
The mobile operating system must disable access to the device's contact database when the device is locked.


Overview

Finding ID: KNOX-04-001400
Version: KNOX-04-001400
Rule ID: KNOX-04-001400_rule
IA Controls: none listed
Severity: Medium
Description
On some devices, users can access the device's contact database to obtain phone numbers and other information using voice-activated Bluetooth peripherals even when the mobile device is locked. Often this information is personally identifiable information (PII), which is considered sensitive. It could also be used by an adversary to profile the user or engage in social engineering to obtain further information from other unsuspecting users. Disabling access to the contact database in these situations mitigates the risk of this attack. The DAA may waive this requirement with written notice if the operational environment requires this capability.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text ( C-KNOX-04-001400_chk )
This check procedure contains several elements from KNOX-04-001300 (SRG-OS-000231-MOS-000122). Results from that check procedure may be reused here.

This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the administrator to display the "Disable USB Debugging" and "Disable Vendor USB Protocol" checkboxes in the "Android Knox Base Restrictions" rule.
2. Verify both of the checkboxes are selected.
3. Ask the administrator to display the "Disable USB Tethering" checkbox in the "Android Knox Restrictions" rule.
4. Verify the checkbox is selected.

On the Samsung Knox Android device:
1. With the device locked, connect the device to another device via a USB cable.
2. Verify the MOS file system is not accessible.
3. Unlock the device and open the device settings.
4. Select "Developer Options".
5. Verify the "USB debugging" checkbox is not checked.
6. Verify the user cannot select the "USB debugging" checkbox.

If any of the "Disable USB Debugging", "Disable Vendor USB Protocol", or "Disable USB Tethering" checkboxes is not selected; if the file system is accessible over a USB connection while the device is locked; or if the user can select the "USB debugging" checkbox on the Samsung Knox Android device, this is a finding.

Note: This IA control is implemented by disabling every USB path that could be used to reach the contact database while the device is locked: Android Debug Bridge (ADB), the Vendor USB Protocol, and USB Tethering. Once these three features are disabled, it is no longer feasible to access the contact database over USB when the device is locked. The description above refers to voice-activated Bluetooth peripherals, but this check procedure exercises only the USB paths listed here; Bluetooth access is not covered by this check.
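The device-side steps above are manual. As an added example, not part of the STIG and not code from Fixmo Sentinel or Samsung, the following POSIX shell script automates the host side of steps 1 and 2 of the device check: with the locked handset connected by USB cable, it parses the output of `adb devices` and `lsusb` and reports a finding if any device has an accepted ADB session or is enumerated in MTP mode (the MTP path is how the file system becomes reachable). It assumes a Linux host with `adb` and `lsusb` on PATH, and it assumes the usb.ids description printed by `lsusb` contains the string "MTP" for a handset in MTP mode. The sample outputs embedded in the script are constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example for the "device locked, USB connected" step of KNOX-04-001400.
# Not part of the STIG; assumes a Linux host with adb and lsusb installed.

# count_adb_sessions: read `adb devices` output on stdin and print how many
# attached devices are in state "device", i.e. an accepted debug session.
# "offline" and "unauthorized" entries are not counted: the host sees a USB
# endpoint, but the handset has not granted debugging. adb separates serial
# and state with a tab; awk's default field splitting handles tab or space.
count_adb_sessions() {
    awk 'NR > 1 && NF >= 2 && $2 == "device" { n++ } END { print n + 0 }'
}

# count_mtp_devices: read `lsusb` output on stdin and print how many lines
# describe a device enumerated in MTP mode. Assumption: the usb.ids text for
# the handset contains "MTP" (true for the common Samsung MTP product IDs).
# grep -c still prints the count on no match; "|| true" keeps set -e quiet.
count_mtp_devices() {
    grep -c 'MTP' || true
}

# evaluate_usb_exposure ADB_OUTPUT LSUSB_OUTPUT: pure function over captured
# command output. Prints PASS or FINDING and returns 0 or 1 accordingly.
evaluate_usb_exposure() {
    adb_n=$(printf '%s\n' "$1" | count_adb_sessions)
    mtp_n=$(printf '%s\n' "$2" | count_mtp_devices)
    if [ "$adb_n" -gt 0 ] || [ "$mtp_n" -gt 0 ]; then
        printf 'FINDING: adb_sessions=%s mtp_devices=%s\n' "$adb_n" "$mtp_n"
        return 1
    fi
    printf 'PASS: adb_sessions=0 mtp_devices=0\n'
    return 0
}

# check_locked_device: run on a live host with the LOCKED handset on USB.
# Returns 0 when neither ADB nor MTP is exposed, 1 when this is a finding.
check_locked_device() {
    evaluate_usb_exposure "$(adb devices 2>/dev/null)" "$(lsusb 2>/dev/null)"
}

# Constructed sample output (not captured from a real device): a handset that
# accepted a debug session and also enumerated in MTP mode. The usb.ids
# description on the Samsung line is an assumption about the database text.
SAMPLE_ADB_EXPOSED='List of devices attached
0123456789ABCDEF	device'
SAMPLE_LSUSB_EXPOSED='Bus 001 Device 004: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode)
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# Constructed sample output for a compliant locked handset: adb lists no
# device at all (debugging disabled), and only the host's root hub is on USB.
SAMPLE_ADB_CLEAN='List of devices attached'
SAMPLE_LSUSB_CLEAN='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

if [ "${1:-}" = "--live" ]; then
    check_locked_device
else
    # Demonstrate both outcomes on the constructed samples.
    evaluate_usb_exposure "$SAMPLE_ADB_EXPOSED" "$SAMPLE_LSUSB_EXPOSED" || true
    evaluate_usb_exposure "$SAMPLE_ADB_CLEAN" "$SAMPLE_LSUSB_CLEAN"
fi
```

Run it with `--live` against the connected, locked handset to get a PASS or FINDING line; without arguments it walks the two constructed samples. A PASS here only covers the USB portion of the device check: the MDM console settings and the greyed-out "USB debugging" checkbox under Developer Options still have to be verified as described above.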
Fix Text (F-KNOX-04-001400_fix)
Configure the operating system to disable access to the device's contact database when the device is locked.

For example, on the Fixmo Sentinel Administration Console, check the "Disable USB Debugging" and "Disable Vendor USB Protocol" checkboxes in the "Android Knox Base Restrictions" rule.

Also on the Fixmo Sentinel Administration Console, check the "Disable USB Tethering" checkbox in the "Android Knox Restrictions" rule.