{"stig":{"title":"Google Android 13 BYOAD Security Technical Implementation Guide","version":"1","release":"3"},"checks":[{"vulnId":"V-258475","ruleId":"SV-258475r1120908_rule","severity":"low","ruleTitle":"Google Android 13 must prohibit DOD VPN profiles in the Personal Profile.","description":"If DOD VPN profiles are configured in the Personal Profile DOD sensitive data world be at risk of compromise and the DOD network could be at risk of being attacked by malware installed on the device.\n\nSFR ID: FMT_SMF_EXT.1.1 #3","checkContent":"Review the list of VPN profiles in the Personal Profile and determine if any VPN profiles are listed. If so, verify the VPN profiles are not configured with a DOD network VPN profile. \n\nIf any VPN profiles are installed in the Personal Profile and they have a DOD network VPN profile configured, this is a finding.\n\nNote: This setting cannot be managed by the MDM administrator and is a User-Based Enforcement (UBE) requirement.","fixText":"Do not configure DOD VPN profiles in the Personal Profile.","ccis":["CCI-000366","CCI-000370"]},{"vulnId":"V-258476","ruleId":"SV-258476r985624_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to enforce a minimum password length of six characters and not allow passwords that include more than four repeating or sequential characters.","description":"Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise.\n\nSatisfies: PP-MDF-333024, PP-MDF-333025\n\nSFR ID: FMT_SMF_EXT.1.1 #1a","checkContent":"Review managed Google Android 13 device configuration settings to determine if the mobile device is enforcing a high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters).\n\n1. Verify the device password configuration:\n\nOn the EMM console:\na. Open \"Lock screen\" settings.\nb. Open \"Set required password complexity on parent\".\nc. Verify \"High\" is selected.\n\n2. Verify the Work Profile password configuration:\n\nOn the EMM console (for the work profile):\n1. Open \"Lock screen\" settings.\n2. Open \"Password constraints\".\n3. Open \"Minimum password quality\".\n4. Verify Numeric Complex, Alphabetic, Alphanumeric, or Complex is selected.\n5. Open \"Minimum password length\".\n6. Verify \"6\" is set for number of characters.\n\nIf the device password quality is not set to High or the Work Profile password length is not set to six characters or the password quality is not set as required, this is a finding.\n\nNote: verifying the OneLock configuration is not required because the use of OneLock is optional.","fixText":"Configure the Google Android 13 device to enforce high password quality for the device and standard DOD password complexity rules for the Work Profile (at least six-character length and prevent passwords from containing more than four repeating or sequential characters). In addition, enable OneLock so the user only must enter their device password to unlock the Work Profile. Note: enabling OneLock is optional and is a two-step process: configuration on the EMM and configuration by the user on the phone. If OneLock is not used, the user will always need to enter separate passwords to unlock the device and to unlock the Work Profile.\n\n1. Set the password on the whole device:\nSet device password complexity to \"HIGH\" (requires (at minimum) an eight numeric character password, or six alphabetic character password, or a six alphanumeric character password)\n\nOn the EMM console:\na. Open \"Lock screen\" settings.\nb. Open \"Set required password complexity on parent\".\nc. Select \"High\".\n\n2. Set DOD password for the Work Profile.\n\nOn the EMM console:\na. Open \"Lock screen\" settings.\nb. Open \"Password constraints\".\nc. Open \"Minimum password quality\".\nd. Choose Numeric Complex, Alphabetic, Alphanumeric, or Complex.\ne. Open \"Minimum password length\".\nf. Enter in the number of characters as \"6\".\n\n3. Enable OneLock on the EMM.\n\nOn the MDM console:\na. Disable the following Android API: \"DISALLOW_UNIFIED_PASSWORD\". The exact procedure will depend on the EMM product.\nNote: this control may be called \"Require separate challenge\".\n\n4. Train users to implement OneLock with the following User Based Enforcement (UBE): procedure:\n\na. Open Settings >> Security & privacy >> More security settings.\nb. Enable \"Use one lock\".","ccis":["CCI-000205"]},{"vulnId":"V-258478","ruleId":"SV-258478r971318_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to lock the display after 15 minutes (or less) of inactivity.","description":"The screen lock timeout must be set to a value that helps protect the device from unauthorized access. Having a too-long timeout would increase the window of opportunity for adversaries who gain physical access to the mobile device through loss, theft, etc. Such devices are much more likely to be in an unlocked state when acquired by an adversary, thus granting immediate access to the data on the mobile device. The maximum timeout period of 15 minutes has been selected to balance functionality and security; shorter timeout periods may be appropriate depending on the risks posed to the mobile device.\n\nSFR ID: FMT_SMF_EXT.1.1 #2b","checkContent":"Review managed Google Android device configuration settings to determine if the mobile device is enforcing a screen-lock policy that will lock the display after a period of 15 minutes or less of inactivity.\n\nNote: Google Android 13 does not support the 15-minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control should be set to 10 minutes.\n\nThis validation procedure is performed on both the EMM Administration Console and the Android 13 device.\n\nOn the EMM console:\n\n1. Open \"Lock screen restrictions\".\n2. Verify that \"Max time to screen lock\" is set to \"600\".\nNote: The units are in seconds.\n\nOn the managed Google Android 13 device:\n\n1. Open Settings >> Display.\n2. Tap \"Screen timeout\".\n3. Ensure the Screen timeout value is set to \"600\" seconds or less.\n\nIf the EMM console device policy is not set to enable a screen-lock policy that will lock the display after a period of inactivity of 600 seconds or less, this is a finding.","fixText":"Configure the Google Android 13 device to enable a screen-lock policy of 15 minutes for the max period of inactivity.\n\nNote: Google Android 13 does not support the 15 minute increment. The available allowable selection is 10 minutes, then increases to 30 minutes. Therefore, the control will be set to 10 minutes.\n\nOn the EMM console:\n\n1. Open \"Lock screen restrictions\".\n2. Set \"Max time to screen lock\" to \"600\".\nNote: The units are in seconds.","ccis":["CCI-000057"]},{"vulnId":"V-258479","ruleId":"SV-258479r958388_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to not allow more than 10 consecutive failed authentication attempts.","description":"The more attempts an adversary makes to guess a password, the more likely the adversary will enter the correct password and gain access to resources on the device. Setting a limit on the number of attempts mitigates this risk. Setting the limit at 10 or less gives authorized users the ability to make a few mistakes when entering the password but still provides adequate protection against dictionary or brute force attacks on the password.\n\nSFR ID: FMT_SMF_EXT.1.1 #2c, FIA_AFL_EXT.1.5","checkContent":"Review managed Google Android 13 device configuration settings to determine if the work profile has the maximum number of consecutive failed authentication attempts set at 10 or fewer.\n\nThis validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device.\n\nOn the EMM console:\n\n1. Open \"Lock screen\" settings.\n2. Open \"Lock screen restrictions\".\n3. Verify that \"Max password failures for local wipe\" is set to a number between 1 and 10.\n\nOn the managed Google Android 13 device:\n\n1. Lock the device screen.\n2. Attempt to unlock the device and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile.\n3. Attempt to unlock the Work Profile and validate that the device autowipes the Work Profile after specified number of invalid entries. Note: Perform this verification only with a test phone set up with a production profile.\n\nIf the EMM console device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, or if on the managed Google Android 13 device the device policy is not set to the maximum number of consecutive failed authentication attempts at 10 or fewer, this is a finding.","fixText":"Configure the Google Android 13 device to allow only 10 or fewer consecutive failed authentication attempts.\n\nNote: Work Profile will be wiped.\n\nOn the EMM console:\n\n1. Open \"Lock screen\" settings.\n2. Open \"Lock screen restrictions\".\n3. Set \"Max password failures for local wipe\" to a number between 1 and 10.","ccis":["CCI-000044"]},{"vulnId":"V-258480","ruleId":"SV-258480r959010_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to enforce an application installation policy by specifying one or more authorized application repositories.","description":"Forcing all applications to be installed from authorized application repositories can prevent unauthorized and malicious applications from being installed and executed on mobile devices. Allowing such installations and executions could cause a compromise of DOD data accessible by these unauthorized/malicious applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #8a","checkContent":"Review managed Google Android 13 device configuration settings to determine if the mobile device has only approved application repositories.\n\nThis validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device.\n\nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Verify that \"Disallow install unknown sources\" is toggled to \"ON\".\n3. Verify that \"Disallow installs from unknown sources globally\" is toggled to \"ON\".\n\nOn the Google Android 13 device:\n\n1. Open Settings >> Apps >> Special app access.\n2. Open Install unknown apps.\n3. Ensure the list of apps is blank or if an app is on the list, \"Disabled\" is listed under the app name.\n\nIf the EMM console device policy is not set to allow connections to only approved application repositories or on the managed Google Android 13 device, the device policy is not set to allow connections to only approved application repositories, this is a finding.","fixText":"Configure the Google Android 13 device to disable unauthorized application repositories.\n\nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Toggle \"Disallow install unknown sources\" to \"ON\".\n3. Toggle \"Disallow installs from unknown sources globally\" to \"ON\".","ccis":["CCI-000366"]},{"vulnId":"V-258481","ruleId":"SV-258481r958804_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].","description":"The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.\n\nCore application: Any application integrated into the OS by the OS or MD vendors.\n\nPreinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nRequiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications.\n\nThe application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core applications (included in the OS by the OS vendor) and preinstalled applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b","checkContent":"Review managed Google Android 13 device configuration settings to determine if the mobile device has an application allowlist configured. Verify all applications listed on the allowlist have been approved by the Approving Official (AO).\n\nOn the EMM console:\n\n1. Go to the Android app catalog for managed Google Play.\n2. Verify all selected apps are AO approved.\n\nOn the managed Google Android 13 device:\n\n1. Open the managed Google Play Store.\n2. Verify that only the approved apps are visible.\n\nNote: Managed Google Play is an allowed App Store.\n\nIf the EMM console list of selected managed Google Play apps includes nonapproved apps, this is a finding.\n\nNote: The application allowlist will only include approved core applications (included in the OS by the OS vendor) and pre-installed applications (provided by the MD vendor and wireless carrier), or the MD must provide an alternate method of restricting user access/execution to core and pre-installed applications. For Google Android, there are no pre-installed applications.","fixText":"Configure the Google Android 13 device to use an application allowlist.\n\nOn the EMM console:\n\n1. Go to the Android app catalog for managed Google Play.\n2. Select apps to be available (only approved apps).\n3. Push updated policy to the device.\n\nNote: Managed Google Play is an allowed App Store.","ccis":["CCI-001764"]},{"vulnId":"V-258482","ruleId":"SV-258482r1032950_rule","severity":"medium","ruleTitle":"Google Android 13 allowlist must be configured to not include applications with the following characteristics (work profile only):\n\n1. Back up mobile device (MD) data to non-DOD cloud servers (including user and application access to cloud backup services);\n2. Transmit MD diagnostic data to non-DOD servers;\n3. Voice assistant application if available when MD is locked;\n4. Voice dialing application if available when MD is locked;\n5. Allows synchronization of data or applications between devices associated with user; and\n6. Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers.","description":"Requiring all authorized applications to be in an application allowlist prevents the execution of any applications (e.g., unauthorized, malicious) that are not part of the allowlist. Failure to configure an application allowlist properly could allow unauthorized and malicious applications to be downloaded, installed, and executed on the mobile device, causing a compromise of DOD data accessible by these applications. Applications with the listed characteristics have features that can cause the compromise of sensitive DOD data or have features with no known application in the DOD environment.\n\nApplication Note: The application allowlist, in addition to controlling the installation of applications on the MD, must control user access/execution of all core and preinstalled applications, or the MD must provide an alternate method of restricting user access/execution to core and preinstalled applications.\n\nCore application: Any application integrated into the OS by the OS or MD vendors.\n\nPreinstalled application: Additional noncore applications included in the OS build by the OS vendor, MD vendor, or wireless carrier.\n\nSFR ID: FMT_SMF_EXT.1.1 #8b","checkContent":"Review managed Google Android 13 device configuration settings to determine if the mobile device has an application allowlist configured and that the application allowlist does not include applications with the following characteristics:\n\n- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);\n- Transmit MD diagnostic data to non-DOD servers;\n- Voice assistant application if available when MD is locked;\n- Voice dialing application if available when MD is locked;\n- Allows synchronization of data or applications between devices associated with user;\n- Payment processing; and\n- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers.\n\nThis validation procedure is performed only on the EMM Administration Console.\n\nOn the EMM console:\n\n1. Review the list of selected Managed Google Play apps.\n2. Review the details and privacy policy of each selected app to ensure the app does not include prohibited characteristics.\n\nIf the EMM console device policy includes applications with unauthorized characteristics, this is a finding.","fixText":"Configure the Google Android 13 device application allowlist to exclude applications with the following characteristics:\n\n- Back up MD data to non-DOD cloud servers (including user and application access to cloud backup services);\n- Transmit MD diagnostic data to non-DOD servers;\n- Voice assistant application if available when MD is locked;\n- Voice dialing application if available when MD is locked;\n- Allows synchronization of data or applications between devices associated with user;\n- Payment processing; and\n- Allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs, display screens (screen mirroring), or printers.\n\nOn the EMM console:\n\n1. Go to the Android app catalog for managed Google Play.\n2. Before selecting an app, review the app details and privacy policy to ensure the app does not include prohibited characteristics.","ccis":["CCI-000366"]},{"vulnId":"V-258483","ruleId":"SV-258483r958404_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to not display the following (work profile) notifications when the device is locked: [selection:\na. email notifications \nb. calendar appointments \nc. contact associated with phone call notification \nd. text message notification\ne. other application-based notifications\nf. all notifications].","description":"Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the mobile operating system (MOS) to not send notifications to the lock screen mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #18","checkContent":"Review managed Google Android 13 device settings to determine if the Google Android 13 device displays (work profile) notifications on the lock screen. Notifications of incoming phone calls are acceptable even when the device is locked. \n\nThis validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. \n\nOn the EMM console:\n\n1. Open \"Lock screen\" settings.\n2. Open \"Lock screen restrictions\".\n3. Verify that \"Disable unredacted notifications\" is toggled to \"ON\".\n\nOn the managed Google Android 13 device:\n\n1. Go to Settings >> Display >> Lock screen.\n2. Tap on \"When work profile is locked\".\n3. Verify that \"Hide sensitive work content\" is selected.\n\nIf the EMM console device policy allows work notifications on the lock screen, or the managed Google Android 13 device allows work notifications on the lock screen, this is a finding.","fixText":"Configure the Google Android 13 device to not display (work profile) notifications when the device is locked.\n\nOn the EMM console:\n\n1. Open \"Lock screen\" settings.\n2. Open \"Lock screen restrictions\".\n3. Toggle \"Disable unredacted notifications\".","ccis":["CCI-000060"]},{"vulnId":"V-258484","ruleId":"SV-258484r985628_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to disable trust agents.","description":"Trust agents allow a user to unlock a mobile device without entering a passcode when the mobile device is, for example, connected to a user-selected Bluetooth device or in a user-selected location. This technology would allow unauthorized users to have access to DOD sensitive data if compromised. By not permitting the use of nonpassword authentication mechanisms, users are forced to use passcodes that meet DOD passcode requirements.\n\nSFR ID: FMT_SMF_EXT.1.1 #22, FIA_UAU.5.1","checkContent":"Review device configuration settings to confirm that trust agents are disabled at the same location where the DOD password is implemented (device or work profile).\n\nThis procedure is performed on both the EMM Administration console and the managed Google Android 13 device.\n \nOn the EMM console:\n1. Open \"Lock screen restrictions\".\n2. Select \"Personal Profile\".\n3. Verify that \"Disable trust agents\" is toggled to \"ON\".\n4. Open \"Lock screen restrictions\".\n5. Select \"Work Profile\".\n6. Verify that \"Disable trust agents\" is toggled to \"ON\".\n\nOn the managed Google Android 13 device: \n\n1. Open Settings.\n2. Tap \"Security & privacy\". \n3. Tap \"More security settings\". \n4. Tap \"Trust agents\". \n5. Verify that all listed trust agents are disabled and cannot be enabled.\n \nIf on the EMM console, \"disable trust agents\" is not selected, or on the managed Google Android 13 device a trust agent can be enabled, this is a finding.","fixText":"Configure the Google Android 13 device to disable trust agents at the same location where the DOD password is implemented (device or work profile).\n \nOn the EMM console:\n\n1. Open \"Lock screen restrictions\".\n2. Select \"Personal Profile\".\n3. Toggle \"Disable trust agents\" to \"ON\".\n4. Open \"Lock screen restrictions\".\n5. Select \"Work Profile\".\n6. Toggle \"Disable trust agents\" to \"ON\".","ccis":["CCI-000767"]},{"vulnId":"V-258485","ruleId":"SV-258485r958390_rule","severity":"low","ruleTitle":"Google Android 13 must be configured to display the DOD advisory warning message at startup or each time the user unlocks the Work Profile.","description":"Before granting access to the system, the mobile operating system is required to display the DOD-approved system use notification message or banner that provides privacy and security notices consistent with applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Required banners help ensure that DOD can audit and monitor the activities of mobile device users without legal restriction.\n\nSystem use notification messages can be displayed when individuals first access or unlock the mobile device. The banner must be implemented as a \"click-through\" banner at device unlock (to the extent permitted by the operating system). A \"click-through\" banner prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\".\n\nThe approved DOD text must be used exactly as required in the Knowledge Service referenced in DODI 8500.01. For devices accommodating banners of 1300 characters, the banner text is: \n\nYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \nBy using this IS (which includes any device attached to this IS), you consent to the following conditions: \n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\n\nFor devices with severe character limitations, the banner text is:\n\nI've read & consent to terms in IS user agreem't.\n\nThe administrator must configure the banner text exactly as written without any changes.\n\nSFR ID: FMT_SMF_EXT.1.1 #36","checkContent":"The DOD warning banner can be displayed using the following method (required text is found in the Vulnerability Discussion):\n\nBy placing the DOD warning banner text in the user agreement signed by each managed Android 13 device user (preferred method).\n\nNote: It is not possible for the EMM to force a warning banner be placed on the device screen when using \"work profile for employee-owned devices (BYOD)\" deployment mode.\n\nReview the signed user agreements for several Google Android 13 device users and verify the agreement includes the required DOD warning banner text.\n\nIf the required warning banner text is not on all signed user agreements reviewed, this is a finding.","fixText":"Configure the DOD warning banner by the following method (required text is found in the Vulnerability Discussion):\n\nBy placing the DOD warning banner text in the user agreement signed by each Google Android 13 device user (preferred method).\n\nNote: It is not possible for the EMM to force a warning banner be placed on the device screen when using \"work profile for employee-owned devices (BYOD)\" deployment mode.","ccis":["CCI-000048"]},{"vulnId":"V-258486","ruleId":"SV-258486r1117267_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to not allow backup of all work profile applications to remote systems.","description":"Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the mobile operating system (MOS). Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DOD devices may synchronize DOD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. Disallowing remote backup mitigates this risk.\n\nSFR ID: FMT_SMF_EXT.1.1 #40","checkContent":"Review managed Google Android 13 device configuration settings to determine if the capability to back up to a remote system has been disabled.\n\nNote: Since personal accounts cannot be added to the work profile (GOOG-13-710100), this control only impacts personal accounts, this setting is used to prevent violations within the work profile for backing up data. This is not applicable to the personal profile.\n\nThis validation procedure is performed on both the EMM Administration Console and the managed Google Android 13 device. \n\nOn the EMM console:\n\n1. Open \"Device owner management\".\n2. Verify \"Enable backup service\" is toggled to \"OFF\".\n\nOn the managed Google Android 13 device:\n\n1. Go to Settings >> System >> System >> Backup.\n2. Select \"Work\".\n3. Verify Backup settings is \"Not available\".\n\nIf backup service for the work profile has not been disabled, this is a finding.","fixText":"Configure the Google Android 13 device to disable backup to remote systems (including commercial clouds).\n\nOn the EMM console:\n\n1. Open \"Device owner management\".\n2. Toggle \"Enable backup service\" to \"OFF\".","ccis":["CCI-001090"]},{"vulnId":"V-258487","ruleId":"SV-258487r1117274_rule","severity":"medium","ruleTitle":"Google Android 13 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].","description":"App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DOD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk.\n\nCopy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups.\n\nSFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2","checkContent":"Review documentation on the managed Google Android 13 device and inspect the configuration on the Google Android device to verify the access control policy that prevents [selection: application processes] from accessing [selection: all] data stored by other [selection: application processes] is enabled.\n\nThis validation procedure is performed only on the EMM Administration Console. \n\nOn the EMM console:\n\n1. Open \"User restrictions\".\n2. Open \"Set user restrictions\".\n3. Verify that \"Disallow cross profile copy/paste\" is toggled to \"ON\".\n4. Verify that \"Disallow sharing data into the profile\" is toggled to \"ON\".\n\nIf the EMM console device policy is not set to disable data sharing between profiles, this is a finding.","fixText":"Configure the Google Android 13 device to enable the access control policy that prevents [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].\n\nNote: All application data is inherently sandboxed and isolated from other applications. To disable copy/paste on the EMM console:\n\n1. Open \"User restrictions\".\n2. Open \"Set user restrictions\".\n3. Toggle \"Disallow cross profile copy/paste\" to \"ON\".\n4. Toggle \"Disallow sharing data into the profile\" to \"ON\".","ccis":["CCI-002233","CCI-002530"]},{"vulnId":"V-258488","ruleId":"SV-258488r959010_rule","severity":"medium","ruleTitle":"Google Android 13 users must complete required training.","description":"The security posture of Google devices requires the device user to configure several required policy rules on their device. User-Based Enforcement (UBE) is required for these controls. In addition, if the Authorizing Official (AO) has approved the use of an unmanaged personal space, the user must receive training on risks. If a user is not aware of their responsibilities and does not comply with UBE requirements, the security posture of the Google mobile device and DOD sensitive data may become compromised.\n\nSFR ID: NA","checkContent":"Review a sample of site User Agreements for Google Android 13 device users or similar training records and training course content. \n \nVerify the Google Android 13 device users have completed the required training. The intent is that required training is renewed on a periodic basis in a time period determined by the AO. \n \nIf any Google Android 13 device user has not completed the required training, this is a finding.","fixText":"All Google Android 13 device users must complete training on the following training topics (users must acknowledge that they have reviewed training via a signed User Agreement or similar written record): \n- Operational security concerns introduced by unmanaged applications/unmanaged personal space, including applications using global positioning system (GPS) tracking.\n- The need to ensure no DOD data is saved to the personal space or transmitted from a personal app (for example, from personal email). \n- If the Purebred key management app is used, users are responsible for always maintaining positive control of their credentialed device. The DOD PKI certificate policy requires subscribers to maintain positive control of the devices that contain private keys and to report any loss of control so the credentials can be revoked. Upon device retirement, turn-in, or reassignment, ensure that a factory data reset is performed prior to device hand-off. Follow mobility service provider decommissioning procedures as applicable.\n- How to configure the following UBE controls (users must configure the control) on the Google device: \n **Do not remove DOD intermediate and root PKI digital certificates \n **Do not configure a DOD network (work) VPN profile on any third-party VPN client installed in the personal space \n- How to implement OneLock.\n- Screenshots will not be taken of any “work” related managed data.-Screenshots will not be taken of any “work” related managed data.","ccis":["CCI-000366"]},{"vulnId":"V-258489","ruleId":"SV-258489r959010_rule","severity":"medium","ruleTitle":"Google Android 13 must have the DOD root and intermediate PKI certificates installed (work profile only).","description":"DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the root and intermediate certificates are not available, an adversary could falsely sign a certificate in such a way that it could not be detected. Providing access to the DOD root and intermediate PKI certificates greatly diminishes the risk of this attack.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review device configuration settings to confirm that the DOD root and intermediate PKI certificates are installed (work profile only).\n \nThis procedure is performed on both the EMM Administration console and the managed Google Android 13 device. \n \nThe current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet). \n \nOn the EMM console verify that the DOD root and intermediate certificates are part of a device and/or work profile that is being pushed down to the devices.\n \nOn the managed Google Android 13 device: \n\n1. Open Settings. \n2. Tap \"Security & privacy\". \n3. Tap \"More security settings\".\n4. Tap \"Encryption & credentials\".\n5. Tap \"Trusted credentials\".\n6. Verify that DOD root and intermediate PKI certificates are listed under the User tab in the Work section.\n \nIf on the EMM console the DOD root and intermediate certificates are not listed in a profile, or the managed Android 13 device does not list the DOD root and intermediate certificates under the user tab, this is a finding.","fixText":"Configure the Google Android 13 device to install DOD root and intermediate certificates (work profile only). \n \nOn the EMM console upload DOD root and intermediate certificates as part of the work profile.\n \nThe current DOD root and intermediate PKI certificates may be obtained in self-extracting zip files at http://cyber.mil/pki-pke (for NIPRNet).","ccis":["CCI-000366"]},{"vulnId":"V-258490","ruleId":"SV-258490r959010_rule","severity":"medium","ruleTitle":"The Google Android 13 work profile must be configured to prevent users from adding personal email accounts to the work email app.","description":"If the user can add a personal email account (POP3, IMAP, EAS) to the work email app, it could be used to forward sensitive DOD data to unauthorized recipients. Restricting email account addition to the administrator or restricting email account addition to allowlisted accounts mitigates this vulnerability.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review the managed Google Android 13 work profile configuration settings to confirm that users are prevented from adding personal email accounts to the work email app. \n \nThis procedure is performed on both the EMM Administrator console and the managed Google Android 13 device. \n \nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Verify \"Disallow modify accounts\" is toggled to \"ON\".\n\nOn the managed Google Android 13 device: \n\n1. Open Settings.\n2. Tap \"Passwords & accounts\".\n3. Select \"Work\".\n4. Tap \"Add account\".\n5. Verify a message is displayed to the user stating, \"Blocked by your IT admin\".\n \nIf on the EMM console the restriction to \"Disallow modify accounts\" is not set, or on the managed Android 13 device the user is able to add an account in the Work section, this is a finding.","fixText":"Configure the Google Android 13 device to prevent users from adding personal email accounts to the work email app. \n \nOn the EMM console: \n\n1. Open \"Set user restrictions\".\n2. Toggle \"Disallow modify accounts\" to \"ON\".\n\nRefer to the EMM documentation to determine how to provision users' work email accounts for the work email app.","ccis":["CCI-000366"]},{"vulnId":"V-258491","ruleId":"SV-258491r959010_rule","severity":"medium","ruleTitle":"The Google Android 13 work profile must be configured to enforce the system application disable list (work profile only).","description":"The system application disables list controls user access to/execution of all core and preinstalled applications. \n \nCore application: Any application integrated into Google Android 13 by Google. \n \nPreinstalled application: Additional noncore applications included in the Google Android 13 build by Google or the wireless carrier. \n \nSome system applications can compromise DOD data or upload users' information to non-DOD-approved servers. A user must be blocked from using such applications that exhibit behavior that can result in compromise of DOD data or DOD user information. \n \nThe site administrator must analyze all preinstalled applications on the device and disable all applications not approved for DOD use by configuring the system application disable list.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review the managed Google Android 13 work profile configuration settings to confirm the system application disable list is enforced (work profile only). This setting is enforced by default. Verify only approved system apps have been placed on the core allowlist.\n \nThis procedure is performed on the EMM Administrator console. \n \nReview the system app allowlist and verify only approved apps are on the list.\n\n1. Open \"Apps management\" section.\n2. Select \"Hide apps on parent\".\n3. Verify package names of apps are listed.\n\nIf on the EMM console the system app allowlist contains unapproved core apps, this is a finding.","fixText":"Configure the Google Android 13 device to enforce the system application disable list (work profile only). \n\nThe required configuration is the default configuration when the device is enrolled. If the device configuration is changed, use the following procedure to bring the device back into compliance:\n\nOn the EMM console:\n\n1. Open \"Apps management\" section.\n2. Select \"Hide apps on parent\".\n3. Enter package names of apps to hide.\n\nConfigure a list of approved Google core and preinstalled apps in the core app allowlist.","ccis":["CCI-000366"]},{"vulnId":"V-258492","ruleId":"SV-258492r959010_rule","severity":"medium","ruleTitle":"Google Android 13 must be provisioned as a BYOAD device (Android work profile for employee-owned devices [BYOD]).","description":"The Android work profile for employee-owned devices (BYOD) is the designated application group for the BYOAD use case.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review that managed Google Android 13 is configured for BYOD (work profile for employee-owned devices [BYOD]).\n \nThis procedure is performed on both the EMM Administrator console and the managed Google Android 13 device. \n \nOn the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD).\n \nOn the managed Google Android 13 device: \n\n1. Go to the application drawer.\n2. Ensure a Personal tab and a Work tab are present.\n\nIf on the EMM console, the default enrollment is not set for BYOD (work profile for employee-owned devices [BYOD]), or if on the managed Android 13 device, the user does not have a Work tab, this is a finding.","fixText":"Configure the Google Android 13 device for BYOD (work profile for employee-owned devices [BYOD]).\n\nOn the EMM console, configure the default enrollment as work profile for employee-owned devices (BYOD).\n\nRefer to the EMM documentation to determine how to configure the device.","ccis":["CCI-000366"]},{"vulnId":"V-258493","ruleId":"SV-258493r959010_rule","severity":"medium","ruleTitle":"The Google Android 13 work profile must be configured to disable automatic completion of workspace internet browser text input.","description":"The autofill functionality in the web browser allows the user to complete a form that contains sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill functionality, an adversary who learns a user's Android 13 device password, or who otherwise can unlock the device, may be able to further breach other systems by relying on the autofill feature to provide information unknown to the adversary. By disabling the autofill functionality, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review the work profile Chrome Browser app on the Google Android 13 autofill setting.\n\nThis procedure is performed only on the EMM Administrator console. \n \nOn the EMM console:\n\n1. Open \"Managed Configurations\" section.\n2. Select the Chrome Browser version from the work profile.\n3. Verify \"SearchSuggestEnabled\" is turned \"OFF\".\n \nIf on the EMM console autofill is set to \"On\" in the Chrome Browser Settings, this is a finding.","fixText":"Configure the Chrome browser on the Google Android 13 device work profile to disable autofill.\n \nOn the EMM console:\n\n1. Open \"Managed Configurations\" section.\n2. Select the Chrome Browser version from the work profile.\n3. Ensure \"SearchSuggestEnabled\" is turned \"OFF\".\n\nRefer to the EMM documentation to determine how to configure Chrome Browser Settings.","ccis":["CCI-000366"]},{"vulnId":"V-258494","ruleId":"SV-258494r959010_rule","severity":"medium","ruleTitle":"The Google Android 13 work profile must be configured to disable the autofill services.","description":"The autofill services allow the user to complete text inputs that could contain sensitive information, such as personally identifiable information (PII), without previous knowledge of the information. By allowing the use of autofill services, an adversary who learns a user's Android 13 device password, or who otherwise can unlock the device, may be able to further breach other systems by relying on the autofill services to provide information unknown to the adversary. By disabling the autofill services, the risk of an adversary gaining further information about the device's user or compromising other systems is significantly mitigated. \n \nExamples of apps that offer autofill services include Samsung Pass, Google, Dashlane, LastPass, and 1Password.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review the Google Android 13 work profile configuration settings to confirm that autofill services are disabled. \n \nThis procedure is performed only on the EMM Administration console. \n \nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Verify \"Disallow autofill\" is toggled to \"ON\".\n \nIf on the EMM console \"disallow autofill\" is not selected, this is a finding.","fixText":"Configure the Google Android 13 device work profile to disable the autofill services. \n \nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Toggle \"Disallow autofill\" to \"ON\".","ccis":["CCI-000366"]},{"vulnId":"V-258495","ruleId":"SV-258495r959010_rule","severity":"high","ruleTitle":"Android 13 devices must have the latest available Google Android 13 operating system installed.","description":"Required security features are not available in earlier operating system versions. In addition, earlier versions may have known vulnerabilities.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review device configuration settings to confirm the Google Android device has the most recently released version of managed Google Android 13 installed. \n \nThis procedure is performed on both the EMM console and the managed Google Android 13 device.\n \nIn the EMM management console, review the version of Google Android 13 installed on a sample of managed devices. This procedure will vary depending on the EMM product. \n \nTo determine the installed operating system version on the managed Google Android 13 device: \n\n1. Open Settings.\n2. Tap \"About phone\".\n3. Verify \"Build number\".\n \nIf the installed version of the Google Android 13 operating system on any reviewed device is not the latest released by Google, this is a finding. \n\nGoogle's Android operating system patch website: https://source.android.com/security/bulletin/\n\nAndroid versions for Pixel devices: https://developers.google.com/android/images","fixText":"Install the latest released version of the Google Android 13 operating system on all managed Google devices.\n \nNote: Google Android device operating system updates are released directly by Google or can be distributed via the EMM. Check each device manufacturer and/or carriers for current updates.","ccis":["CCI-000366"]},{"vulnId":"V-258496","ruleId":"SV-258496r959010_rule","severity":"low","ruleTitle":"Android 13 devices must be configured to disable the use of third-party keyboards (work profile only).","description":"Many third-party keyboard applications are known to contain malware.\n\nSFR ID: FMT_SMF_EXT.1.1 #47","checkContent":"Review the managed Google Android 13 configuration settings to confirm that no third-party keyboards are enabled (work profile only). \n \nThis procedure is performed on the EMM console.\n \nOn the EMM console:\n\n1. Open \"Input methods\".\n2. Tap \"Set input methods\".\n3. Verify only the approved keyboards are selected.\n\nIf unapproved third-party keyboards are allowed in the work profile, this is a finding.","fixText":"Configure the Google Android 13 device to disallow the use of third-party keyboards (work profile only). \n \nOn the EMM console:\n\n1. Open \"Input methods\".\n2. Tap \"Set input methods\".\n3. Select only the approved keyboards.\n\nAdditionally, admins can configure application allowlists for Google Play so no third-party keyboards are available for user installation.","ccis":["CCI-000366"]},{"vulnId":"V-258497","ruleId":"SV-258497r959010_rule","severity":"medium","ruleTitle":"The Google Android 13 must allow only the administrator (EMM) to install/remove DOD root and intermediate PKI certificates (work profile).","description":"DOD root and intermediate PKI certificates are used to verify the authenticity of PKI certificates of users and web services. If the user is allowed to remove root and intermediate certificates, the user could allow an adversary to falsely sign a certificate in such a way that it could not be detected. Restricting the ability to remove DOD root and intermediate PKI certificates to the Administrator mitigates this risk.\n\nSFR ID: FMT_MOF_EXT.1.2 #47","checkContent":"Review the device configuration to confirm that the user is unable to remove DOD root and intermediate PKI certificates (work profile).\n\nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Verify \"Disallow config credentials\" is toggled to \"ON\".\n\nOn the Google Android 13 device:\n\n1. Open Settings.\n2. Tap \"Security and privacy\".\n3. Tap \"More security settings\".\n4. Tap \"Encryption & credentials\".\n5. Tap \"Trusted credentials\".\n6. Verify the user is unable to untrust or remove any work certificates.\n \nIf the user can remove certificates on the Google Android 13 device, this is a finding.","fixText":"Configure Google Android 13 device to prevent a user from removing DOD root and intermediate PKI certificates (work profile).\n\nOn the EMM console:\n\n1. Open \"Set user restrictions\".\n2. Toggle \"Disallow config credentials\" to \"ON\".","ccis":["CCI-000366","CCI-000370"]},{"vulnId":"V-276957","ruleId":"SV-276957r1134303_rule","severity":"high","ruleTitle":"All Google Android 13 BYOAD installations must be removed.","description":"Google Android 13 BYOAD is no longer supported by Google and therefore may contain security vulnerabilities.\n\nSatisfies: FMT_MOF_EXT.1.2 #47\nReference: PP-MDF-990000","checkContent":"Verify there are no installations of Google Android 13 BYOAD at the site.\n\nIf Google Android 13 BYOAD is being used at the site, this is a finding.","fixText":"Remove all installations of Google Android 13 BYOAD.","ccis":["CCI-000366"]}]}