Assurance Continuity - Samsung Galaxy Devices on Android 10 - Spring
Date of Maintenance Completion: 2020.10.12
CC Certificate, Validation Report, Assurance Activity
Product Type: Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: PP-Module for VPN Client Version 2.1
Protection Profile for Mobile Device Fundamentals Version 3.1
Extended Package for Wireless LAN Client Version 1.0
Original Evaluated TOE: 2020.04.30 - Samsung Galaxy Devices on Android 10 - Spring
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target *, Assurance Continuity Maintenance Report, Administrative Guide
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with this latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
Samsung added several device models to the evaluated TOE. The following table summarizes the devices that were originally evaluated:
Table 1 Samsung Galaxy devices originally evaluated
In addition, a prior assurance maintenance action added the following device models to the list of already-approved devices above: Galaxy Note20 Ultra 5G (SM-N986), Galaxy Note20 Ultra (SM-N985), Galaxy Note20 5G (SM-N981), Galaxy Note20 (SM-N980), the Galaxy Tab S7+ (SM-T97x), Galaxy Tab S7 (SM-T87x), Galaxy Z Fold2 (SM-F916) and Galaxy Z Flip 5G (SM-F707).
This assurance maintenance action adds the following device models: Galaxy S20 FE (Fan Edition) with Qualcomm and Samsung processors (models SM-G781 and SM-G780, respectively). The following table shows the complete list of products, including the prior evaluated products and the newly added products.
Table 2 Complete list of devices covered by assurance maintenance
The differences between the devices that were originally evaluated and those that were added as part of this maintenance action are primarily hardware related. These include differences in form factor (screen size and battery size), input capabilities (Samsung S-Pen), and wireless radios (cellular and Wi-Fi). The Z Fold2 and the Z Flip 5G are foldable devices with multiple displays. The S20 FE device models added as part of this maintenance action differ from the earlier S20 series devices in screen size and screen resolution.
Some of the devices have also been updated to support different fingerprint biometric authentication subsystems to accommodate the various form factors and screen sizes of the various device models (as summarized in the following table). The biometric hardware and software components remain unchanged from the ones that were part of the original evaluation.
Table 3 Biometrics capabilities on claimed devices
The major change undertaken with this maintenance action is to add a set of devices to the already-evaluated products, with hardware changes that do not affect the evaluated security functional requirements. As described earlier, these hardware changes relate to form factor and screen resolution.
The firmware and system software on the devices have been periodically updated as part of Samsung’s normal update process, which covers both planned and emergency updates that address both security and functionality aspects of the devices. These changes do not affect the SFRs and are not covered by this assurance maintenance action. There were no other relevant changes to the devices because all other changes to application software are out of scope of the evaluation and do not affect the originally evaluated security functional requirements. Samsung has performed extensive regression testing on the updated firmware and system software as part of their quality assurance process. This includes consulting a variety of sources of vulnerability data, such as CVE and National Vulnerability Database (NVD) current as of September 18, 2020, and performing vulnerability testing of the updated software, with coverage of the relevant SFRs. Vulnerability searches were done using the same search terms used in the Assurance Activity Report of the original evaluation, updated to reflect the version numbers and product models cited in this ACMR.
Samsung Electronics Co., Ltd.