Compliant Product - Wickr Enterprise Client 6.10
Certificate Date: 2023.04.07
Validation Report Number: CCEVS-VR-VID11320-2023
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.4
CC Testing Lab: Leidos Common Criteria Testing Laboratory
Administrative Guide: Version 426151b
Administrative Guide: Wickr Enterprise Client Common Criteria Evaluated Configuration Guide (CCECG)
Administrative Guide: Desktop User Guide Version 6.10
Administrative Guide: Wickr Enterprise NIAP Version Installation and Maintenance Version 1.30.0
The Target of Evaluation (TOE) is Wickr Enterprise Client 6.10. The TOE is an on-premise application providing communication with remote peers. It is the client component of a client-server solution that interacts with the Wickr Enterprise Server application. Collectively, they make up the Wickr Enterprise solution.
Wickr Enterprise is an end-to-end encrypted service that provides communication services for client devices in a closed-loop, zero-trust environment. All Wickr Clients communicate through Wickr Servers for client-to-client communication.
The TOE comprises the Wickr Enterprise Client application and includes versions that may be deployed on Windows, Android, iOS, and macOS platforms.
The platform-specific versions of the TOE (Wickr Enterprise Client 6.10) include:
1. Wickr Enterprise Client for Windows 6.10.2, evaluated on Microsoft Windows 10.
2. Wickr Enterprise Client for macOS 6.10.2, evaluated on macOS 12.4 Monterey.
3. Wickr Enterprise Client for iOS 6.10.0, evaluated on iOS 15.5.
4. Wickr Enterprise Client for Android 6.10.0, evaluated on Android 12.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Wickr Enterprise Client 6.10 Security Target. The evaluation was completed in March 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE uses NIST-validated cryptographic algorithms to secure messaging data in transit. The cryptographic functions for this are supplied by the host platform. All platform versions of the TOE also implement their own NIST-validated cryptographic algorithms through OpenSSL to support the protection of credential data at rest. The TOE relies on platform-provided entropy for random number generator seeding.
The TOE uses cryptographic functionality to protect stored credential data. This is done through a combination of TSF-provided cryptography and platform cryptography for all platform versions.
User Data Protection
The TOE provides cryptographic functionality and also leverages functionality provided by its underlying OS platforms to secure sensitive data at rest. The TOE uses network resources provided by the underlying platforms. All platform services are invoked at the direction of the user.
The TOE uses network connectivity to interact with a Wickr Server to establish connections with other Wickr Clients. The TOE or its platform, depending on platform version, checks for updates from an update server.
Identification and Authentication
The TOE relies on platform-provided functionality to validate X.509 certificates used to authenticate TLS servers when establishing trusted communications, with one exception: the desktop platform versions of the TOE (macOS, Windows) are responsible for validating the cRLSign bit on any certificate used to sign a CRL. Certificate validation is performed in accordance with RFC 5280, and CRLs are used for revocation checking in all cases except for iOS, which uses OCSP.
Wickr Client configuration data is stored locally using mechanisms that are recommended by the respective platform vendors. The TOE is not installed with default credentials. The Wickr Client applies configuration settings it obtains from the Wickr Server.
The TOE does not process any personally identifiable information (PII). No transmission of PII occurs that is not in direct response to user activity.
Protection of the TSF
The TOE includes measures to integrate securely with its underlying OS platform. The TOE does not perform explicit memory mapping, nor does it allocate any memory region with both write and execute permissions. Similarly, the TOE does not write user-modifiable data to directories that contain executable files. The TOE is compatible with its supported host OS platform when configured in a secure manner. All platform versions of the TOE are compiled with stack overflow protection.
The TOE uses a well-defined set of platform APIs and third-party libraries.
The TOE provides the ability for a user to check its version. The TOE platform is used to apply updates. Updates are delivered in a format that is appropriate for the TOE’s platform. Updates to the TOE are digitally signed, and the signature is validated prior to installation. The TOE does not modify its own code. Removal of the application removes all executable code associated with the TOE.
The TOE uses trusted channels to secure data in transit between itself and external entities. The TOE communicates with the Wickr Server for messaging services and authentication using platform-provided TLS.