Check: GOOG-09-003700
Google Android 9.x STIG:
GOOG-09-003700
(in versions v2 r1 through v1 r1)
Title
The Google Android Pie must be configured to not allow backup of [all applications, configuration data] to locally connected systems. (Cat II impact)
Discussion
Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40
Check Content
Review Google Android device configuration settings to determine if the capability to back up to a locally connected system has been disabled. This validation procedure is performed on both the MDM Administration Console and the Android Pie device. On the MDM console, do the following: 1. Open Device Restrictions. 2. Open Restrictions Settings. 3. Ensure "Disallow usb file transfer" is selected. On the Android Pie device, do the following: 1. Plug in USB cable into Android Pie device and connect to a non-DoD network-managed PC. 2. Go to Settings >> Connected devices >> USB 3. Ensure No data transfer is selected. If the MDM console device policy is not set to disable the capability to back up to a locally connected system or on the Android Pie device, the device policy is not set to disable the capability to back up to a locally connected system, this is a finding.
Fix Text
Configure the Google Android device to disable backup to locally connected systems. NOTE: On Restrictions, the backup features for Google are not in the framework. On the MDM console: 1. Open Device Restrictions. 2. Open Restrictions Settings. 3. Select "Disallow usb file transfer".
Additional Identifiers
Rule ID: SV-106437r1_rule
Vulnerability ID: V-97333
Group Title: PP-MDF-301220
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000097 |
The organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems. |
Controls
Number | Title |
---|---|
AC-20 (2) |
Portable Storage Devices |