An error occurred:

Check: AIOS-02-000016

Apple iOS 7 STIG: AIOS-02-000016 (in version v1 r2)

Title

Apple iOS must disable automatic completion of Safari browser passcodes. (Cat III impact)

Discussion

The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of an AutoFill functionality, an adversary who learns a user's iOS device passcode, or who otherwise is able to unlock the device, may be able to further breach other systems by relying on Auto-Fill feature to provide information unknown to the adversary. By disabling the AutoFill functionality, the risk of an adversary gaining further information about the device's user or comprising other systems is significantly mitigated.

Check Content

This check procedure is performed on the iOS Over-the-Air management tool. Note: If an organization has multiple configuration profiles, then the check procedure must be performed on the relevant configuration profiles applicable to the scope of the review. In the iOS Over-the-Air management tool, verify "Enable auto fill" is unchecked. For example, in Mobile Iron Admin Portal: 1. Ask the MDM administrator to display the "POLICIES & CONFIGS". 2. Click or tap on the word "Configurations". 3. Click or tap the configuration name. 4. Expand "Details" under "App Setting Details". 5. Verify "Enable auto fill" is set to "false". Alternatively, verify the text "<key>safariAllowAutoFill</key><false>" appears in the configuration profile (.mobileconfig file). On the iOS device: 1. Open the Settings app. 2. Tap "Safari". 3. Verify "Passwords & AutoFill" is grayed out. If "Enable auto fill" is checked in the iOS Over-the-Air management tool, or "<key>safariAllowAutoFill</key><true>" appears in the configuration profile, or "Passwords & Auto fill" is not grayed out on the iOS device, this is a finding.

Fix Text

Configure Apple iOS not to allow AutoFill capability in the Safari app. In the iOS Over-the-Air management tool, uncheck "Enable auto fill". For example, in Mobile Iron Admin Portal, edit the configuration and deselect "Enable auto fill".

Additional Identifiers

Rule ID:

Vulnerability ID: V-43233

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings