM vendors have implemented the Blacklist function described above behind the scenes, and there may not be a Blacklist function for the System Administrator to configure.

On the MDM console, do one of the following:
Add each AO-approved package name to the "Package Name Whitelist" in the "Android Applications" rule.
or
Add each AO-approved digital signature to the "Signature Whitelist" in the "Android Applications" rule.

Note: Either list may be empty if the AO has not approved any apps.

Note: Refer to the Supplemental document for additional information.

Note: The application Whitelist must be implemented so that only approved applications can be downloaded from the Google Play Store. Access to the Google Play Store must be enabled so that apps used by Google Play Services can be updated. The following app packages must be included in the app whitelist so that Google Play services can be updated:

• com.android.vending
• com.google.android.finsky
• com.google.android.gm
• com.google.android.gms
• com.google.android.gsf.login
• com.google.android.setupwizard
• com.google.android.gsf