NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - HTC A9, Secured by D4

Certificate Date:  2017.05.25

Validation Report Number:  CCEVS-VR-VID10776-2017

Product Type:    Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Mobile Device Fundamentals Version 2.0

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Target of Evaluation (TOE) is the HTC A9 Secured by Cog Systems D4 Secure Mobile device.  The D4 Secure is a smartphone based upon HTC A9 hardware, which uses Qualcomm System on a Chip (SoC) (Snapdragon 617, MSM8952).  This is a custom built smartphone intended to support military and civil service users.

Evaluated Configuration

The evaluated configuration consists of one D4 Secure smartphone based upon HTC A9 hardware which uses Qualcomm SoCs (Snapdragon 617, MSM8952).



Security SW Version

OS Version

HTC Software Version Number




Android v6.0.1


Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012.  Gossamer Security Solutions determined that the evaluation assurance level (EAL) for the TOE is EAL 1.  The product, when delivered and configured as identified in the HTC A9, Secured By D4 Administrator Guide Instructions, Version 0.34, 6 March 2017 document, satisfies all of the security functional requirements stated in the HTC A9, Secured by Cog Systems D4 (MDFPP20) Security Target, Version 0.5, May 12, 2017.  The project underwent CCEVS validator review.  The evaluation was completed in May 2017.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10776-2017) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the HTC A9, Secured by Cog Systems D4 are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic support:

The TOE includes multiple instances of the OpenSSL cryptographic library with CAVP validated algorithms supporting a range of cryptographic functions including: asymmetric key generation and establishment, symmetric key generation, encryption/decryption, cryptographic hashing and keyed-hash message authentication. These functions are supported with random bit generation, key derivation, salt generation, initialization vector generation, secure key storage, and key and protected data destruction. These primitive cryptographic functions are used to implement security protocols such as TLS and HTTPS and to encrypt the media (including the generation and protection of data, keys, and key encryption keys) used by the TOE. Many of these cryptographic functions are also accessible as services to applications running on the TOE.

User data protection:

The TOE controls access to system services by hosted applications, including protection of the Trust Anchor Database. Additionally, the TOE protects user and other sensitive data using encryption so that even if a device is physically lost, the data remains protected.

Identification and authentication:

The TOE supports features related to identification and authentication. From a user perspective, except for limited functions such as making phone calls to an emergency number and receiving notifications, a password (i.e., Password Authentication Factor) must be correctly entered to unlock the TOE. Also, even if the TOE is unlocked the password must be re-entered to change the password. Passwords are obscured when entered so they cannot be read from the TOE's display. The TOE limits the frequency of password entry such that when a pre-configured number of login failures is exceeded, the TOE performs a full wipe of protected content. Passwords can be constructed using upper and lower case characters, numbers, and special characters. Passwords up to 14 characters in length are supported.

The TOE serves as an IEEE 802.1X supplicant and can use X509v3 certificates and perform certificate validation for a functions such as EAP-TLS, TLS, and HTTPS exchanges.

Security management:

The TOE provides all the interfaces necessary to manage the security functions claimed in the corresponding Security Target (and conforming to the MDFPP requirements) as well as other functions commonly found in mobile devices. Some functions are available only to the mobile device users while others are restricted to administrators operating through a Mobile Device Management (MDM) solution if the TOE has been enrolled in an MDM. Once the TOE has been enrolled and then un-enrolled, it performs a full wipe of protected data to complete the un-enrollment.

Protection of the TSF:

The TOE implements features to protect itself to ensure the reliability and integrity of its security features. It protects sensitive data such as cryptographic keys so that they are not accessible or exportable. It has access to a timing mechanism to ensure that reliable time information is available (e.g., for cryptographic operations and user accountability). It enforces read, write, and execute memory page protections, uses address space layout randomization and stack-based buffer overflow protections to minimize the potential to exploit application flaws. Those features help to protect the TOE from modification by applications as well as to isolate the address spaces of applications from one another to protect those applications. The TOE employs a Secure Boot process that uses cryptographic signatures to ensure the authenticity and integrity of the bootloader, and the secure boot partition produced by Cog.  The cryptographic signatures utilize data fused into the device processor.

The TOE includes functions to perform self-tests and software/firmware integrity checking so that it might detect if it is failing or corrupt. If any self-test fails, the TOE does not enter an operational mode. The TOE includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE. Digital signature checking also extends to verifying applications prior to their installation.

TOE Access:

The TOE can be locked, either by a user or after a configured interval of inactivity, thereby obscuring its display. The TOE has the capability to display an advisory message (banner) when users unlock the TOE for use.

The TOE is able to attempt to connect to wireless networks as configured.

Trusted path/channels:

The TOE supports the use of IEEE 802.11-2012, IEEE 802.1X, and/or EAP-TLS to secure communications channels between itself and other trusted network devices.

Vendor Information

Cog Systems
Dan Potts
+1-855-662-7234 (US)
1300-061864 (AUS)
Site Map              Contact Us              Home