A security risk analysis must be performed on a mobile operating system (OS) application by the DAA or DAA authorized authority prior to the application being approved for use.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32677	WIR-SPP-021	SV-43023r1_rule	DCCT-1	High

Description
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).

STIG	Date
Smartphone Policy Security Technical Implementation Guide	2012-10-09

Details

Check Text ( C-41050r3_chk )
Detailed Requirements: Core applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or DAA approved approval authority prior to a mobile OS application being approved for use. - Since the native cryptographic module included in iOS and generic Android is not FIPS 140-2 validated, non-core applications can only be approved if they meet the following conditions: -- The application does not synchronize or store any sensitive data locally on the device; or -- The application synchronizes and stores sensitive data locally on the device and the data-at-rest as well as data-in-transit is encrypted using a FIPS 140-2 validated cryptographic module. - The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure: - Approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers. Check Procedures: Review this check after reviewing check WIR-SPP-020. Determine if any non-core mobile OS applications have been approved by the DAA. - If no, this check is not applicable. - If yes, complete the following procedures: Ask the site for documentation showing what security risk analysis procedures are used by the DAA prior to approving non-core applications for use. Determine if the procedures include an evaluation of the following: - What OS level permissions are required by the application? - The application does not contain malware. - The application does not share data stored on the smartphones with non-DoD servers. - If the application stores sensitive data, the application data storage container uses FIPS 140-2 validated cryptographic module. - Mark as a finding if a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks.

Check Text ( C-41050r3_chk )

Detailed Requirements:
Core applications are applications included in the mobile device operating system. Applications added by the wireless carrier are not considered core applications. A security risk analysis must be performed by the DAA or DAA approved approval authority prior to a mobile OS application being approved for use.

- Since the native cryptographic module included in iOS and generic Android is not FIPS 140-2 validated, non-core applications can only be approved if they meet the following conditions:
-- The application does not synchronize or store any sensitive data locally on the device; or
-- The application synchronizes and stores sensitive data locally on the device and the data-at-rest as well as data-in-transit is encrypted using a FIPS 140-2 validated cryptographic module.

- The application review and approval process must include an evaluation of what OS level permissions are required by the application and how the application shares data and memory space with other applications. The review process must also ensure:
- Approved applications do not contain malware or share data stored on the mobile OS device with non-DoD servers.

Check Procedures:

Review this check after reviewing check WIR-SPP-020. Determine if any non-core mobile OS applications have been approved by the DAA.
- If no, this check is not applicable.

- If yes, complete the following procedures:

Ask the site for documentation showing what security risk analysis procedures are used by the DAA prior to approving non-core applications for use.

Determine if the procedures include an evaluation of the following:
- What OS level permissions are required by the application?
- The application does not contain malware.
- The application does not share data stored on the smartphones with non-DoD servers.
- If the application stores sensitive data, the application data storage container uses FIPS 140-2 validated cryptographic module.

- Mark as a finding if a security review was not conducted on approved applications or the application security risk review procedures do not contain the required risk assessment evaluation tasks.

Fix Text (F-36582r1_fix)
Have DAA or Command IT CCB use the required procedures to review mobile OS applications prior to approving them.