NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - ASSURANCE CONTINUITY MAINTENANCE REPORT FOR Apple iOS 11 VPN Client on iPhone and iPad

Date of Maintenance Completion:  2018.07.17

Product Type:    Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4

Original Evaluated TOE:  2018.05.10 - Apple iOS 11 VPN Client on iPhone and iPad

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guidance [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

The vendor provided evidence on the equivalency of the additional devices to those devices that were included in the original evaluation. Based on that equivalency, the vendor requested the additional devices be included as platforms in the VID 10876 evaluation as follows:

· The Apple iPad 9.7-inch devices (models A1893 and A1954) were released after the TOE was evaluated and therefore could not be included in the original evaluation. The devices have the latest version of iOS 11 and contain the A10 Fusion processor, the same processor used by the iPhone 7 and iPhone 7 Plus, which were included in the tests for the original evaluation.

· The Apple iPad Pro 9.7-inch (model A1675) was mistakenly omitted from the device list provided by the vendor in the original evaluation. The iPad Pro 9.7” model A1675 is almost identical to the model A1674, which was evaluated in the original evaluation, with the following difference: the A1675 uses a removable SIM while the A1674 uses an embedded SIM. This omission was found in the process of gathering information to add the 2018 iPad 9.7-inch described above.

· The iPhone 8 Plus model A1899 is almost identical to the A1898 that was in the original evaluation, with the exception that the A1898 supports a reduced number of cellular bands.

· The iPhone 8 model A1907 is almost identical to the previously included A1906, with the exception that the A1907 supports a reduced number of cellular bands.

The VPN Client software (TOE) originally evaluated under VID10876 was not changed. No security-relevant changes were made to the TOE, and the inclusion of the additional hardware devices does not impact any of the security functions claimed in the Security Target.  The hardware models were added to an existing series of evaluated and supported models. As the additional models use the same processors as devices tested under the original evaluation, no new NIST CAVP certificates are required.  The new radios have received Wi-Fi certification. 

The impact on assurance is considered minor due to the following:

1. The changes are outside of the TOE boundary.

2. The TOE software does not need to be updated to accommodate the additional platforms.

3. The new hardware components do not introduce new security relevant components or functions.

The evaluation evidence consists of the Impact Analysis Report (IAR) and supporting vulnerability analysis update, dated June 20, 2018. 

Changes to TOE: 

There were no changes made to the TOE (the VPN Client software). However, additional hardware platforms that support the TOE were added. The major change in the new hardware platform is the inclusion of the A10 processor in an iPad form factor. This processor is included in the original validation and was tested. Otherwise, the form factor is identical to the iPad Pro 9.7 already included in the original evaluation.

Affected Developer Evidence:

The affected developer evidence consists of the Security Target and Administrative Guidance to add the hardware models to the platform list.  

Regression Testing:

The vendor performed automated regression testing on the new platforms to ensure correct operation. This is standard practice.

Vulnerability Analysis:

An updated vulnerability analysis was conducted on 06.20.2018 and no outstanding vulnerabilities were found related to the platform devices being added to the evaluation. This search was done using https://nvd.nist.gov.  The vulnerability search focused on new vulnerabilities found after the submission of the previous IAR. This vulnerability analysis found that there are no new vulnerabilities for the product. It is noted that Apple had previously addressed Spectre and Meltdown via mitigations that were included in the Apple iOS versions 11.2 and 11.3 releases.

Vendor Information


Apple Inc.
Shawn Geddis
669-227-3579
geddis@apple.com

apple.com