scope:

The present document defines a PP for Consumer Mobile Device (CMD), which is typically a user-customisable device utilising an operating system, supporting installation and maintenance of applications, with wireless internet connectivity, high computation power and rich user interface, such as smartphones or tablets, used for various purposes by the individual owner.

The present document identifies key assets of the CMD to be protected and identifies the threats associated to them and the functional capabilities (objectives and security functional requirements) that are required to mitigate those threats. Finally, the present document specifies the security assurance requirements against which the CMD security can be assessed in a CC security evaluation.

The present document is intended for CMD manufacturers implementing those security requirements for device certification and for third parties looking to assess the security functions on CMD such as evaluators.

The Target Of Evaluation (TOE) described by the present document is a consumer mobile device. The following items are excluded from the scope:

• all applications (apps) downloaded by a human user and pre-installed non-system permission apps which can be uninstalled by the human user;

• all peripheral devices, including any data residing on these devices and any services associated with these devices, for example memory card;

• CMD features related to cellular mobile communication, including secure element which stores user credentials for cellular mobile communication, for example UICC [i.6];

• features related to multiple authenticated human users using the same CMD.