Apple iOS 7 STIG

This STIG contains technical security controls required for the use of Apple iOS 7 devices (iPhone and iPad) in the DoD environment when managed by an approved mobile management server. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2014-08-26

Updated At: 2018-09-23 02:02:02

Findings

| Vuln | Rule Version | CCI | Severity | Title | Description |
|---|---|---|---|---|---|
| SV-55953r1_rule | AIOS-01-000002 | CCI-000057 | MEDIUM | Apple iOS must lock the device after 15 minutes of inactivity. | The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until the user re-establishes access using established identifica |
| SV-55955r1_rule | AIOS-01-000004 | CCI-000205 | MEDIUM | Apple iOS must enforce a minimum length of 6 for the device unlock password. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do |
| SV-55956r1_rule | AIOS-03-000001 | CCI-001159 | MEDIUM | Only DoD PKI issued or DoD approved server authentication certificates must be installed on DoD mobile operating system devices. | If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the behavior of authorized equipment to trick the user into providing |
| SV-55957r1_rule | AIOS-01-000005 | CCI-000366 | MEDIUM | Apple iOS must wipe all storage media after 10 consecutive, unsuccessful attempts to unlock the mobile device. | Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen, or misplaced, attempts can be made to unlock the device by guessing the password. Once unlocked, an adversary may be able to obtain sensitive data |
| SV-55958r1_rule | AIOS-00-000053 | CCI-000370 | MEDIUM | Apple iOS must employ mobile device management services to centrally manage security relevant configuration and policy settings. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of atta |
| SV-55959r1_rule | AIOS-01-000006 | CCI-001200 | MEDIUM | Apple iOS must require a valid password be successfully entered before the mobile device data is unencrypted. | Encryption is only effective if the decryption procedure is protected. If an adversary can easily access the private key (either directly or through a software application), sensitive DoD data is likely to be disclosed. Password protection is one method t |
| SV-55960r1_rule | AIOS-02-000011 | CCI-000366 | MEDIUM | Apple iOS must disable voice-activated assistant functionality when the device is locked (Siri). | On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which |
| SV-55961r1_rule | AIOS-02-000012 | CCI-000366 | MEDIUM | Apple iOS must disable voice-activated assistant functionality when the device is locked (Voice Dialing). | On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this information is personally identifiable information (PII), which |
| SV-55963r1_rule | AIOS-02-000002 | CCI-000366 | MEDIUM | Apple iOS must have the cloud backup feature disabled. | A cloud backup feature may gather a user's information such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location which has unauthoriz |
| SV-55964r1_rule | AIOS-02-000003 | CCI-000366 | MEDIUM | Apple iOS must have cloud document syncing features disabled. | A cloud document syncing feature may gather a user's information, such as PII or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location which has |
| SV-55965r1_rule | AIOS-02-000004 | CCI-000366 | MEDIUM | Apple iOS must have cloud keychain syncing features disabled. | The iCloud Keychain is an iOS function that will store users' account names and passwords in iCloud, then sync this data between the users' Macs, iPhones, and iPads. An adversary may use any of the stored iCloud keychain passwords after unlocking one of t |
| SV-55966r1_rule | AIOS-02-000005 | CCI-000366 | MEDIUM | Apple iOS must not automatically upload new photos to iCloud. | A cloud photo sharing feature may gather a user's information such as PII, or sensitive photos. With this feature enabled, sensitive photos will be backed up to the manufacturer's servers and database. This data is stored at a location which has unauthorize |
| SV-55967r1_rule | AIOS-02-000006 | CCI-000366 | MEDIUM | Apple iOS must not create photo streams to share with other people, or subscribe to other people's shared photo streams. | A cloud photo stream is a shared photo folder that other users may access at any time. A cloud photo streaming feature may gather the user's sensitive photos. With this feature enabled, sensitive photos will be added to a shared folder and backed up to th |
| SV-55968r1_rule | AIOS-02-000009 | CCI-000366 | MEDIUM | Apple iOS must not display notifications while the device is locked. | If the mobile operating system were to display notifications or calendar information on the lock screen, an adversary may be able to gather sensitive data without needing to unlock the device. This adversary may use this gathered intelligence to plan futu |
| SV-55969r1_rule | AIOS-02-000010 | CCI-000366 | MEDIUM | Apple iOS must not display calendar information while the device is locked. | If the mobile operating system were to display notifications or calendar information on the lock screen, an adversary may be able to gather sensitive data without needing to unlock the device. This adversary may use this gathered intelligence to plan futu |
| SV-55970r1_rule | AIOS-02-000013 | CCI-000366 | MEDIUM | Apple iOS must not allow the device to be unlocked using a fingerprint. | TouchID is a fingerprint reader that has been installed on the iPhone 5s. This fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no biometric reader has been approved for DoD use on mobile devices. |
| SV-55971r1_rule | AIOS-02-000014 | CCI-000366 | MEDIUM | Apple iOS must not allow non-DoD applications to access DoD data. | Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes, but are not approved to handle DoD sensitive information. Examples of unmanaged apps include apps for news se |
| SV-55972r1_rule | AIOS-02-000017 | CCI-000366 | MEDIUM | Apple iOS must encrypt iTunes backups. | When syncing an iOS device to a computer running iTunes, iTunes will prompt the user to back up the iOS device. If the performed backup is not encrypted, this could lead to the unauthorized disclosure of DoD sensitive information if non-DoD personnel are |
| SV-55973r1_rule | AIOS-05-000001 | CCI-000366 | MEDIUM | Apple iOS must have Airdrop disabled. | An Airdrop feature is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the attacker has gained access to the information broadcast by |
| SV-55974r2_rule | AIOS-06-000001 | CCI-000048 | MEDIUM | An iOS app must display the DoD notice and consent banner exactly as specified at startup device unlock. | To ensure notice of and consent to the terms of the DoD standard user agreement, the iOS device must contain an app that displays the DoD notice and consent banner. To best ensure the investigative and prosecutorial purposes of notice and consent are met, |
| SV-55975r2_rule | AIOS-06-000002 | CCI-000050 | LOW | An iOS app must retain the notice and consent banner on the screen until the user executes a positive action to manifest agreement by selecting a box indicating acceptance. | To ensure notice of and consent to the terms of the DoD standard user agreement, an iOS app must display a consent banner. Additionally, the app must prevent further activity in the application unless and until the user executes a positive action to mani |
| SV-55976r1_rule | AIOS-05-000002 | CCI-000160 | LOW | Apple iOS must synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed in ord |
| SV-55977r1_rule | AIOS-02-000001 | CCI-000366 | LOW | Apple iOS must disable screen capture. | By allowing the screen capture function, a user has the ability to capture a screen containing sensitive information and then transfer it to an application not authorized to store or process that type of information. For example, the unauthorized app may |
| SV-55978r1_rule | AIOS-02-000007 | CCI-000366 | LOW | Apple iOS must not allow diagnostic data to be sent to an organization other than DoD. | The sending of diagnostic data back to the manufacturer is prohibited in the DoD. Sending this data to an organization other than DoD is termed a "phone-home" vulnerability. This setting may enable the device manufacturer to gather sensitive location |
| SV-55979r1_rule | AIOS-02-000008 | CCI-000366 | LOW | Apple iOS must limit advertisers' tracking abilities. | Advertisers' tracking abilities refers to the advertisers' ability to categorize the device and spam the user with ads that are most relevant to the user's preferences. By not "Force limiting ad tracking", advertising companies are able to gather informa |
| SV-55980r1_rule | AIOS-02-000015 | CCI-000366 | LOW | Apple iOS must not allow DoD applications to access non-DoD data. | Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes, but are not approved to handle DoD sensitive information. Examples of unmanaged apps include apps for news s |
| SV-55981r1_rule | AIOS-02-000016 | CCI-000366 | LOW | Apple iOS must disable automatic completion of Safari browser passcodes. | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing the use of an AutoFill functionality, an adversary who lea |
| SV-55982r2_rule | AIOS-06-000003 | | MEDIUM | The iOS app used to support the DoD notice and consent banner must either prevent access to a frequently used service or notify another device that acceptance of the user agreement has occurred. | If a user is able to deny either that he or she has used the app or that he or she provided the requisite consent within the app, then the app will not properly support the investigative and prosecutorial purposes of notice and consent. Without notice an |
| SV-56642r1_rule | AIOS-01-000007 | | MEDIUM | Apple iOS must disallow more than an organizationally-defined quantity of sequential numbers (e.g., 456) in the device unlock password. | Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute-force attack. Passwords with sequential numbers (e.g., 456 or 987) are considered easier to crack than random patterns. Therefore, disallowin |