ETSI Protection Profile for securing smartphones gains world-first certification from French Cybersecurity Agency
January 2024 by Marc Jacob
In a significant step highlighting the critical importance of security for mobile device users, the French National Cybersecurity Agency (ANSSI) has certified ETSI’s Consumer Mobile Device Protection Profile under the Common Criteria global certification framework. This represents the first certification by a national administration of a comprehensive suite of specifications for assessing the security of smartphones.
Recognizing the vulnerability of consumer mobile devices to a growing range of cybersecurity threats, the standard identifies key security and privacy risks facing users. It also provides appropriate protection to minimize privacy risks, protect users’ data and maximize confidence in the security of consumers’ mobile devices.
The standard aims to support mobile device manufacturers in achieving security certification for their new products. It also offers a common methodology for evaluators to assess the security of consumer mobile devices. Defining security assurance requirements based on Common Criteria, the standard is suitable for certification initiatives such as the future European Cyber Resilience Act.
Originally published in 2021 as TS 103 732, ETSI’s Protection Profile for Consumer Mobile Devices has subsequently been revised and expanded as a multi-part specification. In addition to addressing basic requirements (TS 103 732-1), it now spans the increasing use of biometric authentication (TS 103 732-2) in consumer mobile devices. A third Technical Specification complements this Protection Profile, defining the evaluation configuration (TS 103 932-1) and merging the requirements of the two other documents so the product can be evaluated as a whole.
The suite of specifications has been developed by ETSI with the contribution of stakeholders right across the mobile communications ecosystem, including leading OS developers, smartphone manufacturers, network operators, regulatory authorities and user associations. The new standards build on previous foundational work by ETSI – published in 2020 as European Standard EN 303 645 – that defines baseline requirements for cybersecurity of consumer IoT (Internet of Things) devices which can be applied to a variety of specific verticals.
"Smartphones and tablets are central to our everyday lives", says Alex Leadbeater, Chair of ETSI’s Cybersecurity Technical Committee that has overseen development of the groundbreaking specifications. "They’re also a goldmine of apps, data and personal information that bad actors are increasingly keen to exploit through any means they can, including malware and network eavesdropping".
"Research by GSMA indicates that nine out of ten consumers globally are concerned over smartphone data security and privacy, with 64% of consumers citing security as being ‘very important’ in their criteria for buying a smartphone", continues Leadbeater. "We are pleased that France’s national cybersecurity authority has officially certified ETSI’s Protection Profile for Consumer Mobile Devices using biometric authentication."
The ANSSI Certification Report is publicly available (in French) at the following link: ANSSI-CC-PP-2023_02fr.pdf (cyber.gouv.fr).