| V-43820 | Medium | Apple iOS must disallow more than an organizationally-defined quantity of sequential numbers (e.g., 456) in the device unlock password.
| Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute-force attack. Passwords with sequential numbers (e.g., 456 or 987) are considered... |
| V-43223 | Medium | Apple iOS must not allow non-DoD applications to access DoD data. | Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes, but are not approved to handle DoD sensitive... |
| V-43222 | Medium | Apple iOS must not allow the device to be unlocked using a fingerprint. | TouchID is a fingerprint reader that has been installed on the iPhone 5s. This fingerprint reader can be used to authenticate the user in order to unlock the mobile device. At this time, no... |
| V-43221 | Medium | Apple iOS must not display calendar information while the device is locked. | If the mobile operating system were to display notifications or calendar information on the lock screen, an adversary may be able to gather sensitive data without needing to unlock the device.... |
| V-43220 | Medium | Apple iOS must not display notifications while the device is locked. | If the mobile operating system were to display notifications or calendar information on the lock screen, an adversary may be able to gather sensitive data without needing to unlock the device.... |
| V-43209 | Medium | Apple iOS must wipe all storage media after 10 consecutive, unsuccessful attempts to unlock the mobile device. | Mobile devices present additional risks related to attempted unauthorized access. If they are lost, stolen, or misplaced, attempts can be made to unlock the device by guessing the password. Once... |
| V-43208 | Medium | Only DoD PKI issued or DoD approved server authentication certificates must be installed on DoD mobile operating system devices. | If unauthorized device authentication certificates are installed on the device, there is the potential that the device may connect to a rogue device or network. Rogue devices can mimic the... |
| V-43225 | Medium | Apple iOS must have Airdrop disabled. | An Airdrop feature is a way to send contact information or photos to other users with this same feature enabled. This feature enables a possible attack vector for adversaries to exploit. Once the... |
| V-43224 | Medium | Apple iOS must encrypt iTunes backups. | When syncing an iOS device to a computer running iTunes, iTunes will prompt the user to back up the iOS device. If the performed backup is not encrypted, this could lead to the unauthorized... |
| V-43205 | Medium | Apple iOS must lock the device after 15 minutes of inactivity. | The device lock function prevents further access to the system by initiating a session lock after a period of inactivity or upon receiving a request from a user. The device lock is retained until... |
| V-43207 | Medium | Apple iOS must enforce a minimum length of 6 for the device unlock password. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts... |
| V-43218 | Medium | Apple iOS must not automatically upload new photos to iCloud.
| A cloud photo sharing feature may gather user's information such as PII, or sensitive photos. With this feature enabled, sensitive photos will be backed up to the manufacturer's servers and... |
| V-43219 | Medium | Apple iOS must not create photo streams to share with other people, or subscribe to other peoples shared photo streams.
| A cloud photo stream is a shared photo folder that other users may access at any time. A cloud photo streaming feature may gather the user's sensitive photos. With this feature enabled, sensitive... |
| V-43226 | Medium | An iOS app must display the DoD notice and consent banner exactly as specified at startup device unlock. | To ensure notice of and consent to the terms of the DoD standard user agreement, the iOS device must contain an app that displays the DoD notice and consent banner. To best ensure the... |
| V-43234 | Medium | The iOS app used to support the DoD notice and consent banner must either prevent access to a frequently used service or notify another device that acceptance of the user agreement has occurred. | If a user is able to deny either that he or she has used the app or that he or she provided the requisite consent within the app, then the app will not properly support the investigative and... |
| V-43212 | Medium | Apple iOS must disable voice-activated assistant functionality when the device is locked (Siri). | On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this... |
| V-43213 | Medium | Apple iOS must disable voice-activated assistant functionality when the device is locked (Voice Dialing). | On iOS devices, users can access the device's contact database or calendar to obtain phone numbers and other information using a human voice even when the mobile device is locked. Often this... |
| V-43210 | Medium | Apple iOS must employ mobile device management services to centrally manage security relevant configuration and policy settings. | Security related parameters are those parameters impacting the security state of the system and include parameters related to the implementation of other IA controls. If these controls are not... |
| V-43211 | Medium | Apple iOS must require a valid password be successfully entered before the mobile device data is unencrypted. | Encryption is only effective if the decryption procedure is protected. If an adversary can easily access the private key (either directly or through a software application), sensitive DoD data is... |
| V-43216 | Medium | Apple iOS must have cloud document syncing features disabled. | A cloud document syncing feature may gather user's information, such as PII or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers... |
| V-43217 | Medium | Apple iOS must have cloud keychain syncing features disabled. | The iCloud Keychain is an iOS function that will store users' account names and passwords in iCloud, then sync this data between the users' Macs, iPhones, and iPads. An adversary may use any of... |
| V-43215 | Medium | Apple iOS must have the cloud backup feature disabled. | A cloud backup feature may gather user's information such as PII, or sensitive documents. With this feature enabled, sensitive information will be backed up to the manufacturer's servers and... |
| V-43228 | Low | Apple iOS must synchronize the internal clock at least once every 24 hours with an authoritative time server or the Global Positioning System. | Determining the correct time a particular application event occurred on a system is critical when conducting forensic analysis and investigating system events.
Periodically synchronizing... |
| V-43227 | Low | An iOS app must retain the notice and consent banner on the screen until the user executes a positive action to manifest agreement by selecting a box indicating acceptance. | To ensure notice of and consent to the terms of the DoD standard user agreement, an iOS app must display a consent banner. Additionally, the app must prevent further activity in the application... |
| V-43230 | Low | Apple iOS must not allow diagnostic data to be sent to an organization other than DoD. | The sending of diagnostic data back to the manufacturer is prohibited in the DoD. Sending this data to an organization other than DoD is termed a “phone-home” vulnerability. This setting may... |
| V-43231 | Low | Apple iOS must limit advertisers tracking abilities. | Advertisers tracking abilities refers to the advertisers ability to categorize the device and spam the user with ads that are most relevant to the users preferences. By not “Force limiting ad... |
| V-43232 | Low | Apple iOS must not allow DoD applications to access non-DoD data. | Managed apps have been approved for the handling of DoD sensitive information. Unmanaged apps are provided for productivity and morale purposes, but are not approved to handle DoD sensitive... |
| V-43233 | Low | Apple iOS must disable automatic completion of Safari browser passcodes. | The AutoFill functionality in the Safari web browser allows the user to complete a form that contains sensitive information, such as PII, without previous knowledge of the information. By allowing... |
| V-43229 | Low | Apple iOS must disable screen capture. | By allowing the screen capture function, a user has the ability to capture a screen containing sensitive information and then transfer it to an application not authorized to store or process that... |
