Title

Apple iOS must not share location data through iCloud. (Cat II impact)

Discussion

Sharing of location data is an OPSEC risk because it potentially allows an adversary to determine a DoD user's location and movements and patterns in those movements over time. An adversary could use this information to target the user or to gather intelligence on the user's likely activities. Using commercial cloud services to store and handle location data could leave the data vulnerable to breach, particularly by sophisticated adversaries. Disabling the use of such services mitigates this risk. SFR ID: FMT_SMF.1.1 #42

Check Content

Review configuration settings to confirm "Share My Location" is disabled. This check procedure is performed on the iOS device only. On the iOS device: 1. Open the Settings app. 2. Tap "Privacy". 3. Tap "Location Services". 4. Tap "Share My Location". 5. Verify "Share My Location" is off. If "Share My Location" is toggled to the right and appears green on the iOS device, this is a finding.

Fix Text

The user must configure iOS to disable location sharing through iCloud.

Additional Identifiers

Rule ID:

Vulnerability ID: V-54295

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.