Smartphone Policy Version Comparison
Smartphone Policy Security Technical Implementation Guide
Comparison
There are 15 differences between versions v1 r6 (Nov. 23, 2011) (the "left" version) and v1 r8 (Oct. 26, 2012) (the "right" version).
Check WIR-SPP-020 was added to the benchmark in the "right" version.
Text Differences
Title
All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.
Check Content
Core applications are applications included in the smartphone operating system. Applications added by the wireless carrier are not considered core applications. All non-core applications on the smartphone must be approved by the DAA or the Command IT Configuration Control Board.
-Select 3-4 random devices managed by the site to review.
-Make a list of non-core applications on each device.
--Have the user log into the device. View all App icons on the home screen or in folders on the home screen.
--If an App is not in the list of core Apps (see below), then note the name of the App.
--Verify the site has written approval to use the App from the DAA or site IT CCB.
-Mark as a finding if any App has not been approved.
A list of standard core mobile OS applications can be found in the mobile device manual from the handset manual.
Discussion
Non-approved applications can contain malware. Approved applications should be reviewed and tested by the approving authority to ensure they do not contain malware or spyware and do not have unexpected features (e.g., sending private information to a web site, tracking user actions, connecting to a non-DoD management server). The DAA or Command IT Configuration Control Board is responsible for setting up procedures to review, test, and approve smartphone applications. It is expected the process will be similar to what is used to approve and manage applications on command PCs.
Fix
Have the DAA or Command IT CCB review and approve all non-core applications on mobile OS devices.