Compliant Product - VMware Workspace ONE Boxer Email Client 5.4
Certificate Date: 2019.06.27
Validation Report Number: CCEVS-VR-VID10840-2019
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Extended Package for Email Clients v2.0
Protection Profile for Application Software Version 1.2
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
Boxer is an email client application software product that is installed on a mobile device platform. The Boxer application containerizes enterprise data, separating it from personal data that resides on the user’s mobile device. Boxer supports the use of Exchange, Office 365, Outlook, Gmail, Yahoo and Cloud email services. Enterprise management support only applies to the use of Exchange.
The TOE is the VMware Workspace ONE Boxer Email Client product installed on a mobile device.
In the evaluated configuration, the TOE is installed on a mobile device running iOS 11 (VID10851) as well as a mobile device host running Android 8.0 (VID10898). The mobile device that the TOE is installed on is managed by a Mobile Device Management software product called VMware Workspace ONE Unified Endpoint Management (UEM). UEM consists of a server and an agent that resides on the mobile device. The UEM agent is used to enroll the mobile device with the UEM server so that it can be managed by the UEM server. The UEM agent also consumes policy and configuration information for the device and for VMware applications operating on the device, such as Boxer, and provides status and policy information about the mobile device to the UEM server. The operating system, UEM agent, and UEM server are considered part of the operational environment.
Boxer uses ActiveSync to communicate with the Exchange server, and this communication is protected using TLS v1.2. The Exchange server resides in the operational environment and is used for sending and receiving enterprise data such as email, calendar information and appointment data. When the TOE is installed on an iOS device, it invokes the mobile device platform to validate X.509v3 certificates using OCSP. When installed on an Android device, the TOE uses its OpenSSL module to validate the certificates using OCSP. The OCSP responder is also considered part of the operational environment.
The following lists components and applications in the environment that the TOE relies upon in order to function properly:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. VMware Workspace ONE Boxer Email Client 5.4 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the VMware Workspace ONE Boxer Email Client 5.4 Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in June 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Depending on which OS the application is installed on, the TOE either invokes the underlying platform or implements its own cryptographic module to perform cryptographic services. All cryptographic mechanisms, whether platform or application provided, use DRBG functionality to support cryptographic operations. Cryptographic functionality includes encryption/decryption services, credential/key storage, key establishment, key destruction, hashing services, signature services, keyed-hash message authentication, and key chaining using a password-based derivation function.
Cryptographic services for the application’s S/MIME functionality and TLS communications are provided by the underlying platform when the application is installed on a device running iOS. When installed on a device running the Android OS, the TOE invokes the underlying platform cryptographic libraries for TLS communications and implements an OpenSSL cryptographic module to perform the cryptographic functionality required to support S/MIME (consolidated Certificate number C631).
User Data Protection
The TOE uses S/MIME to digitally sign, verify, decrypt, and encrypt email messages. The TOE stores all application data in an encrypted Boxer database which is created on the mobile device during installation. The TOE requires that the host platform have full disk encryption enabled to securely store the data. The TOE restricts its network access and provides user awareness when it attempts to access hardware resources and sensitive data stored on the host platform. The TOE displays notification icons that show S/MIME status. Each status is shown as a different color so that the user can quickly identify any issues.
The TOE validates X.509v3 certificates for TLS communication to the Exchange server. X.509v3 certificates are also used for signing and encrypting emails for S/MIME. The TOE application, regardless of platform, performs the certificate validation using OCSP.
The TOE enforces the application’s enterprise policy, which is set by the UEM administrator and pushed out to the managed devices. The TOE does not use default passwords, and automatically installs and configures the application to protect itself and its data from unauthorized access while also implementing the recommended platform security mechanisms. Changing one’s own password from the application is the only management function that can be performed by the owner/user of the mobile device with the TOE installed.
The TOE does not transmit any personally identifiable information (PII) over the network unless voluntarily sent via free text email.
Protection of the TSF
The TOE does not support the installation of trusted or untrusted add-ons. The user is able to navigate the platform to check the version of the TOE and also check for updates to the application. All updates come from the Google Play Store (Android) or Apple Store (iOS). The digital signature of the updates is verified by the mobile device platform prior to being installed. The TOE does not replace or modify its own binaries without user interaction. The TOE implements anti-exploitation features, such as stack-based overflow protection, is compatible with security features provided by the OS, and will only use documented APIs and libraries.
The TOE invokes the platform to provide the trusted communication channel between the TOE and the Exchange server. Communications are protected with TLS v1.2. Communication to the Exchange server uses ActiveSync to send and receive emails. The TOE, in conjunction with the platform, supports mutual authentication using X.509v3 certificates for TLS communications.