UCF STIG Viewer Logo

Samsung Android must be configured to enforce an application installation policy by specifying an application whitelist that restricts applications by the following characteristics: list of digital signatures, list of package names.


Overview

Finding ID Version Rule ID IA Controls Severity
V-92861 KNOX-09-000070 SV-102949r1_rule Medium
Description
The application whitelist, in addition to controlling the installation of applications on the mobile device, must control user access to/execution of all core and preinstalled applications, or the mobile device must provide an alternate method of restricting user access to/execution of core and preinstalled applications. Core application: Any application integrated into the operating system by the operating system or mobile device vendors. Preinstalled application: Additional noncore applications included in the operating system build by the operating system vendor, mobile device vendor, or wireless carrier. Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DoD data accessible by these applications. The application whitelist, in addition to controlling the installation of applications on the mobile device, must control user access to/execution of all core applications (included in the operating system by the operating system vendor) and preinstalled applications (provided by the mobile device vendor and wireless carrier), or the mobile device must provide an alternate method of restricting user access to/execution of core and preinstalled applications. SFR ID: FMT_SMF_EXT.1.1 #8b
STIG Date
Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment Security Technical Implementation Guide 2020-02-24

Details

Check Text ( C-92167r1_chk )
Review device configuration settings to confirm that an application installation whitelist has been configured.

This procedure is performed only on the MDM Administration console.

Confirm if Method #1 or Method #2 is used at the Samsung device site and follow the appropriate procedure.

****

Method #1: On the MDM console, for the device, in the "managed Google Play" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the Authorizing Official (AO).

If the application installation whitelist contains non-AO-approved packages, this is a finding.

****

Method #2: On the MDM console, for the device, in the "Knox application" group, verify that each package listed on the application installation whitelist has been approved for DoD use by the AO.

If the application installation whitelist contains non-AO-approved packages, this is a finding.
Fix Text (F-99105r1_fix)
Configure Samsung Android to enforce an application installation whitelist.

The application installation whitelist does not control user access to/execution of all core and preinstalled applications, and guidance for doing so is covered in KNOX-09-000050.

Do one of the following:
- Method #1: Use managed Google Play for the Device (managed device).
- Method #2: Use Knox application installation whitelist.

****

Method #1: On the MDM console, for the device, in the "managed Google Play" group, add each AO-approved package to the managed Google Play application installation whitelist.

****

Method #2: On the MDM console, for the device, in the "Knox application" group, add each AO-approved package to the application installation whitelist.

Refer to the MDM documentation to determine the following:
- If an application installation blacklist is also required to be configured when enforcing an application installation whitelist.
- If the MDM supports adding packages to the application installation whitelist by package name and/or digital signature or supports a combination of the two.

****

Note: Refer to the "System Apps That Must Not Be Disabled" table in the Supplemental document for this STIG. These apps must be included in the application installation whitelist to allow updates.