LG Android 6.x Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2019-02-21

Updated At: 2019-05-03 21:23:55

Requirements. Each entry lists Vuln ID, Rule Version, CCI and Severity, followed by the rule Title and its Description (truncated in the source listing).

SV-81295r2_rule  LGA6-20-100101  CCI-002476  HIGH
  Title: LG Android 6.x must require a valid password be successfully entered before the mobile device data is unencrypted.
  Description: Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for generation of key encryption or data encryption keys. If a password is n

SV-81297r2_rule  LGA6-20-100201  CCI-000205  LOW
  Title: LG Android 6.x must enforce a minimum password length of 6 characters.
  Description: Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, an

SV-81299r2_rule  LGA6-20-100301  CCI-000057  MEDIUM
  Title: LG Android 6.x must lock the display after 15 minutes (or less) of inactivity.
  Description: The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, et

SV-81301r2_rule  LGA6-20-100401  CCI-000366  LOW
  Title: LG Android 6.x must not allow passwords that include more than two repeating or sequential characters.
  Description: Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not contain repeating or sequen

SV-81303r2_rule  LGA6-20-100501  CCI-000044  LOW
  Title: LG Android 6.x must not allow more than 10 consecutive failed authentication attempts.
  Description: The more attempts an adversary has to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 gives

SV-81305r2_rule  LGA6-20-100601  CCI-000366  MEDIUM
  Title: LG Android 6.x must enforce an application installation policy by specifying one or more authorized application repositories by disabling Google Play.
  Description: Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise

SV-81307r2_rule  LGA6-20-100701  CCI-000366  MEDIUM
  Title: LG Android 6.x must enforce an application installation policy by specifying an application whitelist.
  Description: Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unaut

SV-81309r2_rule  LGA6-20-100801  CCI-000062  MEDIUM
  Title: LG Android 6.x must not display notifications when the device is locked.
  Description: Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifica

SV-81311r2_rule  LGA6-20-101001  CCI-000381  MEDIUM
  Title: LG Android 6.x must not allow use of developer modes.
  Description: Developer modes expose features of the mobile operating system that are not available during standard operation. An adversary may leverage a vulnerability inherent in developer mode to compromise the confidentiality, integrity, and availability of DoD-s

SV-81313r2_rule  LGA6-20-101101  CCI-001199  HIGH
  Title: LG Android 6.x must protect data at rest on built-in storage media.
  Description: The mobile operating system must ensure the data being written to the mobile device's built-in storage media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permi

SV-81315r2_rule  LGA6-20-101201  CCI-001199  HIGH
  Title: LG Android 6.x must protect data at rest on removable storage media.
  Description: The mobile operating system must ensure the data being written to the mobile device's removable media is protected from unauthorized access. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions

SV-81317r2_rule  LGA6-20-101501  CCI-000048  LOW
  Title: LG Android 6.x must display the DoD advisory warning message at start-up or each time the user unlocks the device.
  Description: The mobile operating system is required to display the DoD-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, direct

SV-81319r2_rule  LGA6-20-101601  CCI-000381  MEDIUM
  Title: LG Android 6.x must not allow a USB mass storage mode.
  Description: USB mass storage mode enables the transfer of data and software from one device to another. This software can include malware. When USB mass storage is enabled on a mobile device, it becomes a potential vector for malware and unauthorized data exfiltratio

SV-81321r2_rule  LGA6-20-101701  CCI-000097  MEDIUM
  Title: LG Android 6.x must not allow backup to locally connected systems.
  Description: Data on mobile devices is protected by numerous mechanisms, including user authentication, access control, and cryptography. When the data is backed up to an external system (either locally connected or cloud-based), many if not all of these mechanisms ar

SV-81323r2_rule  LGA6-20-101801  CCI-000366  MEDIUM
  Title: LG Android 6.x must not allow backup to remote systems.
  Description: Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the mobile operating system. Where the remote backup involves a cloud-based solution, the backup capabil

SV-81325r2_rule  LGA6-20-102101  CCI-000381  LOW
  Title: LG Android 6.x must disable automatic transfer of diagnostic data to an external device other than an MDM service with which the device has enrolled.
  Description: Many software systems automatically send diagnostic data to the manufacturer or a third party. This data enables the developers to understand real world field behavior and improve the product based on that information. Unfortunately, it can also reveal in

SV-81327r2_rule  LGA6-20-102201  CCI-000381  MEDIUM
  Title: LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable fingerprint.
  Description: Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None of these alternatives are currently evaluated in a Common

SV-81329r2_rule  LGA6-20-102501  CCI-000366  LOW
  Title: LG Android 6.x must enable VPN protection.
  Description: A key characteristic of mobile devices is that they typically communicate wirelessly and are often expected to reside in locations outside the physical security perimeter of a DoD facility. In these circumstances, the threat of eavesdropping is subs

SV-81331r2_rule  LGA6-20-102601  CCI-000366  MEDIUM
  Title: LG Android 6.x whitelist must not include applications with the following characteristics:
    - backup MD data to non-DoD cloud servers (including user and application access to cloud backup services);
    - transmit MD diagnostic data to non-DoD servers;
    - voice assistant application if available when MD is locked;
    - voice dialing application if available when MD is locked;
    - allows synchronization of data or applications between devices associated with user;
    - payment processing; and
    - allows unencrypted (or encrypte
  Description: Requiring all authorized applications to be in an application whitelist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the whitelist. Failure to configure an application whitelist properly could allow unaut

SV-81333r2_rule  LGA6-20-102701  CCI-000366  MEDIUM
  Title: LG Android 6.x must be configured to implement the management setting: Disable Bluetooth Data Transfer.
  Description: Some Bluetooth profiles provide the capability for remote transfer of sensitive DoD data without encryption or otherwise do not meet DoD IT security policies and therefore should be disabled. SFR ID: FMT_SMF_EXT.1.1 #20

SV-81335r2_rule  LGA6-20-102901  CCI-000366  MEDIUM
  Title: LG Android 6.x must be configured to disable VPN split-tunneling.
  Description: Split-tunneling allows multiple simultaneous remote connections to the mobile device. Unless VPN split-tunneling is disabled, malicious applications can covertly off-load device data to a third-party server or set up a trusted tunnel between a non-DoD third

SV-81351r2_rule  LGA6-20-103101  CCI-000366  MEDIUM
  Title: LG Android 6.x must be configured to disable automatic updates of system software.
  Description: FOTA allows the user to download and install firmware updates over-the-air. These updates can include OS upgrades, security patches, bug fixes, new features and applications. Since the updates are controlled by the carriers, DoD will not have an opportuni

SV-81353r2_rule  LGA6-99-100001  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Install CA certificate.
  Description: Without implementing the desired security configuration settings, the mobile operating system will have known weaknesses that adversaries could exploit to disrupt the confidentiality, integrity, and availability of the DoD data accessed on and through the

SV-81355r2_rule  LGA6-20-100602  CCI-000366  MEDIUM
  Title: LG Android 6.x must enforce an application installation policy by specifying one or more authorized application repositories by disabling unknown sources.
  Description: Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise

SV-81357r2_rule  LGA6-20-100902  CCI-000063  MEDIUM
  Title: LG Android 6.x must not allow protocols supporting wireless remote access connections: Bluetooth tethering.
  Description: Having wireless remote access connections enabled could allow establishment of unauthorized remote access connections, which may give an adversary unintended capabilities. These remote access connections would expose the mobile device to additional risk,

SV-81359r2_rule  LGA6-20-102202  CCI-000381  MEDIUM
  Title: LG Android 6.x must disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Disable Smart Lock.
  Description: Many mobile devices now permit a user to unlock the user's device by presenting a fingerprint to an embedded fingerprint reader. Other biometrics and token-based systems are feasible as well. None of these alternatives are currently evaluated in a Common

SV-81361r2_rule  LGA6-20-100903  CCI-000063  MEDIUM
  Title: LG Android 6.x must not allow protocols supporting wireless remote access connections: USB tethering.
  Description: Having wireless remote access connections enabled could allow establishment of unauthorized remote access connections, which may give an adversary unintended capabilities. These remote access connections would expose the mobile device to additional risk,

SV-81363r2_rule  LGA6-99-100003  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable USB host storage.
  Description: The USB host storage feature allows the device to connect to select USB devices (e.g., USB flash drives, USB mouse, USB keyboard) using a micro USB to USB adapter cable. A user can copy sensitive DoD information to external USB storage unencrypted, result

SV-81365r2_rule  LGA6-99-100004  CCI-000366  LOW
  Title: LG Android 6.x must implement the management setting: Disable Voice Command.
  Description: On mobile operating system devices, users may be able to access the device's contact database or calendar to obtain phone numbers and other information by voice even when the mobile device is locked. Often this information is personally ident

SV-81367r2_rule  LGA6-99-100005  CCI-000366  LOW
  Title: LG Android 6.x must implement the management setting: Disable NFC.
  Description: NFC is a wireless technology that transmits small amounts of information from the device to the NFC reader. Any data transmitted can be potentially compromised. Disabling this feature mitigates this risk. SFR ID: FMT_SMF_EXT.1.1 #45

SV-81369r2_rule  LGA6-99-100006  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable Nearby devices.
  Description: The Nearby devices feature allows the user to share files with other devices that are connected on the same Wi-Fi access point using the DLNA technology. Even though the user must allow requests from other devices, this feature can potentially result in u

SV-81371r2_rule  LGA6-99-100007  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable Removal of device administrator rights.
  Description: Security-related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not implemented, the system may be vulnerable to a variety of atta

SV-81373r2_rule  LGA6-99-100008  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable System Time Changes.
  Description: Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events. Periodically synchronizing internal clocks with an authoritative time source is needed in orde

SV-81375r2_rule  LGA6-99-100009  CCI-000366  HIGH
  Title: LG Android 6.x must implement the management setting: Enable CC mode.
  Description: CC mode implements several security controls required by the Mobile Device Fundamentals Protection Profile (MDFPP). If CC mode is not implemented, DoD data is more at risk of being compromised, and the MD is more at risk of being compromised if lost or stol

SV-81377r2_rule  LGA6-99-100010  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable all non-approved preinstalled applications.
  Description: Applications from various sources (including the vendor, the carrier, and Google) are installed on the device at the time of manufacture. Core apps are apps preinstalled by Google. Third-party preinstalled apps include apps from the vendor and carrier. S

SV-81379r2_rule  LGA6-99-100012  CCI-000366  MEDIUM
  Title: LG Android 6.x must be configured to implement the management setting: Disable LG browser and Chrome browser. Note: This requirement is Not Applicable for the COPE#2 activation type.
  Description: The native browser includes encryption modules that are not FIPS 140-2 validated. DoD policy requires all encryption modules used in DoD IT systems be FIPS 140-2 validated. SFR ID: FMT_SMF_EXT.1.1 #45

SV-81381r2_rule  LGA6-99-100014  CCI-000366  MEDIUM
  Title: LG Android 6.x must not allow Google Auto sync.
  Description: Synchronization of data between devices associated with one user permits a user of a mobile operating system device to transition user activities from one device to another. This feature passes sufficient information between the devices to describe the ac

SV-81383r2_rule  LGA6-99-100015  CCI-000366  MEDIUM
  Title: LG Android 6.x must be configured to implement the management settings: Disable Android Beam.
  Description: Android Beam provides the capability for Android devices to transfer data between them. Data transfer is not encrypted using FIPS-validated encryption mechanisms. Sensitive DoD information could be compromised if Android Beam is enabled. SFR ID: FMT_SMF_

SV-81385r2_rule  LGA6-99-100018  CCI-000366  MEDIUM
  Title: LG Android 6.x must be configured to disable download mode.
  Description: Download mode allows the firmware of the device to be flashed (updated) by the user. All updates should be controlled by the system administrator to ensure configuration control of the security baseline of the device. SFR ID: FMT_SMF_EXT.1.1 #45

SV-81387r2_rule  LGA6-99-100051  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disallow addition of Google Accounts (for Work Profile). This requirement is only valid for activation type COPE#2.
  Description: A Google account may gather a user's information, such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and database. This data is stored at a location that has unauthorized e

SV-81389r1_rule  LGA6-99-100052  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: list approved apps on the Whitelisted Android Apps (for Work Profile). This requirement is only valid for activation type COPE#2.
  Description: This setting enables an application whitelist in the Work Profile. Failure to specify which applications are approved could allow unauthorized and malicious applications to be downloaded, installed, and/or executed on the mobile device, causing a compromi

SV-81391r2_rule  LGA6-99-100055  CCI-000366  LOW
  Title: LG Android 6.x must implement the management setting: Set uninstall not allowed for mandatory Work Profile apps. This requirement is only valid for activation type COPE#2.
  Description: This setting will block the removal of required applications. The Approving Authority may determine that a specific set of apps are required to meet mission needs. Key mission capabilities may be degraded if required apps are removed. SFR ID: FMT_SMF_EXT

SV-81393r2_rule  LGA6-99-100057  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Install CA certificate (for Work Profile). This requirement is only valid for activation type COPE#2.
  Description: Unauthorized applications pose a variety of risks to DoD information and systems. Digital signature (or public key) technology enables strong assurance of application source and integrity. However, these assurance characteristics are only present when the

SV-81395r2_rule  LGA6-99-100058  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable content sharing (for Work Profile). This requirement is only valid for activation type COPE#2.
  Description: Allowing movement of files between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal

SV-81397r2_rule  LGA6-99-100060  CCI-000366  MEDIUM
  Title: LG Android 6.x must implement the management setting: Disable allow copy and paste between Work Profile and personal space. This requirement is only valid for activation type COPE#2.
  Description: Allowing movement of data between the container and personal side will result in both personal data and sensitive DoD data being placed in the same space. This can potentially result in DoD data being transmitted to non-authorized recipients via personal

SV-101885r1_rule  LGA6-20-109999  HIGH
  Title: Only authorized versions of the LG Android OS must be used.
  Description: The LG Android OS 6 is no longer supported by LG and therefore may contain security vulnerabilities. The LG Android OS 6 is not authorized within the DoD.
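The following is an added example, not text or code from the STIG and not LG's MDM agent or SDK: a device-owner app that maps the subset of the rules above which have a public equivalent onto the Android 6.0 (API 23) DevicePolicyManager and UserManager API. The package name, the Admin receiver (which also has to be declared in the manifest), and the inputs (DER-encoded DoD root CA bytes, a package whitelist, a mandatory-app list) are assumptions. Rules that depend on LG-specific MDM controls (CC mode, download mode, FOTA, Bluetooth data transfer, repeating/sequential password characters, split-tunneling, among others) have no public AOSP API on Android 6 and are only noted in comments. Since LGA6-20-109999 makes the OS itself unauthorized, the value of this block is as a reference for how each control class is expressed in the platform API.

```java
// Added example (not from the STIG or from LG). Device-owner app mapping a subset of the
// LGA6 rules onto the public Android 6.0 (API 23) DevicePolicyManager / UserManager API.
// Assumptions: the package name, the Admin receiver, and the inputs passed to each method.
package mil.example.stig;

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.UserManager;
import java.util.Collection;
import java.util.Set;

public final class StigPolicy {

    /** Hypothetical admin receiver; it must be declared in the manifest with BIND_DEVICE_ADMIN. */
    public static final class Admin extends DeviceAdminReceiver {}

    private static final long LOCK_AFTER_MS = 15L * 60L * 1000L;   // LGA6-20-100301: 15 minutes

    private final Context ctx;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public StigPolicy(Context ctx) {
        this.ctx = ctx;
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(ctx, Admin.class);
    }

    /** The calls below throw SecurityException unless this app is device owner (or profile owner for the work-profile rules). */
    public boolean isOwner() {
        String pkg = ctx.getPackageName();
        return dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg);
    }

    /** Device-wide rules; run as device owner. */
    public void applyDeviceRules(byte[] dodRootCaDer) {
        // LGA6-20-100101 / -100201: a password is required and is at least 6 characters long.
        // The length minimum is only enforced at a quality of NUMERIC or stronger; ALPHANUMERIC
        // is an assumption here, the STIG only fixes the length.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, 6);
        // LGA6-20-100401 (repeating/sequential characters) has no AOSP API; vendor MDM API only.

        dpm.setMaximumTimeToLock(admin, LOCK_AFTER_MS);           // LGA6-20-100301
        dpm.setMaximumFailedPasswordsForWipe(admin, 10);           // LGA6-20-100501: wipe on the 10th failure

        // LGA6-20-100801, -102201, -102202: no lock-screen notifications, no fingerprint unlock,
        // no Smart Lock (Smart Lock is implemented as trust agents).
        dpm.setKeyguardDisabledFeatures(admin,
                DevicePolicyManager.KEYGUARD_DISABLE_SECURE_NOTIFICATIONS
              | DevicePolicyManager.KEYGUARD_DISABLE_FINGERPRINT
              | DevicePolicyManager.KEYGUARD_DISABLE_TRUST_AGENTS);

        dpm.setStorageEncryption(admin, true);                     // LGA6-20-101101: built-in storage
        dpm.setAutoTimeRequired(admin, true);                      // LGA6-99-100008: no manual clock changes

        if (!dpm.installCaCert(admin, dodRootCaDer)) {             // LGA6-99-100001
            throw new IllegalStateException("DoD root CA install failed");
        }

        // One UserManager restriction per rule. DISALLOW_DEBUGGING_FEATURES turns off ADB, which
        // also removes the `adb backup` path to a locally connected host (LGA6-20-101701).
        String[] restrictions = {
            UserManager.DISALLOW_DEBUGGING_FEATURES,       // LGA6-20-101001: developer options / ADB
            UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,  // LGA6-20-100602
            UserManager.DISALLOW_USB_FILE_TRANSFER,        // LGA6-20-101601 (Android 6 exposes MTP/PTP, not true mass storage)
            UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,     // LGA6-99-100003: USB host storage / external media
            UserManager.DISALLOW_CONFIG_TETHERING,         // LGA6-20-100902 / -100903
            UserManager.DISALLOW_OUTGOING_BEAM,            // LGA6-99-100015: Android Beam
        };
        for (String r : restrictions) {
            dpm.addUserRestriction(admin, r);
        }
    }

    /** LGA6-20-100701 / LGA6-99-100010: hide every installed package that is not whitelisted.
     *  The whitelist must include the platform packages the device needs to operate (launcher,
     *  settings, telephony); hiding those makes the device unusable. */
    public void enforceWhitelist(Set<String> whitelist) {
        for (ApplicationInfo ai : ctx.getPackageManager().getInstalledApplications(0)) {
            boolean allowed = whitelist.contains(ai.packageName)
                    || ai.packageName.equals(ctx.getPackageName());   // never hide the admin itself
            dpm.setApplicationHidden(admin, ai.packageName, !allowed);
        }
    }

    /** COPE#2 Work Profile rules (LGA6-99-10005x); run as profile owner of the work profile. */
    public void applyWorkProfileRules(Collection<String> mandatoryApps, byte[] dodRootCaDer) {
        dpm.setAccountManagementDisabled(admin, "com.google", true);                    // LGA6-99-100051
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE);  // LGA6-99-100060
        dpm.clearCrossProfileIntentFilters(admin);    // LGA6-99-100058: no work-to-personal intent forwarding
        for (String pkg : mandatoryApps) {
            dpm.setUninstallBlocked(admin, pkg, true);                                  // LGA6-99-100055
        }
        dpm.installCaCert(admin, dodRootCaDer);                                         // LGA6-99-100057
    }
}
```

Two points worth checking on a real device: `setMaximumFailedPasswordsForWipe` enforces the 10-attempt rule by wiping, so the rule's intent is met only if the device owner also holds the data-wipe policy; and `setApplicationHidden` on a system package does not uninstall it, so a whitelist audit has to query hidden state with `isApplicationHidden` rather than the package list alone.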