NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Apple iOS 12

Certificate Date:  2019.03.14

Validation Report Number:  CCEVS-VR-VID10937-2019

Product Type:    Wireless LAN
   Virtual Private Network
   Mobility

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Extended Package for Mobile Device Management Agents Version 3.0
  PP-Module for VPN Client Version 2.1
  Protection Profile for Mobile Device Fundamentals Version 3.1
  Extended Package for Wireless LAN Client Version 1.0

CC Testing Lab:  atsec information security corporation

Maintenance Release:
CC Certificate [PDF] Security Target [PDF] * Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


* This is the Security Target (ST) associated with the latest Maintenance Release.  To view previous STs for this TOE, click here.

Product Description

The Target of Evaluation (TOE) is Apple iOS 12 on iPhone and iPad devices using the A8/A8X processor (iPhone 6, iPhone 6 Plus, iPad mini 4, iPad Air 2), A9/A9X processor (iPhone 6s Plus, iPhone 6s, iPhone SE, iPad 9.7-inch, iPad Pro 12.9-inch), A10 Fusion/A10X Fusion processor (iPhone7 Plus, iPhone 7, iPad 9.7-inch, iPad Pro 12.9-inch, iPad Pro 10.5-inch), A11 Bionic processor (iPhone 8, iPhone 8 Plus, iPhone X), A12 Bionic (iPhone XS, iPhone XS Max, iPhone XR), A12X Bionic (iPad Pro 11-inch, iPad Pro 12.9-inch)


Evaluated Configuration

Devices Covered by the Evaluation

Processor

Device Name

Model Number

A8

iPhone 6

A1549

A1586

A1589

iPhone 6 Plus

A1522

A1524

A1593

iPad mini 4

A1538

A1550

A8X

iPad Air 2

A1566

A1567

A9

iPhone 6s

A1633

A1688

A1691 (China)

A1700 (China)

iPhone 6s Plus

A1634

A1687

A1690 (China)

A1699 (China)

iPhone SE

A1662

A1723 (China)

A1724 (China)

iPad 9.7-inch

(5th generation)

A1822

A1823

A9X

iPad Pro 12.9-inch

A1584

A1652

iPad Pro 9.7-inch

A1673

A1674

A1675

A10 Fusion

iPhone 7

 

A1660

A1779 (Japan)

A1780 (China)

A1778

iPhone 7 Plus

A1661

A1785 (Japan)

A1786 (China)

A1784

iPad 9.7-inch
(6th generation)

A1893

A1954

A10X Fusion

iPad Pro 12.9-inch (2nd generation)

A1670

A1671

A1821 (China)

iPad Pro 10.5-inch

A1701

A1852 (China)

A1709

A11 Bionic

iPhone 8

 

A1863

A1906 (Japan)

A1907

A1905 (GSM)

iPhone 8 Plus

A1864

A1898 (Japan)

A1899

A1897 (GSM)

iPhone X

A1865 (Japan)

A1902 (Japan)

A1903 (Japan)

A1901

A12 Bionic

iPhone XS

A1920 (US/CA/HK)

A2097

A2098 (Japan)

A2099 (Global)

A2100 (China)

iPhone XS Max

A1921 (US/CA)

A2101 (Global)

A2102 (Japan)

A2103 (Global)

A2104 (China/HK)

iPhone XR

A1984 (US/CA)

A2105 (Global)

A2106 (Japan)

A2107 (US/CA)

A2108 (HK/China)

A12X Bionic

iPad Pro 11-inch

A1934 (US/CA)

A1979 (China)

A1980

A2013 (US/CA)

iPad Pro 12.9-inch

A2014 (US/CA)

A1876

A1895

A1983 (China)


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which Apple iOS 12 were judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R5. The evaluation methodology used by the evaluation team to conduct the evaluation was the Common Methodology for Information Technology Security Evaluation, Version 3.1 R5. The product, when delivered and configured as identified in the Apple iPad and iPhone Mobile Devices with iOS 12 Common Criteria Configuration Guide, meets the requirements of the Protection Profile for Mobile Device Fundamentals Version 3.1; the Extended Package for Mobile Device Management Agents Version 3.0; the Mobile Device Fundamentals Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN) Client Version 1.0; the PP-Module for Virtual Private Network (VPN) Clients Version 2.1.

 

Apple iPad and iPhone Mobile Devices with iOS 12

The Apple iPad and iPhone Mobile Devices with iOS 12 Common Criteria Configuration Guide document satisfies all of the security functional requirements stated in the Apple iPad and iPhone Mobile Devices with iOS 12 Security Target V1.6. The evaluation project was subject to CCEVS Validator review. The evaluation was completed in March 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report number CCEVS-VR-VID10937-2019, prepared by CCEVS.

 


Environmental Strengths

Cryptographic Support

The TOE provides cryptographic services for the encryption of data-at rest, for secure communication channels, and for use by applications. In addition, the TOE implements a number of cryptographic protocols that can be used to establish a trusted channel to other IT entities.

As noted in the Security Target, section 1.5.2.1 the TOE provides cryptographic services via the following cryptographic modules.

·         Apple CoreCrypto Cryptographic Module for ARM, v9.0 (User Space)

·         Apple CoreCrypto Cryptographic Kernel Module for ARM, v9.0 (Kernel Space)

·         Apple Secure Key Store Cryptographic Module, v9.0

Identification and Authentication

Except for making emergency calls, answering calls, using the cameras, and using the flashlight, users need to authenticate using a passcode or a biometric authentication factor (BAF) (fingerprint or face). On power up, or after an update of iOS the user is required to use the passcode authentication mechanism.

The passcode can be configured for a minimum length, for dedicated passcode policies, and for a maximum life time. When entered, passcodes are obscured and the frequency of entering passcodes is limited as well as the number of consecutive failed attempts of entering the passcode.

The TOE also enters a locked state after a (configurable) time of user inactivity and the user is required to either enter the passcode or use biometric authentication (fingerprint or face) to unlock the TOE.

External entities connecting to the TOE via a secure protocol (Extensible Authentication Protocol Transport Layer Security (EAP-TLS), Transport Layer Security (TLS) and IPsec can be authenticated using X.509 certificates.

User Data Protection

User data in files is protected using cryptographic functions, ensuring this data remains protected even if the device gets lost or is stolen. Critical data, like passcodes used by applications or application defined cryptographic keys, can be stored in the key chain, which provides additional protection. Passcode protection and encryption ensure that data-at-rest remains protected even in the case of the device being lost or stolen.

The Secure Enclave Processor (SEP), a separate CPU that executes a stand-alone operating system and has separate memory, provides protection for critical security data such as keys.

Data can also be protected such that only the application that owns the data can access it.

Security Management

The security functions listed in the Security Target can be managed either by the user or by an authorized administrator through a Mobile Device Management (MDM) system. The Security Target identifies the functions that can be managed and indicates if the management can be performed by the user, by the authorized administrator, or both.

TOE Security Functionality (TSF) Protection

Some of the functions the TOE implements to protect the TSF and TSF data are:

·         Protection of cryptographic keyskeys used for TOE internal key wrapping and for the protection of data-at-rest are not exportable. There are provisions for fast and secure wiping of key material.

·         Use of memory protection and processor states to separate applications and protect the TSF from unauthorized access to TSF resourcesin addition, each device includes a separate system called the "secure enclave" which is the only system that can use the Root Encryption Key (REK). The secure enclave is a separate CPU that executes a stand-alone operating system and has separate memory.

·         Digital signature protection of the TSF imageall updates to the TSF need to be digitally signed.

·         Software/firmware integrity self-test upon start-upthe TOE will not go operational when this test fails.

·         Digital signature verification for applications

·         Access to defined TSF data and TSF services only when the TOE is unlocked

TOE Access

The TSF provides functions to lock the TOE upon request and after an administrator-configurable time of inactivity.

Access to the TOE via a wireless network is controlled by user/administrator defined policy.

Trusted Path/Channels

The TOE supports the use of the following cryptographic protocols that define a trusted channel between itself and another trusted IT product:

·         IEEE 802.11-2012

·         IEEE 802.1X

·         EAP-TLS (1.0, 1.1, 1.2)

·         TLS (1.2)

·         IPsec

·         Bluetooth (4.0, 4.2, 5.0)

Security Audit

The TOE provides the ability for responses to be sent from the MDM Device Agent to the MDM Server. These responses are configurable by the organization using a scripting language given in the Over-the-Air Profile Delivery and Configuration document.


Vendor Information


Apple Inc.
Shawn Geddis
1 (669) 227-3579
1 (866) 315-1954
geddis@apple.com

www.apple.com
Site Map              Contact Us              Home