In the previous post we reviewed the main technological solutions to secure mobile applications. Depending on the security solution (chip-based, cloud-based or TEE-based) and the target market, chip manufacturers and software developers can choose between various certification schemes applicable to their product.
Certification is not legally mandatory but could be an industry requirement to be part of the market (e.g. for payments) or a market differentiation strategy for new products (e.g. to demonstrate product security robustness).
Security certification usually involves a similar set of activities that must be performed by a recognized security evaluation laboratory, such as testing and evaluation (for example, black-box or white-box), technical documentation review and, in some cases, facility audits.
Let’s review the different certification options for each security solution:
Secure Elements, both embedded and removable, play a key role in the mobile environment, offering a tamper-resistant and reliable solution to secure processing and storage.
Chip-based solutions usually consist of three stacked layers: the IC (chip hardware), the platform (chip OS) and the applications. Each layer has different certification options, depending on the target market and the services offered:
Common Criteria Certification for Chip Products: Common Criteria (CC) evaluation is a robust security certification option, widely recognized in the industry for a wide range of end uses: payment, identification, transport, telecommunications, etc. There are well-defined CC protection profiles for each layer of the Secure Element: ICs (e.g. Security IC Platform PP with Augmentation Packages), OS platforms (e.g. Java Card PP – Open Configuration) and embedded apps (e.g. e-Passport application). Its versatility also makes it a good choice for new types of products, as the security target and the scope of the evaluation are very adaptable. For example, a new protection profile was published in 2015 to evaluate the Embedded UICC, popularly known as eSIM. Even if there is no existing protection profile, a specific security target can be defined to conduct the CC evaluation. For example, Applus+ Laboratories has recently conducted a CC evaluation for a Secure Flash Memory developed by Winbond, where no existing protection profile could be used.
EMVCo and Payment Schemes Certification for Chip Products: Chip-based mobile payment solutions (secure elements) must comply with the payment schemes’ requirements in order to use their infrastructure. The main six payment brands participate in EMVCo, an organization that publishes test specifications and manages the certification processes for chip hardware (IC EMVCo Security Evaluation) and chip platforms (Platform EMVCo Security Evaluation) on behalf of the payment brands. The certification of the final composite, with the payment app loaded, is managed directly by each payment scheme. Each payment brand (Visa, MasterCard, AMEX, Discover, JCB) has its own specific payment application and certification process (VCSP, CAST, Expresspay Mobile, J/Speedy, etc.), which also includes additional functional tests on each layer of the Secure Element.
The Trusted Execution Environment (TEE) is a newer solution based on software isolation that relies on some of the hardware resources of the device it is installed on (a typical architecture would be based on ARM TrustZone). At the moment there are two certification options for a TEE, which follow similar approaches but have some practical differences.
GlobalPlatform Certification for TEE: In 2015, GlobalPlatform (GP) launched a new security certification scheme for TEE products, based on the Common Criteria Protection Profile and following a methodology similar to Common Criteria. The GP approach focuses more on testing a complete TEE product (a device or SoC with a TEE), but with more flexible requirements than Common Criteria. For example, the documentation is not required to meet the Common Criteria standard. Less demanding conformity requirements also make the GlobalPlatform certification process shorter than Common Criteria: the evaluation time for GP TEE certification is 3 months.
Common Criteria Certification for TEE: A TEE can also be certified under a classic Common Criteria evaluation process. Its main advantages are the industry recognition of Common Criteria and its adaptability in determining the scope of the evaluation. In contrast with the GP TEE scheme, under Common Criteria the TEE (software) can be the only target of evaluation, without taking into account the hardware it will run on. This approach can be useful, as TEE developers may want to certify their TEE product without depending on third-party hardware.
Common Criteria Certification for Trusted Apps: Within Common Criteria, it is also possible to evaluate the trusted applications running under a Trusted Execution Environment implementation.
There are several alternatives for securing mobile applications without using a secure element or a TEE. When an application runs directly on the mobile handset OS, software security countermeasures such as code obfuscation can be implemented. For security-critical applications like payment, additional software security features can be implemented via tokenization and cloud-based countermeasures.
Common Criteria for mobile apps certification: Common Criteria is a well-suited framework for evaluating mobile applications, such as ID or signature apps, that run directly on the mobile OS. Common Criteria provides a versatile, internationally recognized methodology with different security evaluation levels. Mobile apps can be evaluated following an existing Protection Profile (e.g. the U.S. Government has developed a PP for application software) or by creating a new security target.
Payment Brands Certification Programs for Cloud-based Solutions: The payments industry has pioneered the use of cloud-based solutions as an alternative to embedded chips for security-critical mobile applications. Taking advantage of the host card emulation (HCE) architecture launched with Google Android 4.4, different payment schemes have published compliance processes for HCE payment solutions that include security evaluations. Applus+ Laboratories was one of the first laboratories to be recognized by the Visa Ready Program for Cloud-based Payments and is now ready to conduct security evaluations for the AMEX Enabled Program for HCE products and MasterCard Cloud Based Payments (MCBP).
Additionally, most certification schemes have similar testing requirements, making it possible to run multiple security evaluation processes with a single laboratory. For example, CC and EMVCo certifications for ICs or platforms have many similarities, and a combined evaluation process may help to lower certification costs and times. A TEE can also be evaluated at the same time under the GP and CC schemes to obtain both certifications.
Applus+ Laboratories is a recognized laboratory, able to perform security evaluations for the different certification options mentioned in this article. Contact us to find out more about the scope of services or our recognitions and accreditations.