Rule ID
SV-276650r1139472_rule
Version
V1R2
CCIs
CCI-001090
Backups to remote systems (including cloud backup) can leave data vulnerable to breach on the external systems, which often offer less protection than the MOS. Where the remote backup involves a cloud-based solution, the backup capability is often used to synchronize data across multiple devices. In this case, DOD devices may synchronize DOD sensitive information to a user's personal device or other unauthorized computers that are vulnerable to breach. The Data Sync Framework allows apps to synchronize data between the mobile device and other web-based services. This uses accounts for services the user has added to the mobile device. Preventing the user from adding accounts to the device mitigates this risk. For COBO/COPE (work profile) data cannot be backed up remotely via Backup Services. Work (profile) data could be backed up thru adding an account to an app that supports the data sync framework; however, this is mitigated by preventing adding any accounts to the Work profile. SFR ID: FMT_SMF_EXT.1.1 #40 SFR ID: FMT_SMF.1.1 #40
Verify requirement KNOX-16-009200 (disallow modify accounts) has been implemented. If "disallow modify accounts" has not been implemented, this is a finding.
Disallow modify accounts (refer to requirement KNOX-16-009200). API: addUserRestriction, DISALLOW_MODIFY_ACCOUNTS