Title

Google Android 10 must be configured to not allow backup of all applications and configuration data to remote systems. (Cat II impact)

Discussion

Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Google Android device. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40

Check Content

Review Google Android device configuration settings to determine if the capability to back up to a remote system has been disabled. This validation procedure is performed on both the MDM Administration Console and the Android 10 device. On the MDM console, do the following: 1. Open User restrictions. 2. Ensure "Disallow backup servicer" is not selected. On the Android 10 device, do the following: 1. Go to Settings >> System. 2. Ensure Backup is set to "Off". If the MDM console device policy is not set to disable the capability to back up to a remote system or on the Android 10 device, the device policy is not set to disable the capability to back up to a remote system, this is a finding.

Fix Text

Configure the Google Android device to disable backup to remote systems (including commercial clouds). NOTE: On a Restrictions, data in the work profile cannot be backed up by default. On the MDM console: 1. Open User restrictions. 2. Ensure "Enable backup service" is not selected.

Additional Identifiers

Rule ID: SV-237015r852649_rule

Vulnerability ID: V-237015

Group Title: PP-MDF-301230

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.