Scope and Field of Application
The intention of this work item is to deliver a set of security and evaluation requirements to be used in the security assessment of consumer mobile devices. The increasing number of services and features on consumer mobile devices makes them more attractive to attackers. It is necessary to identify the key assets on consumer mobile devices that must be protected and the main security threats to these key assets in the consumer scenario. The specification will also define security objectives that, when fulfilled, dramatically reduce those security threats. Security functions should be implemented by the consumer mobile device in order to protect the key assets, address the security threats and fulfil the security objectives. The requirements for these security functions will also be defined in the specification. Finally, security assurance requirements are needed for the testing and assessment of mobile device security.
The work item will take provisions in TS 103 645 / EN 303 645 which are applicable to consumer mobile devices as high level guidance and will define detailed security requirements following those provisions. In addition, this work item will also define requirements which are not covered by TS 103 645 / EN 303 645.
Radio aspects as well as features specific to some network technologies (e.g. use of UICC in 3GPP) are excluded from the scope of this WI.
Similar work in other SDOs (e.g. ISO/IEC JTC1 SC17, GSMA) will be considered to ensure consistency.
The specification should be structured as follows: ToE definition and usage; Security threats (e.g. network eavesdropping, physical access, flawed applications); Security objectives (e.g. protected communications, protected storage, mobile device integrity, end user privacy); Security functional requirements (e.g. TLS support, key management, data anonymization, authentication, application isolation, secure boot); Security assurance requirements (e.g. guidance documentation, lifecycle support, independent testing); Additional information, optional requirements, use cases, etc.
This document is intended for consumer mobile device manufacturers implementing these best-practice recommendations, and as a guideline for third parties, e.g. evaluators, looking to assess the security functions of consumer mobile devices.
In the context of this work item the term consumer mobile device refers to a class of devices with mobile connectivity capabilities, high computation power and a rich user interface, such as smartphones or tablets, used for personal purposes by the individual owner.