
Samsung Knox Android must authenticate tethered connections to the device.


Overview

Finding ID: V-48291
Version: KNOX-23-013700
Rule ID: SV-61163r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Authentication may occur either by reentry of the device unlock passcode at the time of connection, through another passcode with the same or stronger complexity, or through PKI certificates. Authentication mitigates the risk that an adversary who obtains physical possession of the device could use the tethered connection to access sensitive data on the device or otherwise tamper with its operating system or applications.
SFR ID: FMT_SMF.1.1 #42

STIG: Samsung Android (with Knox 1.x) STIG
Date: 2014-04-22

Details

Check Text (C-50723r3_chk)
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Note: KNOX-25-15800 also verifies that USB Debugging has been disabled.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Disable USB Debugging", "Disable Vendor USB Protocol", and "Disable USB Media Player" checkboxes in the "Android Restrictions" rule.
2. Verify all of the checkboxes are selected.
Note: This combination of settings will force the user to unlock the phone in order to perform any functions leveraging a tethered connection.

On the Samsung Knox Android device:
1. With the device locked, connect the device to another device via a USB cable.
2. Verify the MOS file system is not accessible.
3. Unlock the device and open the device settings.
4. Select "Developer Options".
5. Ensure the "USB debugging" checkbox is not checked and cannot be checked by the user.

If any one of the "Disable USB Debugging", "Disable Vendor USB Protocol", or "Disable USB Media Player" checkboxes is not selected in the MDM Administration Console; or if the file system is accessible via a USB connection while the device is locked; or if the user can select the "USB debugging" checkbox within Samsung Knox, this is a finding.
Fix Text (F-51899r1_fix)
Configure the operating system to require authentication of tethered connections.

On the MDM Administration Console, check the "Disable USB Debugging", "Disable Vendor USB Protocol", and "Disable USB Media Player" checkboxes in the "Android Restrictions" rule.