Title

The Google Android Pie must be configured to not allow backup of [all applications, configuration data] to locally connected systems. (Cat II impact)

Discussion

Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed-up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40

Check Content

Review Google Android device configuration settings to determine if the capability to back up to a locally connected system has been disabled. This validation procedure is performed on both the MDM Administration Console and the Android Pie device. On the MDM console, do the following: 1. Open Device Restrictions. 2. Open Restrictions Settings. 3. Ensure "Disallow usb file transfer" is selected. On the Android Pie device, do the following: 1. Plug in USB cable into Android Pie device and connect to a non-DoD network-managed PC. 2. Go to Settings >> Connected devices >> USB 3. Ensure No data transfer is selected. If the MDM console device policy is not set to disable the capability to back up to a locally connected system or on the Android Pie device, the device policy is not set to disable the capability to back up to a locally connected system, this is a finding.

Fix Text

Configure the Google Android device to disable backup to locally connected systems. NOTE: On Restrictions, the backup features for Google are not in the framework. On the MDM console: 1. Open Device Restrictions. 2. Open Restrictions Settings. 3. Select "Disallow usb file transfer".

Additional Identifiers

Rule ID: SV-106437r1_rule

Vulnerability ID: V-97333

Group Title: PP-MDF-301220

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.