NIAP: Compliant Product
NIAP/CCEVS
Compliant Product - Apple iOS 14 and iPadOS 14: Safari

Certificate Date:  2021.08.20

Validation Report Number:  CCEVS-VR-VID11192-2021

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Application Software Version 1.3
  Extended Package for Web Browsers v2.0

CC Testing Lab:  Acumen Security




Product Description

The TOE is the Apple iOS and iPadOS Safari application which runs on iPad and iPhone devices. The product provides access to HTTPS/TLS connections via a browser for user connectivity.

Note: The TOE is the Safari software only. The Apple iOS and iPadOS operating systems have been separately validated.

The TOE is an application on a mobile operating system. The TOE is the Safari browser application only. The Apple iOS and iPadOS operating systems have been separately validated against the Protection Profile for Application Software v1.3 and Application Software Extended Package for Web Browsers v2.0. The mobile operating system and hardware platforms are part of the TOE environment. The evaluated version of the TOE is version 14.6.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Apple iOS 14 and iPadOS 14: Safari was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. The product, when delivered and configured as identified in the Apple iOS 14 and iPadOS 14: Safari Common Criteria Guide, satisfies all of the security functional requirements stated in the Apple iOS 14 and iPadOS 14: Safari Security Target. The project underwent CCEVS Validator review. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The TOE provides the security functions required by the Protection Profile for Application Software Version 1.3 (PP_APP_v1.3) and Extended Package for Web Browsers Version 2.0 (PP_APP_WEBBROWSER_EP_v2.0).

 

Cryptographic Support

The platform provides TLS/HTTPS connectivity for users attempting to communicate with secure URLs. The TOE does not directly perform any cryptographic functions. The TOE invokes the platform cryptography for secure credential storage.

 

User Data Protection

The TOE requests access to network connectivity, camera, microphone, location services, and address book, and communicates with the wireless network when invoked by the user. The TOE runs inside of a sandbox where each browser tab is isolated. In addition, the TOE supports blocking of third-party cookies. When a cookie has been set with the ‘secure’ attribute, the TOE will only send the cookie over HTTPS.

 

Identification and Authentication

The TOE uses platform-provided X.509 certificate validation functions to verify the validity and revocation status of HTTPS/TLS server certificates.

 

Security Management

The platform provides the ability to configure the TOE. No credentials are installed by default.

 

Privacy

The TOE itself does not request personally identifiable information (PII) from the user. Websites the TOE renders may request PII from the user; however, web page content is considered a general data field. Web page content may be transmitted over the network to a web server. If the user is logged into their iCloud account on two or more devices, two devices within Bluetooth range of each other can automatically “continue” browsing at the same URL, which is provided via iCloud.

 

Protection of the TSF

The TOE does not permit web pages to initiate automatic downloads. All downloads are at the request of a user and require approval. The TOE does not support add-ons or mobile code. The TOE supports JavaScript; however, this is not considered mobile code. No third-party libraries are leveraged by the TOE. The TOE platform verifies all software updates via digital signature.

 

Trusted Path/Channels

The TOE is a software application. The TOE leverages the platform to establish HTTPS/TLS protected communications.


Vendor Information


Apple Inc.
Fiona Pattinson
+1 669 227 3579
security-certifications@Apple.com

www.apple.com