Sophia Antipolis, 12 January 2024
In a significant step highlighting the critical importance of security for mobile device users, the French National Cybersecurity Agency (ANSSI) has certified ETSI's Consumer Mobile Device Protection Profile under the Common Criteria global certification framework. This represents the first certification by a national administration of a comprehensive suite of specifications for assessing the security of smartphones.
Recognizing the vulnerability of consumer mobile devices to a growing range of cybersecurity threats, the standard identifies key security and privacy risks facing users. It also provides appropriate protection to minimize privacy risks, protect users' data and maximize confidence in the security of consumers’ mobile devices.
The standard aims to support mobile device manufacturers in achieving security certification for their new products. It also offers a common methodology for evaluators to assess the security of consumer mobile devices. Defining security assurance requirements based on Common Criteria, the standard is suitable for certification initiatives such as the future European Cyber Resilience Act.
Originally published in 2021 as TS 103 732, ETSI’s Protection Profile for Consumer Mobile Devices has subsequently been revised and expanded as a multi-part specification.
In addition to addressing basic requirements (TS 103 732-1), it now spans the increasing use of biometric authentication (TS 103 732-2) in consumer mobile devices. A third Technical Specification complements this Protection Profile, defining the evaluation configuration (TS 103 932-1) and merging the requirements of the two other documents so the product can be evaluated as a whole.
The suite of specifications has been developed by ETSI with the contribution of stakeholders right across the mobile communications ecosystem, including leading OS developers, smartphone manufacturers, network operators, regulatory authorities and user associations. The new standards build on previous foundational work by ETSI – published in 2020 as European Standard EN 303 645 – that defines baseline requirements for cybersecurity of consumer IoT (Internet of Things) devices which can be applied to a variety of specific verticals.
"Smartphones and tablets are central to our everyday lives," says Alex Leadbeater, Chair of ETSI’s Cybersecurity Technical Committee that has overseen development of the groundbreaking specifications. "They’re also a goldmine of apps, data and personal information that bad actors are increasingly keen to exploit through any means they can, including malware and network eavesdropping".
"Research by GSMA indicates that nine out of ten consumers globally are concerned over smartphone data security and privacy, with 64% of consumers citing security as being 'very important' in their criteria for buying a smartphone," continues Leadbeater. "We are pleased that France’s national cybersecurity authority has officially certified ETSI’s Protection Profile for Consumer Mobile Devices using biometric authentication."
The ANSSI Certification Report is publicly available (in French) at the following link: ANSSI-CC-PP-2023_02fr.pdf (cyber.gouv.fr).
About ETSI
ETSI provides members with an open and inclusive environment to support the development, ratification and testing of globally applicable standards for ICT systems and services across all sectors of industry and society. We are a non-profit body, with more than 950 member organizations worldwide, drawn from 64 countries and five continents. The members comprise a diversified pool of large and small private companies, research entities, academia, government, and public organizations. ETSI is officially recognized by the EU as a European Standards Organization (ESO). For more information, please visit us at https://www.etsi.org/
Contact
Email: Press@etsi.org