UCF STIG Viewer Logo

All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32674 WIR-SPP-020 SV-43020r1_rule ECWN-1 Medium
Description
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server). The DAA or Command IT Configuration Control Board is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.
STIG Date
Smartphone Policy Security Technical Implementation Guide 2012-10-09

Details

Check Text ( C-41049r2_chk )
Core applications are applications included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.

-Select 3-4 random devices managed by the site to review.

-Make a list of non-core applications on each device.
--Have the user log into the device. View all App icons on the home screen or in folders on the home screen.
--If an App is not in the list of core Apps (see below), then note the name of the App.
--Verify the site has written approval to use the App from the DAA or site IT CCB.

-Mark as a finding if any App has not been approved.
A list of standard core mobile OS applications can be found in the mobile device manual from the handset manual.
Fix Text (F-36581r1_fix)
Have DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.