NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Avast Workspace v3.4

Certificate Date:  2017.06.01

Validation Report Number:  CCEVS-VR-VID10779-2017

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.2

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

A Virtual Mobile Platform (VMP) client streams standard mobile apps to any device-- hosting the data on a secure server.  Mobile applications run on the secure server and no data is transferred from the server and stored on the physical mobile device.  The VMP client presents only the interface offered by the VMP server and ensures that communication with the server utilizes secured protocols.

The TOE when executed, connects to the specified Avast Virtual Mobile Infrastructure (VMI) server, authenticating the server's certificate received while negotiating the HTTPS or TLS session.  The TOE is responsible only for protecting data-in-transit between the physical mobile device and the VMP server.

Evaluated Configuration

The evaluated configuration consists of the the Avast Virtual Mobile Platform (VMP) Client, version 3.4.  The TOE is the Virtual Mobile Platform Client application for Android and iOS platforms.  The TOE is a thin client providing access to an Avast Virtual Mobile Infrastructure (VMI) server from a mobile device.  The TOE runs on evaluated Samsung Galaxy S7, S7 Edge, S6, S6 Edge, Note 4, Note 5, Note Edge and Tab S2 devices running Android 6.0.1.  The TOE also runs on evaluated Apple iOS 9.3.2 on iPhone and iPad devices using the A7 or A8 processor.

Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012.  The product, when delivered and configured as identified in the Avast Avast Workspace User’s Guide, Version 3.4, May 2017 document, satisfies all of the security functional requirements stated in the Avast Virtual Mobile Platform Client (ASPP12) Security Target, Version 0.5, May 30, 2017.  The project underwent CCEVS Validator review.  The evaluation was completed in May 2017.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10779-2017) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the Avast Virtual Mobile Platform Client are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic support:

The VMP client utilizes platform APIs to provide secure network communication using the HTTPS and TLS protocols. 

User data protection:

The VMP client does not store sensitive data in local files.  The VMP client can access most physical resources on the mobile device, but none of the logical data repositories. 

Identification and authentication:

The VMP client utilizes platform provided functionality to verify certificates authenticating network endpoints.  The iOS platform support Online Certificate Status Protocol (OCSP) while the Android platform supports both OSCP and Certificate Revocation List (CRL).

Security management:

The VMP client does not include any predefined or default credentials, and utilize the platform recommended storage process for configuration options.


The VMP client does not collect any Personally Identifiable Information (PII) and does not transmit any PII over a network.

Protection of the TSF:

The VMP client relies on the physical boundary of the evaluated platform as well as the Android and iOS operating system for the protection of the TOE’s application components.  The VMP client also makes use of specific 3rd party libraries to support WebRTC.  All compiled VMP client code is designed to utilize compiler provided anti-exploitation capabilities.  The VMP client application is available through the Google Playstore and the Apple store.

Trusted path/channels:

The VMP client utilizes platform API to establish HTTPS and TLS connections to a VMP server.

Vendor Information

Avast Software, Inc
Michael Ichiriu
Site Map              Contact Us              Home