{"product_id":11640,"v_id":11640,"product_name":"BlackBerry SecuSUITE version 6.0 and BlackBerry Envoy version 6.0 Client","certification_status":"Certified","certification_date":"2026-02-19T00:00:00Z","tech_type":"Application Software,Network Encryption,VoIP","vendor_id":{"name":"BlackBerry Ltd.","website":"https://www.blackberry.com"},"vendor_poc":"Keith Balasingham","vendor_phone":"(519) 888-7465","vendor_email":"secusuiteinquiries@blackberry.com","assigned_lab":{"cctl_name":"Gossamer Security Solutions"},"product_description":"<p>The Target of Evaluation (TOE) is BlackBerry SecuSUITE version 6.0 and BlackBerry Envoy version 6.0 Client.</p>\r\n<p><span style=\"text-decoration: underline;\"><em>User Context</em></span></p>\r\n<p>The TOE user downloads the TOE from an app store (e.g., Apple Store, Google Play). On first use of the app, the user must go through a registration process in order to register to a specified BlackBerry SecuSUITE Server (identified by URI).</p>\r\n<p>Once registered, the user can place secure VoIP calls using the app with largely the same interactions as with a normal phone call. The SecuSUITE Client provides encryption of user call signaling and voice data.</p>\r\n<p>Users are typically invited to join SecuSUITE/Envoy service via an activation email initiated by their corporate IT administrator who adds users via the BlackBerry SecuSUITE Server administration portal. The activation email includes the activation credentials as well as the option to scan a QR code to initiate the registration with the SCA server.</p>\r\n<p><em><span style=\"text-decoration: underline;\">SecuSUITE Context</span></em></p>\r\n<p>The TOE is part of the SecuSUITE Security Solution. 
The TOE does not work in isolation, but relies on BlackBerry SecuSUITE Server components to enable secure VoIP communication.</p>\r\n<p><em><span style=\"text-decoration: underline;\">VVoIP Client</span></em></p>\r\n<p>The SecuSUITE Client establishes a secure tunnel for voice communications with another SecuSUITE/Envoy client or the SecuSUITE Server. The tunnel provides confidentiality, integrity, and data authentication for information that travels across the public network. This occurs using the Secure Real-Time Transport Protocol (SRTP) that has been established using the Session Description Protocol (SDP) and the Security Descriptions for Media Streams (SDES) for SDP &ndash; the TOE supports SDES-SRTP.</p>\r\n<p>The TOE Client also protects communications between itself and the SIP Server by using a Transport Layer Security (TLS)-protected signaling channel. To register the TOE within the domain, the TOE is required to be password authenticated by the SIP Server. The TOE also makes use of certificates to authenticate both the SIP server end and the TOE itself through the TLS connection.</p>\r\n<p><span style=\"text-decoration: underline;\"><em>Group/Conference Calls</em></span></p>\r\n<p>Besides the peer-to-peer calls between two instances of the TOE, the SecuSUITE/Envoy solution also allows the setup of a secure conference call between a group of SecuSUITE users. For that, individual calls and trusted channels are established between all TOEs participating in the group call (for a group call between 4 participants, every TOE has 3 individual calls to the members of the group). The individual SIP and SRTP connections are established exactly the same way the peer-to-peer calls are set up via the SecuSUITE Server. 
They are encrypted end-to-end and the individually decrypted audio stream is mixed only locally by each client so that no clear text representations of the audio streams exist in a central component.</p>\r\n<p><em><span style=\"text-decoration: underline;\">Secure Text Messaging</span></em></p>\r\n<p>The TOE client allows encrypted instant message transfer between client applications. Secure Text Messaging utilizes the same TLS-protected communication channel that is used during initial SCA registration to transfer client configuration settings and SIP credentials between SecuSUITE Server and client.</p>\r\n<p><span style=\"text-decoration: underline;\"><em>Group Messaging</em></span></p>\r\n<p>Besides the peer-to-peer text messaging between two instances of the TOE, the SecuSUITE/Envoy solution also allows the setup of messaging groups between an arbitrary number of SecuSUITE users. The messages are individually encrypted for all TOE users participating in the group messaging session the same way peer-to-peer messages are protected.</p>\r\n<p><em><span style=\"text-decoration: underline;\">Calls Destined Beyond the SecuSUITE Server</span></em></p>\r\n<p>The TOE always encrypts the user&rsquo;s call signaling and data (voice) transmitted to other TOE VoIP endpoints registered with the SecuSUITE Server and transmitted to the SecuSUITE Server itself. The SecuSUITE Server administrator can configure calling to additional endpoints which are reached through a PBX (another SIP server connected to local/internal landline phones and potentially connected to outside phone lines). 
If configured, the TOE can then place calls to additional endpoints beyond the SecuSUITE Server through the configured PBX; however, because the call signaling and call data travel beyond the SecuSUITE Server itself, its security lies beyond the TOE and SecuSUITE Server&rsquo;s control.</p>\r\n<p>While the ability of the SecuSUITE Server to route calls to additional endpoints through a PBX lies beyond the scope of this ASPP14/PKGTLS11/VVoIPAS10 evaluation, the TOE can indicate when a user&rsquo;s call travels beyond the SecuSUITE Server.</p>\r\n<p>The SecuSUITE Server allows an administrator to configure (refer to BlackBerry SecuSUITE Server evaluation VID11634 against the Enterprise Session Controller Protection Profile) which phone number prefixes the administrator deems &ldquo;land secure&rdquo; and which calls &ldquo;breakout&rdquo; to external phone lines (with unknown security). By default, the SecuSUITE Server treats all calls routed to the PBX as &ldquo;breakout&rdquo; calls. These designations cause an image indicating this disposition of the call to appear on the TOE&rsquo;s User Interface (UI) as described in the Common Criteria Configuration Guide. Again, while beyond the scope of this evaluation, the concepts of &ldquo;Secure Landing&rdquo; and &ldquo;Breakout Calls&rdquo; are useful for TOE users to understand, in the event that their administrator has configured their SecuSUITE Server to route calls to additional endpoints through a PBX.</p>\r\n<p><em><span style=\"text-decoration: underline;\">Envoy Client</span></em></p>\r\n<p>The Envoy Client is a branded version of the SecuSUITE client that is identical from a functional and security implementation perspective. 
The Envoy client is distributed by BlackBerry and differs mainly in the UI assets used and in product publishing.</p>","evaluation_configuration":"<p>The evaluated configuration is BlackBerry SecuSUITE version 6.0 and BlackBerry Envoy version 6.0 Client installed on Android 14, iOS 17 or iPadOS 17. Please note that the same TOE compiled for Apple platforms executes on both iOS and iPadOS.</p>","security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the BlackBerry SecuSUITE 6.0 Common Criteria Guide, Version 2 10a, Release 6.0 document, satisfies all of the security functional requirements stated in the BlackBerry SecuSUITE version 6.0 and BlackBerry Envoy version 6.0 Client Security Target, Version 0.6, February 17, 2026. The project underwent CCEVS Validator review. The evaluation was completed in February 2026. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11640-2026) prepared by CCEVS.</p>","environmental_strengths":"<p>The logical boundaries of the SecuSUITE/Envoy Client are realized in the security functions that it implements. 
Each of these security functions is summarized below.</p>\r\n<p><strong>Communication:</strong></p>\r\n<p>The TOE utilizes the Opus codec by default to transmit voice media. The Opus codec utilizes a fixed bit-rate.</p>\r\n<p><strong>Cryptographic support:</strong></p>\r\n<p>The TOE includes its own cryptographic module to perform operations in support of authentication actions and network communications using the TLS and SRTP protocols. The TOE implements TLS version 1.2 with mutual authentication using elliptic-curve cryptography. The TOE also relies upon its platform for certain cryptographic operations, including providing random data to seed the TOE&rsquo;s own DRBG. The TOE relies upon the platform (i.e., iOS, iPadOS, and Android) cryptographic libraries for operations related to protecting keys in platform-offered storage (i.e., a key store).</p>\r\n<p><strong>User data protection:</strong></p>\r\n<p>The TOE enforces the media transmission policy when communicating with remote VVoIP endpoints which use TLS and SRTP protocols. The TOE also ensures that communication with an SCA server is protected using TLS. The TOE protects user data by utilizing platform services for data storage.</p>\r\n<p><strong>Identification and authentication:</strong></p>\r\n<p>The TOE authenticates TLS peers using X.509v3 certificates. It performs extensive X.509 certificate validation checks on these certificates, rejecting invalid or revoked certificates.</p>\r\n<p><strong>Security management:</strong></p>\r\n<p>The TOE receives configuration settings during its registration with an SCA server. 
The client allows management operations that specify the SIP server to use for connections.</p>\r\n<p><strong>Privacy:</strong></p>\r\n<p>The TOE does not transmit Personally Identifiable Information over any network interfaces.</p>\r\n<p><strong>Protection of the TSF:</strong></p>\r\n<p>The TOE relies on the physical boundary of the evaluated platform as well as the Android and iOS/iPadOS operating systems for the protection of the TOE&rsquo;s application components.</p>\r\n<p>The TOE relies upon these platforms to indicate the current TOE version. If an update is needed, it is obtained from the platform&rsquo;s application store. The TOE&rsquo;s software is digitally signed in accordance with the requirements of each application store.</p>\r\n<p>The native Apple and Android cryptographic libraries, which provide some of the TOE&rsquo;s cryptographic services, have built-in self-tests that are run at client start-up to ensure that the algorithms are correct. If any self-tests fail, the TOE will not be able to perform its cryptographic services. The TOE includes its own cryptographic library that also includes self-tests that are run when the client starts.</p>\r\n<p><strong>TOE access:</strong></p>\r\n<p>The TOE includes a 15-second default timeout that can terminate idle voice/video transmission. This timeout value can be changed by the configuration obtained from the SCA server.</p>\r\n<p><strong>Trusted path/channels:</strong></p>\r\n<p>The TOE encrypts all data transmitted with an Enterprise Session Controller and another VVoIP endpoint using TLS to protect HTTPS, SIP and SRTP communications. The TLS channel established with an ESC or VVoIP endpoint can be used to exchange SIP messages or to initiate the use of SRTP for voice/video traffic.</p>","features":[]}