
The Samsung Knox for Android platform must be configured to implement the management setting: disable public cloud backup apps.


Overview

Finding ID: V-56095
Version: KNOX-35-022600
Rule ID: SV-70349r1_rule
IA Controls: (none listed)
Severity: Medium
Description
A cloud backup feature may gather a user's information, such as PII or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location where unauthorized employees have access to it, on a server whose location is unknown to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server that has the potential to be located in a country other than the United States.

SFR ID: FMT_SMF.1.1 #42
STIG Date
Samsung Android (with Knox 2.x) STIG 2016-02-25

Details

Check Text ( C-56665r2_chk )
This validation procedure is performed on both the MDM Administration Console and the Samsung Knox for Android device.

Check whether the appropriate setting is configured on the MDM Administration Console:
1. Ask the MDM administrator to display the "Application disable list" setting in the "Android Application" rule.
2. Verify the setting includes all pre-installed public cloud backup applications.

(Note: The following applications are known to be pre-installed public cloud applications, but other applications can be found on other devices: Google Drive, Dropbox, Verizon Cloud, AT&T Locker.)

(Note: Refer to the Supplemental document for the list.)

On the Samsung Knox for Android device:
1. Attempt to locate and launch the pre-installed public cloud applications that are included on the disable list.

(Note: These applications will not be visible.)

If the "Application disable list" configuration in the MDM console does not contain all pre-installed public cloud backup applications, or if the user is able to successfully launch an application on this list, this is a finding.
Fix Text (F-60973r2_fix)
Configure the mobile operating system to disable all pre-installed public cloud backup applications.

On the MDM Administration Console, add all pre-installed public cloud backup applications that are not DoD-approved to the "Application disable list" setting in the "Android Application" rule.

(Note: Refer to the Supplemental document for the list.)
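
The finding condition from the Check Text can be evaluated mechanically once the console setting and the device test results are written down. The following is an added example, not part of the STIG or of any MDM product: the function name, its parameters, and the sample inventory are assumptions constructed for illustration, and only the four application names come from the Check Text note.

```python
# Added example: evaluates the "this is a finding" condition from the Check Text.
# Parameter names and sample data are assumptions, not an MDM export format.

# Pre-installed public cloud apps named in the Check Text note.
KNOWN_CLOUD_APPS = {"Google Drive", "Dropbox", "Verizon Cloud", "AT&T Locker"}


def norm(name):
    """Case- and whitespace-insensitive key so 'dropbox ' matches 'Dropbox'."""
    return " ".join(name.split()).casefold()


def evaluate(preinstalled, disable_list, launchable, extra_cloud_apps=()):
    """Return (is_finding, reasons) for one device image and MDM rule.

    preinstalled     -- app names pre-installed on the device image
    disable_list     -- entries of the MDM "Application disable list"
    launchable       -- apps the tester was able to launch on the device
    extra_cloud_apps -- device-specific apps from the Supplemental document
    """
    cloud = {norm(a) for a in KNOWN_CLOUD_APPS | set(extra_cloud_apps)}
    disabled = {norm(a) for a in disable_list}
    reasons = []
    # Console side: every pre-installed public cloud backup app must be listed.
    for app in sorted(preinstalled):
        if norm(app) in cloud and norm(app) not in disabled:
            reasons.append(f"not on disable list: {app}")
    # Device side: nothing on the disable list may be launchable.
    for app in sorted(launchable):
        if norm(app) in disabled:
            reasons.append(f"on disable list but launchable: {app}")
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample inputs for one device.
    preinstalled = ["Google Drive", "Dropbox", "Verizon Cloud", "Calculator"]
    disable_list = ["google drive", "Verizon Cloud"]
    launchable = ["Calculator", "Verizon Cloud"]
    finding, reasons = evaluate(preinstalled, disable_list, launchable)
    print("FINDING" if finding else "NOT A FINDING")
    for reason in reasons:
        print(" -", reason)
```

Because other devices can ship with cloud applications beyond the four named in the note, pass the device-specific names from the Supplemental document through extra_cloud_apps.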