
All non-core applications on the mobile OS device must be approved by the DAA or Command IT Configuration Control Board.


Overview

Finding ID: V-24986
Version: WIR-MOS-AND-006-01
Rule ID: SV-35015r1_rule
IA Controls: DCCB-1, ECWN-1
Severity: High
Description
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware, spyware, or have unexpected features (e.g., send private information to a web site, track user actions, connect to a non-DoD management server).
STIG: Android 2.2 (Dell) Security Technical Implementation Guide
Date: 2014-08-26

Details

Check Text (C-34891r1_chk)
Detailed Requirements:
Core applications are applications included in the mobile operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the mobile OS device must be approved by the DAA or the Command IT Configuration Control Board. Approval must be documented in some type of approval document (memo, letter, etc.).

Check Procedures:

First, review the procedures the site or command uses to review and approve third-party applications used on managed Android devices. Have the IAO or DAA representative provide a copy of the application review.
Second, select 3-4 random devices managed by the site to review.

-Make a list of non-core applications on each device. Look in the smartphone memory and on the SD card.

--Have the user log into the device. Go to Settings > Applications > Manage applications. To view the list of applications on the smartphone, select “All”. To view a list of applications on the SD media card, select “On SD card”.
--If an App is not in the list of core Apps (see below), then note the name of the App.
--Verify the site has written approval to use the App from the DAA or site IT CCB.

-Mark as a finding if any App has not been approved.

A list of standard core Android Apps can be found in the STIG Configuration Tables document.

Note: The DAA or IT CCB should also indicate if location services are approved for any approved applications, including core applications (e.g., can the user enable location services in Android for the application).
Fix Text (F-27627r1_fix)
Have the DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.