and unpredictable output.
[C-1-7] MUST have tamper resistance, including resistance against physical penetration,
and glitching.
[C-1-8] MUST have side-channel resistance, including resistance against leaking
information via power, timing, electromagnetic radiation, and thermal radiation side
channels.
[C-1-9] MUST have secure storage which ensures confidentiality, integrity, authenticity,
consistency, and freshness of the contents. The storage MUST NOT be able to be read or
altered, except as permitted by the StrongBox APIs.
To validate compliance with [C-1-3] through [C-1-9], device implementations:
[C-1-10] MUST include the hardware that is certified against the Secure IC
Protection Profile
BSI-CC-PP-0084-2014
or evaluated by a nationally
accredited testing laboratory incorporating High attack potential vulnerability
assessment according to the
Common Criteria Application of Attack Potential
to Smartcards
.
[C-1-11] MUST include the firmware that is evaluated by a nationally
accredited testing laboratory incorporating High attack potential vulnerability
assessment according to the
Common Criteria Application of Attack Potential
to Smartcards
.
[C-SR] Are STRONGLY RECOMMENDED to include the hardware that is
evaluated using a Security Target, Evaluation Assurance Level (EAL) 5,
augmented by AVA_VAN.5. EAL 5 certification will likely become a
requirement in a future release.
[C-SR] are STRONGLY RECOMMENDED to provide insider attack resistance (IAR), which
means that an insider with access to firmware signing keys cannot produce firmware that
causes the StrongBox to leak secrets, to bypass functional security requirements or
otherwise enable access to sensitive user data. The recommended way to implement IAR
is to allow firmware updates only when the primary user password is provided via the
IAuthSecret HAL. IAR will likely become a requirement in a future release.
9.12. Data Deletion
All device implementations:
[C-0-1] MUST provide users a mechanism to perform a "Factory Data Reset".
[C-0-2] MUST delete all user-generated data. That is, all data except for the following:
The system image
Any operating system files required by the system image
[C-0-3] MUST delete the data in such a way that will satisfy relevant industry standards
such as NIST SP800-88.
[C-0-4] MUST trigger the above "Factory Data Reset" process when the
DevicePolicyManager.wipeData()
API is called by the primary user's Device Policy Controller
app.
MAY provide a fast data wipe option that conducts only a logical data erase.
9.13. Safe Boot Mode
Android provides Safe Boot Mode, which allows users to boot up into a mode where only preinstalled
system apps are allowed to run and all third-party apps are disabled. This mode, known as "Safe Boot
Mode", provides the user the capability to uninstall potentially harmful third-party apps.
Device implementations are:
Page 128 of 132
