Title

Location services must be turned off on the smartphone during device provisioning. (Cat III impact)

Discussion

Smartphone location services allow applications to gather information about the location of the handheld device and possibly forward it to servers located on the Internet. This is an operational security issue for DoD smartphones devices.

Check Content

Location based services is a User Based Enforcement (UBE) service. On a sample of 3-4 devices managed by the site, verify Android Location Services is disabled for all applications unless the site has a letter/memo stating the DAA or the Command Application Configuration Control Board (CCB) has approved location-based services.. Go to Settings > Location & security settings > Use GPS satellites And Settings > Location & security settings > Use assisted GPS Verify both services are off, unless GPS services have been approved for use. Mark as a finding if configuration is not set as required.

Fix Text

Turn off location services during device provisioning and users will not enable the service unless approved for use.

Additional Identifiers

Rule ID: SV-35000r1_rule

Vulnerability ID: V-25051

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.