Title

LG Android 6.x must protect data at rest on removable storage media. (Cat I impact)

Discussion

The mobile operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can read removable media directly, thereby circumventing operating system controls. Encrypting the data ensures confidentiality is protected even when the operating system is not running. SFR ID: FMT_SMF_EXT.1.1 #26

Check Content

This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Encryption" setting in the MDM console. 2. Verify "Storage Card Encryption" is enabled. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Unlock the device. 2. Navigate to Settings >> General >> Security (or Fingerprints & security). 3. Verify "Encrypt SD card storage" is enabled and cannot be disabled. If on the MDM console the "Storage Card Encryption" is not enabled or if LG Android device "Encrypt SD card storage" is not enabled and grayed out, this is a finding.

Fix Text

Configure the mobile operating system to enable data-at-rest protection for removable media. On the MDM Administration Console, enable "Storage Card Encryption" for removable media.

Additional Identifiers

Rule ID: SV-81315r2_rule

Vulnerability ID: V-66825

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.