V-56037 | High | The Samsung Knox for Android platform must be configured to enable data-at-rest protection for built-in storage media. | The operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
V-56039 | High | The Samsung Knox for Android platform must be configured to enable data-at-rest protection for removable storage media. | The operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to... |
V-56063 | Medium | The Samsung Knox for Android platform must be configured to disable developer modes. | Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may increase the likelihood of compromise of confidentiality,... |
V-56143 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: configure application disable list. | Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party... |
V-56103 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable mobile printing. | Mobile printing allows the device to connect to a printer over a Wi-Fi connection. Data is sent unencrypted over the Wi-Fi connection, potentially resulting in the compromise of sensitive DoD... |
V-56089 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Google backup. | A cloud backup feature may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and... |
V-56047 | Medium | The Samsung Knox for Android container must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
V-56127 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: enable CC mode. | CC mode implements several security controls required by the Mobile Device Functional Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and... |
V-56123 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: enable container. | The container must be enabled by the administrator/MDM or the container's protections will not apply to the mobile device. This will cause the mobile device's apps and data to be at significantly... |
V-56057 | Medium | The Samsung Knox for Android platform must be configured to disable USB mass storage mode. | This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data. SFR ID: FMT_SMF.1.1 #42 |
V-56055 | Medium | The Samsung Knox for Android platform must be configured to enforce an application installation policy through application whitelist specifying a set of allowed applications and versions. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-56053 | Medium | The Samsung Knox for Android platform must be configured to enforce an application installation policy by specifying one or more authorized application repositories: enroll in MDM. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-56051 | Medium | The Samsung Knox for Android platform must be configured to enforce an application installation policy by specifying one or more authorized application repositories: disable unknown sources. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-56073 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Allow New Admin Install. | An application with administrator permissions (e.g., MDM agent) is allowed to configure policies on the device. If a user is allowed to install another MDM agent on the device, then this will... |
V-57447 | Medium | The Samsung Knox for Android container must be configured to implement the management setting. Disable sharing of calendar information outside the container. | Calendar events can include potentially DoD-sensitive data such as names, contacts, dates and times, and locations. If made available outside the container this information will be accessible to... |
V-56077 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: configure application disable list. | Applications from various sources (including the vendor, the carrier, and Google) are pre-installed on the device at the time of manufacture. Some of the applications can compromise DoD data or... |
V-56059 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable USB debugging. | USB debugging mode provides access to developer mode features. Developer modes circumvent certain security measures, so their use for standard operation is not recommended. Developer modes may... |
V-56093 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting. Disable multi-user mode. | By default the enterprise administrator will install and enroll MDM on the device's owner user space. Since some policies configured by the MDM will only apply to the owner space, the user can... |
V-56091 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: configure Knox License. | A cloud backup feature may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and... |
V-56079 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Google auto sync. | When a user configures their personal Google account on the device, the Google auto sync feature is automatically enabled. This results in the automatic upload and sync of data on the device... |
V-56095 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable public cloud backup apps. | A cloud backup feature may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and... |
V-56075 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: configure application install blacklist. | Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents... |
V-56099 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable S Voice. | On MOS devices, users (may be able to) access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked.... |
V-56109 | Medium | The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable Samsung Account. | Configuring a Samsung Account on the device allows the user to back up files (including S Health data) to Samsung servers, as well as download applications from Samsung Apps (Galaxy Apps) store.... |
V-56097 | Medium | The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable messaging preview notifications in lock screen. | Text messages can potentially include sensitive information. When this feature is enabled, both text message data and the sender's name or number will be displayed on the lock screen. This may... |
V-56161 | Medium | The Samsung Knox for Android container must be configured to implement the user-based enforcement setting: disable Samsung Account. | Configuring a Samsung Account on the device allows the user to back up files (including S Health data) to Samsung servers, as well as download applications from Samsung Apps (Galaxy Apps) store.... |
V-56117 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Manual Date Time Changes. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing... |
V-57949 | Medium | The Samsung Knox for Android platform must be configured to disable firmware updates over-the-air (FOTA). | FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are... |
V-56105 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable NFC. | NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates... |
V-56133 | Medium | The Samsung Knox for Android container must be configured to enforce an application installation policy through application whitelist specifying a set of allowed applications and versions. | Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to... |
V-56071 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting. Employ mobile device management services to centrally manage security relevant configuration and policy settings. | Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
V-56107 | Medium | The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable screen mirroring. | Screen mirroring allows the user to display device content to a compatible device (e.g., TV) over a Wi-Fi connection. Although this feature uses HDCP 2.x protocol and encryption of visual data to... |
V-56087 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting. Not allow the device unlock password to contain more than two sequential or repeating characters (e.g., 456, aaa). | Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute-force attack. Passwords with sequential or repeating numbers or alphabetic... |
V-56081 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Google crash report. | Applications that can be downloaded from Google Play (including pre-installed applications) will prompt the user to send a crash report to Google servers when the application crashes. The crash... |
V-57451 | Medium | The Samsung Knox for Android container must be configured to implement the management setting. Disable sharing of notification details outside the container. | Application notifications can include DoD-sensitive data. If made available outside the container this information will be accessible to personal applications, resulting in potential compromise of... |
V-56049 | Medium | The Samsung Knox for Android platform must be configured to enforce an application installation policy by specifying one or more authorized application repositories: disable Google Play. | Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing... |
V-56101 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting. Disable mobile payment. | Mobile payment makes use of NFC to transmit personal account information from the device to the NFC reader. Compromise of this data can result in financial loss to both the individual and DoD.... |
V-56085 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable USB host storage. | The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive... |
V-56159 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: Account blacklist. | Blacklisting all email accounts is required so that only white-listed accounts can be configured. SFR ID: FMT_SMF.1.1 #42 |
V-56113 | Medium | The Samsung Knox for Android platform must be configured to disable USB media player. | This data transfer capability could allow users to transfer sensitive DoD data onto unauthorized USB storage devices, thus leading to the compromise of this DoD data. SFR ID: FMT_SMF.1.1 #42 |
V-56083 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Wi-Fi Direct. | Wi-Fi Direct allows the device to connect directly to another device via Wi-Fi without accessing a Wi-Fi access point and using DoD-required security mechanisms since Wi-Fi Direct can be used by... |
V-56111 | Medium | The Samsung Knox for Android platform must be configured to implement the user-based enforcement setting: disable Nearby devices. | The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the DLNA technology. Even though the user must allow requests... |
V-56067 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: install DoD root and intermediate PKI certificates on the device. | DoD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an... |
V-56065 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable Insecure VPN Connections. | Without strong mutual authentication, a mobile device may connect to an unauthorized network. In many cases, the user may falsely believe that the device is connected to an authorized network and... |
V-56129 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), and SPP (Serial Port Profile). | Unsecure Bluetooth profiles may allow either unauthenticated connections to mobile devices or transfer of sensitive DoD data without required DoD information assurance (IA) controls. Only the HSP,... |
V-56045 | Medium | The Samsung Knox for Android platform must be configured to lock the display after 15 minutes (or less) of inactivity. | The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain... |
V-56069 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: whitelist DoD root and intermediate PKI certificates. | If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the... |
V-56061 | Medium | The Samsung Knox for Android platform must be configured to implement the management setting: disable mock locations. | Developers often use mock locations in the development of apps that leverage location-based services. Developer modes circumvent certain security measures, so their use for standard operation is... |
V-56135 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: configure application install blacklist. | Blacklisting all applications is required so that only white-listed applications can be installed on the device. Requiring all authorized applications to be in an application whitelist prevents... |
V-57449 | Medium | The Samsung Knox for Android container must be configured to implement the management setting. Disable sharing of contact information outside the container. | Contacts can include DoD-sensitive data and PII of DoD employees including names, numbers, addresses, and email addresses. If made available outside the container this information will be... |
V-56137 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: disable Move Applications to Container. | Applications determined to be acceptable for personal use outside the container might not be acceptable for use within the container. The Move Applications to Container feature allows users to... |
V-56141 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: disable Move Files from Personal to Container. | Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data... |
V-56157 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: Account whitelist. | Whitelisting of authorized email accounts (POP3, IMAP, EAS) prevents a user from configuring a personal email account that could be used to forward sensitive DoD data to unauthorized... |
V-56139 | Medium | The Samsung Knox for Android container must be configured to implement the management setting: disable Move Files from Container to Personal. | Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data... |
V-56115 | Low | The Samsung Knox for Android platform must be configured to require the user to manifest consent to the terms of the DoD-specified warning banner each time the user unlocks the device. | The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices... |
V-56121 | Low | The Samsung Knox for Android container must be configured to prohibit more than 10 consecutive failed authentication attempts. | Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries... |
V-56041 | Low | The Samsung Knox for Android platform must be configured to enforce a minimum password length of 6 characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-56119 | Low | The Samsung Knox for Android container must be configured to enforce a minimum password length of 4 characters. | Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The ability to crack a password is a function of how many attempts an adversary is... |
V-56043 | Low | The Samsung Knox for Android platform must be configured to prohibit more than 10 consecutive failed authentication attempts. | Users must not be able to override the system policy on the maximum number of consecutive failed authentication attempts because this could allow them to raise the maximum, thus giving adversaries... |