Check: AIOS-02-000005
Apple iOS 7 STIG:
AIOS-02-000005
(in version v1 r2)
Title
Apple iOS must not automatically upload new photos to iCloud. (Cat II impact)
Discussion
A cloud photo sharing feature may gather user's information such as PII, or sensitive photos. With this feature enabled, sensitive photos will be backed up to the manufacturer's servers and database. This data is stored at a location which has unauthorized employees accessing this data. This data is stored on a server which has an unknown location to the DoD. Disabling this feature mitigates the risk of a backup feature that stores sensitive data on a server which has the ability to be located in a country other than the United States.
Check Content
This check procedure is performed on the iOS Over-the-Air management tool and the iOS device. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Allow Photo Steam" is unchecked. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Configurations". 3. Click or tap the configuration name. 4. Expand "Details" under "App Setting Details". 5. Verify "Allow Photo Stream" is set to "false" Alternatively, verify the text "<key>allowPhotoStream</key><false/>" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Open the Settings app. 2. Tap "iCloud". 3. Verify "Photos" is not listed. If "Allow Photo Stream" is checked in the iOS Over-the-Air management tool, "<key>allowPhotoStream</key> <true/>" appears in the configuration profile, or if "Photos" is listed on the iOS device under iCloud, this is a finding.
Fix Text
Configure Apple iOS to disallow the use of iCloud Photo Stream. In the iOS Over-the-Air management tool, uncheck "Allow Photo Stream". For example, in Mobile Iron Admin Portal, edit the configuration and deselect "Allow Photo Stream" under "iCloud".
Additional Identifiers
Rule ID:
Vulnerability ID: V-43218
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |