NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Samsung Galaxy VPN Client on Android 6

Certificate Date:  2016.06.13

Validation Report Number:  CCEVS-VR-VID10727-2016

Product Type:    Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Administrative Guide [PDF]


Product Description

The Target of Evaluation (TOE) is the Samsung Electronics Co., Ltd. Samsung Galaxy VPN Client on Android 6. 
The TOE is a VPN client that runs on a mobile operating system based on Android 6.0.1 with modifications made to increase the level of security provided to end users and enterprises. The TOE is intended to be used as part of an enterprise messaging solution providing mobile staff with enterprise connectivity.
The TOE platform includes a Common Criteria mode (or “CC mode”) that an administrator can invoke through the use of an MDM or through the installation and use of the administrative application, CCMode.apk (see the Guidance for instructions to obtain the application).  The TOE must be configured as follows in order for an administrator to transition the TOE to CC mode.
·    Require a screen lock password (swipe, PIN, pattern, or facial recognition screen locks are not allowed).
·    The maximum password failure retry policy should be less than or equal to ten.
·    Device encryption must be enabled.
·    SDCard encryption must be enabled (if the device supports SD cards).
·    Revocation checking must be enabled.
When CC mode has been enabled, the TOE behaves as follows.
·    The TOE restricts the available VPN configurations to those evaluated as part of this evaluation.
·    The TOE restricts the use of IKEv1 and IKEv2 IPsec cipher suites to only those conformant with the requirements of the IVPNCPP14.
·    The TOE verifies the VPN Gateway’s Subject Alternative Name (either IP or DNS) matches the expected.


Evaluated Configuration

The evaluated configuration consists of the following devices:

Device Name

Base Model
Number

Android
Version

Kernel Version

Build Number

Carrier Models

Galaxy S7 (Qualcomm)

SM-G930

6.0.1

3.18.20

MMB29M

T, P, R4, V, A

Galaxy S7 (System LSI)

SM-G930

6.0.1

3.18.14

MMB29K

F, S, K, L

Galaxy S7 Edge (Qualcomm)

GM-G935

6.0.1

3.18.20

MMB29M

A, T, P, R4, V

Galaxy S7 Edge (System LSI)

GM-G935

6.0.1

3.18.14

MMB29K

F, S, K, L

Galaxy S7 Active

SM-G891

6.0.1

3.18.20

MMB29M

A, None

Galaxy S6 Edge+

SM-G928

6.0.1

3.10.61

MMB29K

F, I, A, T, P, R4, V, S, K, L

Galaxy Note 5

SM-N920

6.0.1

3.10.61

MMB29K

I, A, T, P, R4, V, S, K, L

Galaxy S6

SM-G920

6.0.1

3.10.61

MMB29K

F, I, A, T, P, R4, V, S, K, L

Galaxy S6 Edge

SM-G925

6.0.1

3.10.61

MMB29K

F, I, A, T, P, R4, V, S, K, L

Galaxy S6 Active

SM-G890

6.0.1

3.10.61

MMB29K

A, None

Galaxy Tab S2 8” Wi-Fi

SM-T710

6.0.1

3.10.9

MMB29K

None

Galaxy Tab S2 8” LTE (EU Open)

SM-T715

6.0.1

3.10.9

MMB29K

None

Galaxy Tab S2 10” Wi-Fi

SM-T810

6.0.1

3.10.9

MMB29K

None

Galaxy Tab S2 10” LTE (EU/AU Open)

SM-T815

6.0.1

3.10.9

MMB29K

None

Galaxy Tab S2 10” LTE (US Models)

SM-T817

6.0.1

3.10.9

MMB29K

A, T, V

Galaxy Note 4 (Qualcomm)

SM-N910

6.0.1

3.10.40

MMB29M

F, A, T, P, R4, V

Galaxy Note 4 (System LSI)

SM-N910

6.0.1

3.10.9

MMB29K

C, S, K, L

Galaxy Note Edge (Qualcomm)

SM-N915

6.0.1

3.10.40

MMB29M

F, A, T, P, R4, V

Galaxy Note Edge (System LSI)

SM-N915

6.0.1

3.10.9

MMB29K

S, K, L

The following table shows the Security software versions for all the devices.

Device Name

MDF Version

MDF Release

VPN v1.4 Release

KNOX Release

Galaxy Note 4

2.0

6

6.0

2.6


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Samsung Galaxy Devices VPN Client was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.    The product, when delivered and configured as identified in the Samsung VPN Client on Galaxy Devices Guidance documentation, Version 2.3, April 19, 2016   document, satisfies all of the security functional requirements stated in the Samsung Electronics Co., Ltd. Samsung Galaxy VPN Client on Android 6  (IVPNCPP14) Security Target, Version 0.2, April 21, 2016.  The project underwent CCEVS Validator review.  The evaluation was completed in June 2016.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10727-2016) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the Samsung Galaxy VPN Client on Android 6 TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic Support - The IPsec implementation is the primary function of the TOE.  IPSec is used by the TOE to protect communication between itself and a VPN Gateway over an unprotected network. With the exception of the IPsec implementation, the TOE relies upon its underlying platform (evaluated against the Protection Profile For Mobile Device Fundamentals) for the cryptographic services.

User Data Protection - The TOE ensures that residual information is protected from potential reuse in accessible objects such as network packets.

Identification and Authentication - The TOE provides the ability to use, store, and protect X.509 certificates and pre-shared keys that are used for IPsec Virtual Private Network (VPN) connections.

Security Management - The TOE provides all the interfaces necessary to manage the security functions identified throughout the Samsung Galaxy VPN Client on Android 6 (IVPNCPP14) Security Target. In particular, the IPsec VPN is fully configurable by a combination of functions provided directly by The TOE and those available to the associated VPN gateway.

TSF Protection - The TOE relies upon its underlying platform to perform self-tests that cover the TOE as well as the functions necessary to securely update the TOE.

Trusted Path/Channels - The TOE acts as a VPN client using IPsec to established secure channels to corresponding VPN gateways.


Vendor Information

Logo
Samsung Electronics Co., Ltd.
Brian Wood
908-809-7939
908-809-7974
be.wood@sta.samsung.com

www.samsung.com
Site Map              Contact Us              Home