Google Android 12 must be configured to disable exceptions to the access control policy that prevent [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-250435	GOOG-12-008900	SV-250435r802669_rule		Medium

Description
App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

Description

App data sharing gives apps the ability to access the data of other apps for enhanced user functionality. However, sharing also poses a significant risk that unauthorized users or apps will obtain access to DoD sensitive information. To mitigate this risk, there are data sharing restrictions, primarily from sharing data from personal (unmanaged) apps and work (managed) apps. If a user is allowed to make exceptions to the data sharing restriction policy, the user could enable unauthorized sharing of data, leaving it vulnerable to breach. Limiting the granting of exceptions to either the Administrator or common application developer mitigates this risk. Copy/paste of data between applications in different application processes or groups of application processes is considered an exception to the access control policy and therefore, the Administrator must be able to enable/disable the feature. Other exceptions include allowing any data or application sharing between process groups. SFR ID: FMT_SMF_EXT.1.1 #42, FDP_ACF_EXT.1.2

STIG	Date
Google Android 12 COPE Security Technical Implementation Guide	2021-09-17

Details

Check Text ( C-53870r802667_chk )
Review documentation on the managed Google Android 12 device and inspect the configuration on the Google Android device to verify the access control policy that prevents [selection: application processes] from accessing [selection: all] data stored by other [selection: application processes] is enabled. This validation procedure is performed only on the EMM Administration Console. On the EMM console: COPE: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Verify that "Disallow cross profile copy/paste" is toggled to ON. 4. Verify that "Disallow sharing data into the profile" is toggled to ON. If the EMM console device policy is not set to disable data sharing between profiles, this is a finding.

Check Text ( C-53870r802667_chk )

Review documentation on the managed Google Android 12 device and inspect the configuration on the Google Android device to verify the access control policy that prevents [selection: application processes] from accessing [selection: all] data stored by other [selection: application processes] is enabled.

This validation procedure is performed only on the EMM Administration Console.

On the EMM console:

COPE:

1. Open "User restrictions".
2. Open "Set user restrictions".
3. Verify that "Disallow cross profile copy/paste" is toggled to ON.
4. Verify that "Disallow sharing data into the profile" is toggled to ON.

If the EMM console device policy is not set to disable data sharing between profiles, this is a finding.

Fix Text (F-53824r802668_fix)
Configure the Google Android 12 device to enable the access control policy that prevents [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes]. Note: All application data is inherently sandboxed and isolated from other applications. In order to disable copy/paste on the EMM Console: COPE: 1. Open "User restrictions". 2. Open "Set user restrictions". 3. Toggle "Disallow cross profile copy/paste" to ON. 4. Toggle "Disallow sharing data into the profile" to ON.

Fix Text (F-53824r802668_fix)

Configure the Google Android 12 device to enable the access control policy that prevents [selection: application processes, groups of application processes] from accessing [selection: all, private] data stored by other [selection: application processes, groups of application processes].

Note: All application data is inherently sandboxed and isolated from other applications. In order to disable copy/paste on the EMM Console:

COPE:

1. Open "User restrictions".
2. Open "Set user restrictions".
3. Toggle "Disallow cross profile copy/paste" to ON.
4. Toggle "Disallow sharing data into the profile" to ON.