Compliant Product - Nubo Software Thin Client v2.0
Certificate Date: 2018.07.23CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID10886-2018
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.2
CC Testing Lab: Acumen Security
The TOE (Nubo Software Thin Client v2.0) is classified as a thin client executing on mobile devices that provides the user interface to virtual mobile applications executing on Nubo Software’s VMI servers. The TOE runs on evaluated Samsung Galaxy S7 and S7 Edge devices running Android 6.0.1. The TOE is an application from the Google Play store installed and executing on a mobile device. Thus, the TOE is considered to be a thin client, Virtual Mobile Infrastructure (VMI) and Application Software as defined in PP_APP_v1.2.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Nubo Software Thin Client was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. Acumen Security determined that the evaluation of this product is both Common Criteria Part 2 Extended and Part 3 Conformant, and meets the assurance requirements defined in the Protection Profile for Application Software Version 1.2 . The product, when delivered configured as identified in the Nubo Software Thin Client Thin Client Common Criteria Addendum V1.2, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in June 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.
The TOE relies on underlying cryptographic functionality provided by the platform for all of its cryptographic operations. In the evaluated configuration the TOE will be running on the following CC validated platforms such as Samsung Galaxy S7 and S7 Edge (VID10739).
User Data Protection
The TOE does not store sensitive data in local files. The TOE can access physical resources on the mobile device, but does not access any of the logical data repositories.
Identification and Authentication
The TOE utilizes underlying Android functionality to authenticate certificates for the Management Server and Gateway.
The TOE does not come with any default credentials, and no user credentials are stored by the TOE.
Protection of the TSF
The TOE implements anti-exploitation measures to protect against compromise during execution. The Android platform also provides protection for the TOE. Secure delivery of the TOE is accomplished through delivery via the Google Play store.
The TOE requests PII including, first and last name when creating a new Nubo account. A warning is displayed on the page indicating that this information will be transferred over the network. The user may additionally supply PII when interacting with applications in the Nubo VMI, but the TOE simply transparently transmits this data and is unaware of the nature of the data.
The TOE establishes trusted channels using HTTPS/TLS to the Management Server and Gateway.
Nubo Software Inc