Title

LG Android 6.x must not allow use of developer modes. (Cat II impact)

Discussion

Developer modes expose features of the mobile operating system that are not available during standard operation. An adversary may leverage a vulnerability inherently in developer mode to compromise the confidentiality, integrity, and availability of DoD-sensitive information. Disabling developer modes mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #24

Check Content

This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow developer modes" setting in the MDM console. 2. Verify the setting is disabled. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Unlock the device. 2. Navigate to Settings >> General >> About Phone >> Software info >> Build number. 3. Push "Build number" multiple times until a pop-up menu display indicates developer option unavailable by server policy. If on the MDM console and the "Allow developer modes" setting is enabled or on the LG Android device the developer mode is available, this is a finding.

Fix Text

Configure the mobile operating system to disable developer modes. On the MDM Administration Console, disable "Allow Developer Modes".

Additional Identifiers

Rule ID: SV-81311r2_rule

Vulnerability ID: V-66821

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.