The LG Android 5.0 platform must be configured to disable the capability for an operating system update to be automatically downloaded and installed on the mobile device.

From LG Android 5.x Interim Security Configuration Guide

Part of PP-MDF-991000

Associated with: CCI-000366

SV-73263r1_rule The LG Android 5.0 platform must be configured to disable the capability for an operating system update to be automatically downloaded and installed on the mobile device.

Vulnerability discussion

FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportunity to review and update policies prior to update availability to end users. Disabling FOTA will mitigate the risk of allowing users access to applications that could compromise DoD sensitive data. After reviewing the update and adjusting any necessary policies (i.e. disabling applications determined to pose risk), the administrator can re-enable FOTA.SFR ID: FMT_SMF.1.1 #42

Check content

This validation procedure is performed on both the MDM Administration Console and the LG Android device. Check whether the appropriate setting is configured on the MDM Administration Console: 1. Ask the MDM administrator to display the list of unapproved core and preinstalled applications in the "Application Blacklist (prevent launch of blacklist apps)" setting in the MDM console. 2. Verify the LGDMSclient package is on the list. On the LG Android device: 1. Unlock the device 2. Open the device settings. 3. Navigate to the System updates setting: Settings >> System updates 4. Verify the System updates menu is not running and the following message is displayed: Application is disabled by server policy. If the LGDMSclient package setting is enabled, or the "System updates" setting can be launched, this is a finding.

Fix text

Configure the mobile device to disable the FOTA client. On the MDM Administration Console, set the LGDMSclient package as Application Blacklist (prevent launch of blacklist apps).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer