Title

LG Android 6.x must not allow backup to locally connected systems. (Cat II impact)

Discussion

Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms are no longer present. This leaves the backed up data vulnerable to attack. Disabling backup to external systems mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #40

Check Content

This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM console, do the following: 1. Ask the MDM administrator to display the "Allow LG Backup" settings in the MDM console. 2. Verify the setting is disabled. 3. Verify the policy has been assigned to all groups. On the LG Android device: 1. Unlock the device. 2. Navigate to Settings >> General >> Backup & reset. 3. Select "LG Backup" and verify it is unavailable by server policy. If on the MDM console the "Allow LG Backup" setting is enabled and on the LG Android device the setting "LG Backup" is available, this is a finding.

Fix Text

Configure the mobile operating system to disable backup to locally connected systems. On the MDM Administration Console, disable the "Allow LG Backup" setting. Note: LGA6-201016-01 may be used together to make disabling the USB connection to a locally connected system like a PC.

Additional Identifiers

Rule ID: SV-81321r2_rule

Vulnerability ID: V-66831

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.