Check: BB10-2X-000300
BB10 2 X STIG: BB10-2X-000300 (in version v1 r6)
Title
BlackBerry 10 OS must grant a downloaded application only the permissions the AO has authorized for that application. (Cat I impact)
Discussion
Mobile operating system applications that are able to perform unintended functions may be able to obtain sensitive information or otherwise compromise system security. The permissions that an application requires to perform its function may be delineated in a permissions manifest or in entitlements that are either bound to the application or embedded in its code. Enforcing these permissions limitations is necessary to ensure the application is not permitted to perform unintended functions.
Check Content
From the Work Space, navigate to "Settings >> Security and Privacy >> Application Permissions" and select "All" in the "Permissions" dropdown box. For each application, ensure the requested permissions (e.g., Location, Contacts, Shared Files, etc.) are set to "On" only for AO-authorized permissions. Otherwise, this is a finding. NOTE: If no applications are installed, this requirement is NA.
Fix Text
From the Work Space, navigate to "Settings >> Security and Privacy >> Application Permissions" and select "All" in the "Permissions" dropdown box. For each application, set each requested permission (e.g., Location, Contacts, Shared Files, etc.) to "On" or "Off" as identified by the AO.
Additional Identifiers
Rule ID:
Vulnerability ID: V-47201
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
CCI-001157 | The information system associates organization-defined security attributes with information exchanged between information systems. |