The mobile operating system must protect the confidentiality of the provisioning data downloaded to the handheld device during a trusted over-the-air (OTA) provisioning session.


Overview

Finding ID: V-32701
Version: WIR-MOS-iOS-65-03
Rule ID: SV-43047r1_rule
IA Controls: ECWN-1
Severity: Medium
Description
Provisioning data may be sensitive and therefore must be adequately protected. An adversary within the general proximity of the mobile device can eavesdrop on OTA transactions, making them particularly vulnerable to attack if confidentiality protections are not in place. Proper use of cryptography provides strong assurance that provisioning data is protected against confidentiality attacks.
STIG: Apple iOS 6 Security Technical Implementation Guide (STIG)
Date: 2013-05-23

Details

Check Text (C-41064r5_chk)
The link between iOS 6 and Apple meets this requirement for iOS updates from Apple.

Review system documentation and operating system configuration to determine if there is appropriate cryptography protecting the confidentiality of OTA provisioning between the mobile device and the provisioning server (MDM and/or MAM). AES encryption is one example of acceptable cryptography. A review of product documentation may be needed. If the provisioning data is not protected by cryptographic means during an OTA provisioning procedure, this is a finding.
Fix Text (F-36599r1_fix)
Configure the operating system to use cryptography providing confidentiality for provisioning downloads.