GSMA has designed and specified the requirements for a “Mobile Device Security Certification (MDSCert)” scheme. In such MDSCert schemes “mobile devices are evaluated against the GSMA MDSCert Security Requirements for the security evaluation of mobile devices, which are based on the ETSI Consumer Mobile Device Protection Profile ([ETSI TS 103 732] series)”.
As described in [FS.53], [FS.54], [FS.55] and [FS.56], this scheme design is intended “to be implemented by any scheme owner”, in this case TrustCB as scheme owner and operator.
Thus the MDSCert scheme checks conformance of consumer devices against [ETSI TS 103 732].
The TOE type is a consumer device complying with [ETSI TS 103 732], usually a “handheld device produced by a Mobile Device Manufacturer used to make and receive phone calls and mobile messages, support voicemail and connect to the Internet over Wi-Fi or a cellular network” or a derived device such as a tablet, Chromebook or TV running these mobile OSes.
The security functionality required from these mobile devices is expressed in the [ETSI TS 103 732] Protection Profile.
Summarized as per [FS.53]: “The security baseline, and the product evaluations to assess compliance with it, address:
- Hardware.
- Firmware.
- Operating system.
- Pre-loaded software.
- In-life software updates.
The security surfaces include:
- Physical interfaces
- Logical interfaces
The following are excluded as they are typically addressed by other existing dedicated schemes:
- 3GPP Mobile Radio interfaces (e.g. 5G RAN).
- UICC and/or eUICC” (e.g. GSMA eSA).
“The certification of a Mobile Device applies to the factory specification product. The certification does not apply to:
- Third-party software or applications added (intentionally or unintentionally) post-production, including additions by users and/or supply chain participants (e.g. retail stores, mobile operators, etc.).
- Modifications made to the originally provided software (intentionally or unintentionally), post-production.
- Physical modifications made to the product, post-production.
- Repaired products where such repairs are not carried out using Mobile Device Manufacturer certified parts and by a Mobile Device Manufacturer approved repair facility.
The certificate does not apply to user behaviour which has the potential to compromise mobile device security, such as:
- Providing passwords or other security credentials to third parties (intentionally or unintentionally).
- Failing to install in a timely manner or blocking installation of security-critical updates.
- Failing to keep third-party applications up to date.
- Connecting insecure peripherals (e.g. Bluetooth headphones).
- Intentionally or unintentionally granting insecure permissions to applications which were blocked by default in the certified configuration.
- Using the product over insecure / high risk networks (e.g. airport Wi-Fi).”
For details of TrustCB’s procedures for this scheme, refer to the MDSCert scheme specific procedures and the TrustCB shared scheme procedures.
Details of the ITSEFs that have been licensed by TrustCB to perform MIFARE evaluations can be found under Labs.