Check: GOOG-09-003900
Google Android 9.x STIG:
GOOG-09-003900
(in versions v2 r1 through v1 r1)
Title
The Google Android Pie must be configured to not allow backup of all applications and configuration data to remote systems. (Cat II impact)
Discussion
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the Google Android device. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DoD devices may synchronize DoD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Check Content
Review Google Android device configuration settings to determine if the capability to back up to a remote system has been disabled. This validation procedure is performed on both the MDM Administration Console and the Android Pie device. On the MDM console, do the following: 1. Open Device Restrictions. 2. Open Restrictions Settings. 3. Ensure "Disallow backup servicer" is not selected. On the Android Pie device, do the following: 1. Go to Settings >> System. 2. Ensure Backup is set to "Off". If the MDM console device policy is not set to disable the capability to back up to a remote system or on the Android Pie device, the device policy is not set to disable the capability to back up to a remote system, this is a finding.
Fix Text
Configure the Google Android device to disable backup to remote systems (including commercial clouds). NOTE: On a Restrictions, data in the work profile cannot be backed up by default. On the MDM console: 1. Open Device Restrictions. 2. Open Restrictions Settings. 3. Ensure "Enable backup service" is not selected.
Additional Identifiers
Rule ID: SV-106439r1_rule
Vulnerability ID: V-97335
Group Title: PP-MDF-301230
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002338 |
The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information. |
Controls
Number | Title |
---|---|
AC-20 (3) |
Non-Organizationally Owned Systems / Components / Devices |