Military personnel used banned apps on DOD-issued mobile devices, IG finds
Fantasy football apps. Dating apps. Secretive, encrypted messaging apps. An app for dealing luxury yachts. Even a pair of apps developed by a Chinese commercial drone manufacturer.
These are but a few of the types of unauthorized mobile apps that the Pentagon inspector general recently found on Defense Department personnel's DOD-issued mobile devices, which are meant to be used for official business only, according to a new IG report released Thursday.
And although using those apps violates DOD policy, the report found that in many cases users did not have to circumvent the department's device management controls to get them: the apps were readily available for download from public app stores.
The Defense Information Systems Agency’s DOD Mobility Unclassified Capability (DMUC) — a service that many DOD components subscribe to for mobile device management — allows users “unrestricted access to public application stores” in addition to the app stores created by DISA for Pentagon-authorized applications, per the IG. As of late 2021, DISA claimed there were more than 140,000 users of DMUC across the department.
“DOD Components, including at least 26 Components that use the DMUC, offered DOD mobile device users unrestricted access to public application stores, allowing personnel to download unauthorized unmanaged mobile applications to their DOD mobile devices,” the report states.
“Public application stores offer a wide variety of applications for mobile devices, such as games, news, travel, and messaging applications. These applications may include unnecessarily invasive permissions that require access to user contact lists and photos, and access to the device’s sensors, such as the camera, microphone, or GPS. Unauthorized unmanaged applications may also contain malicious code,” it added.
Two such apps “were from a Chinese commercial off-the-shelf drone manufacturer that allow users to fly drones and capture, edit, and share images,” the IG discovered.
The report comes amid heightened concerns from government officials, lawmakers and others over the popular TikTok app — the Chinese-owned social media platform that many, including the FBI, believe can be used to spy on mobile devices. The IG report refers to “applications with potentially inappropriate content includ[ing] applications for the creation of short-form videos,” which is precisely what TikTok allows users to do, but it does not name the app.
It also comes after reports last year that former DOD officials deleted messaging records regarding the Jan. 6, 2021, attack on the U.S. Capitol. Though Deputy Secretary of Defense Kathleen Hicks issued a new policy for digital record retention as a corrective measure, the DOD is unable to track messaging on applications that it does not directly manage, a gap the IG highlights in its report.
While it may seem a security oversight that users could reach unauthorized apps so easily, the IG notes that it is consistent with a policy from the Pentagon's CIO, which "does not require DOD Components to conduct operational or cybersecurity assessments of unmanaged applications if the mobile devices meet requirements in the DOD CIO memorandum." DISA defines unmanaged apps as those downloaded from a public app store rather than from a store actively managed by the Defense Department. Such apps fall into two categories: authorized unmanaged apps, which are approved for personal use on DOD devices but not for official business; and unauthorized unmanaged apps, which are forbidden on DOD devices altogether.
“The DOD CIO memorandum states that unmanaged applications will only be permitted on properly configured DOD mobile devices capable of segregating managed and unmanaged applications and their data,” the report says. “The memorandum also requires users to sign a user agreement stating that they have received training regarding the operational security concerns of unmanaged applications. If DOD Components and users meet the memorandum’s requirements, the DOD CIO does not require further evaluation of unmanaged applications before installation on DOD mobile devices. As a result, the DOD CIO allows users to have unrestricted access to unauthorized unmanaged applications from public application stores without security assessments.”
DISA's CIO, responding to a draft of the report, told the IG that the DMUC allows the download of unmanaged apps "to support DoD mission requirements. These applications include airline, hotel, and other travel applications for employees traveling on official DoD business; and, video, voice, or text messaging applications, to support DoD training." DISA also said unmanaged apps are permitted on the devices of "military and civilian personnel on extended deployment and when approved by theater commanders."
But because that access is not scoped to those users, the IG states, "unmanaged applications, as well as all the applications in the public application stores [including unauthorized ones], are available to all DMUC users, regardless of deployment status."
According to the IG, DISA's policy on unmanaged apps in the DMUC has frustrated some DOD component officials. One official complained in an interview that "the DMUC does not offer Components visibility into the mobile device data of their personnel," so components must rely on DISA "to determine that an application is an operational or cybersecurity risk and for DISA to identify the users who have downloaded the application."
In concluding the report, the IG calls, among other things, for the DOD to develop a comprehensive mobile device and mobile application policy for components, with common terminology for the different categories of applications.
The watchdog also recommends that the DOD Office of the CIO direct all components "to forward a complete copy of all official DoD messages generated over unmanaged electronic messaging applications to an official electronic messaging account," then remove any unauthorized apps, assess the security of the remaining authorized unmanaged apps, and finally "assess mobile device users' access to public application stores and remove access of those without a justifiable need."
The office agreed, stating that the CIO has drafted a memo "to address the operational security risk posed by the unapproved use of mobile applications that may result in the unauthorized disclosure of DOD information," per the IG. The CIO also agreed to take "corrective actions" regarding any official messaging conducted over unauthorized applications.