National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Apple iOS 13 on iPhone and Apple iPadOS 13 on iPad
Mobile Devices
Report Number: CCEVS-VR-VID11036-2020
Dated: November 6, 2020
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6940
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940
VID11036 Validation Report, Version 1.0 November 6, 2020
ii
Acknowledgements
Validation Team
Patrick W Mallett, PhD
Jean E Petty
Lisa D. Mitchell
Clare Olin
The MITRE Corporation
Common Criteria Testing Laboratory
Trang Huynh
King Ables
Randy Baker
Quentin Gouchet
Stephan Mueller
Matthew Olander
atsec information security corporation
Austin, TX
VID11036 Validation Report, Version 1.0 November 6, 2020
iii
Table of Contents
Table of Contents
1. Executive Summary .............................................................................................4
2. Identification.......................................................................................................3
3. Architectural Information ....................................................................................5
TOE Evaluated Configuration..............................................................................................6
Physical Scope of the TOE.................................................................................................10
Un-evaluated Functionality ..............................................................................................10
4. Security Policy ...................................................................................................11
Security Audit..................................................................................................................11
Cryptographic Support .....................................................................................................11
User Data Protection........................................................................................................13
Identification and Authentication.....................................................................................13
Security Management......................................................................................................14
Protection of the TSF........................................................................................................14
TOE Access.......................................................................................................................14
Trusted Path/Channels.....................................................................................................14
5. Assumptions......................................................................................................15
Clarification of Scope .......................................................................................................15
6. Documentation .................................................................................................16
7. IT Product Testing..............................................................................................18
Developer Testing............................................................................................................18
Evaluation Team Independent Testing..............................................................................18
8. Evaluated Configuration....................................................................................19
9. Results of the Evaluation ...................................................................................20
Evaluation of the PP-Configuration (ACE)..........................................................................20
Evaluation of the Security Target (ASE).............................................................................20
Evaluation of the Development Documentation (ADV)......................................................21
Evaluation of the Guidance Documents (AGD) ..................................................................21
Evaluation of the Life Cycle Support Activities (ALC)..........................................................21
VID11036 Validation Report, Version 1.0 November 6, 2020
iv
Evaluation of the Test Documentation and the Test Activity (ATE).....................................22
Vulnerability Assessment Activity (VAN)...........................................................................22
Summary of Evaluation Results ........................................................................................23
10. Validator Comments/Recommendations........................................................23
11. Annexes.........................................................................................................24
12. Security Target ..............................................................................................24
13. Glossary ........................................................................................................24
14. Bibliography..................................................................................................25
1. Executive Summary
This report documents the assessment of the National Information Assurance Partnership (NIAP)
validation team of the evaluation of Apple iOS 13 on iPhone and Apple iPadOS 13 on iPad
Mobile Devices provided by Apple Inc. It presents the evaluation results, their justifications, and
the conformance results. This Validation Report is not an endorsement of the Target of
Evaluation (TOE) by any agency of the U.S. government, and no warranty is either expressed or
implied.
The evaluation was performed by the Common Criteria Testing Laboratory (CCTL) atsec
information security corporation in Austin, TX, United States of America, and was completed in
November 2020. The information in this report is largely derived from the Evaluation Technical
Report (ETR) and associated test reports, all written by the CCTL, atsec information security
corporation. The evaluation determined that the product is both Common Criteria (CC) Part 2
Extended and Part 3 Extended, and meets the assurance requirements given in:
 PP-Configuration for Mobile Device Fundamentals (MDF), Mobile Device
Management (MDM) Agents, and Virtual Private Network (VPN) Clients, Version
1.0, dated 28 February 2020
o Protection Profile for Mobile Device Fundamentals, Version 3.1, dated 16
June 2017
o PP-Module for MDM Agents, Version 1.0, dated 25 April 2019
o The PP-Module for Virtual Private Network (VPN) Clients, Version 2.1,
dated 5 October 2017
 General Purpose Operating Systems Protection Profile/ Mobile Device Fundamentals
Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN)
Clients, Version 1.0, dated 8 February 2016.
VID11036 Validation Report, Version 1.0 November 6, 2020
2
The TOE is Apple iOS 13 on iPhone and Apple iPadOS 13 on iPad Mobile Devices executing on
the following platforms:
 iPhone 6s / iPhone 6s Plus (A9 processor)
 iPhone SE (A9 processor)
 iPhone SE (2nd
gen) (A13 Bionic processor)
 iPhone 7 / iPhone 7 Plus (A10 Fusion processor)
 iPhone 8 / iPhone 8 Plus (A11 Bionic processor)
 iPhone X (A11 Bionic processor)
 iPhone XS / iPhone XS Max (A12 Bionic processor)
 iPhone XR (A12 Bionic processor)
 iPhone 11 / iPhone 11 Pro / iPhone 11 Pro Max (A13 Bionic processor)
 iPad mini 4 (A8 processor)
 iPad mini (5th
gen) (A12 Bionic)
 iPad Air 2 (A8X processor)
 iPad 9.7-inch (5th
gen) (A9 processor)
 iPad 9.7-inch (6th
gen) (A10 Fusion procession)
 iPad Pro 9.7-inch (A9X processor)
 iPad 10.2-inch (7th
gen) (A10 Fusion processor)
 iPad Pro 10.5-inch (A10X Fusion processor)
 iPad Pro 10.5-inch (3rd
gen) (A12 Bionic processor)
 iPad Pro 11-inch (A12X Bionic processor)
 iPad Pro 11-inch (2nd
gen) (12Z Bionic processor)
 iPad Pro 12.9-inch (A9X processor)
 iPad Pro 12.9-inch (2nd
gen) (A10X Fusion processor)
 iPad Pro 12.9-inch (A12X Bionic processor)
 iPad Pro 12.9-inch (4th
gen) (A12Z Bionic processor)
The TOE identified in this Validation Report has been evaluated at a NIAP approved CCTL
using the “Common Methodology for IT Security Evaluation (Version 3.1, Rev. 5)” (CEM) for
conformance to the “Common Criteria for IT Security Evaluation (Version 3.1, Rev. 5)” (CC)
and the Assurance Activities (AA) of the aforementioned PP-Configuration, Protection Profile,
PP Modules, and Extended Packages. This Validation Report applies only to the specific version
of the TOE as evaluated. The evaluation has been conducted in accordance with the provisions of
VID11036 Validation Report, Version 1.0 November 6, 2020
3
the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) and the conclusions of
the testing laboratory in the evaluation technical report are consistent with the evidence provided.
The validation team monitored the activities of the evaluation team, reviewed testing activities,
provided guidance on technical issues and evaluation processes, and reviewed the individual
work units and successive versions of the ETR. The validation team found that the evaluation
showed that the product satisfies all the functional requirements and assurance requirements
stated in the Security Target (ST). The validation team concludes that the testing laboratory’s
findings are accurate, the conclusions justified, and the conformance results are correct. The
conclusions of the testing laboratory in the evaluation technical report are consistent with the
evidence produced.
The CCTL atsec information security corporation evaluation team concluded that the CC
requirements specified by:
 PP-Configuration for Mobile Device Fundamentals (MDF), Mobile Device
Management (MDM) Agents, and Virtual Private Network (VPN) Clients, Version
1.0, dated 28 February 2020
o Protection Profile for Mobile Device Fundamentals, Version 3.1, dated 16
June 2017
o PP-Module for MDM Agents, Version 1.0, dated 25 April 2019
o The PP-Module for Virtual Private Network (VPN) Clients, Version 2.1,
dated 5 October 2017
 General Purpose Operating Systems Protection Profile/ Mobile Device Fundamentals
Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN)
Clients, Version 1.0, dated 8 February 2016
have been met.
The technical information included in this report was obtained from the Apple iOS 13 on iPhone
and Apple iPadOS 13 on iPad Mobile Devices Security Target, Version 1.7.
2. Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and
Technology (NIST) effort to establish commercial facilities to perform trusted product
evaluations. Under this program, security evaluations are conducted by commercial testing
laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common
Evaluation Methodology (CEM) for Evaluation Assurance in accordance with National
Voluntary Laboratory Assessment Program (NVLAP) accreditation.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and
consistency across evaluations. Developers of information technology products desiring a
VID11036 Validation Report, Version 1.0 November 6, 2020
4
security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon
successful completion of the evaluation, the product is added to NIAP’s Product Compliant List.
The following table provides information needed to completely identify the product, including
the following.
 The Target of Evaluation (TOE): The fully qualified identifier of the product as evaluated
 The ST: Describing the security features, claims, and assurances of the product
 The conformance results of the evaluation
 The Protection Profile (PP) to which the product is conformant
 The organizations and individuals participating in the evaluation
Item Identifier
Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme
TOE Apple iOS 13 on iPhone and Apple iPadOS 13 on iPad Mobile Devices executing on
the following platforms:
 iPhone 6s / iPhone 6s Plus (A9 processor)
 iPhone SE (A9 processor)
 iPhone SE (2nd
gen) (A13 Bionic processor)
 iPhone 7 / iPhone 7 Plus (A10 Fusion processor)
 iPhone 8 / iPhone 8 Plus (A11 Bionic processor)
 iPhone X (A11 Bionic processor)
 iPhone XS / iPhone XS Max (A12 Bionic processor)
 iPhone XR (A12 Bionic processor)
 iPhone 11 / iPhone 11 Pro / iPhone 11 Pro Max (A13 Bionic processor)
 iPad mini 4 (A8 processor)
 iPad mini (5th
gen) (A12 Bionic)
 iPad Air 2 (A8X processor)
 iPad 9.7-inch (5th
gen) (A9 processor)
 iPad 9.7-inch (6th
gen) (A10 Fusion procession)
 iPad Pro 9.7-inch (A9X processor)
 iPad 10.2-inch (7th
gen) (A10 Fusion processor)
 iPad Pro 10.5-inch (A10X Fusion processor)
 iPad Pro 10.5-inch (3rd
gen) (A12 Bionic processor)
 iPad Pro 11-inch (A12X Bionic processor)
VID11036 Validation Report, Version 1.0 November 6, 2020
5
Item Identifier
 iPad Pro 11-inch (2nd
gen) (12Z Bionic processor)
 iPad Pro 12.9-inch (A9X processor)
 iPad Pro 12.9-inch (2nd
gen) (A10X Fusion processor)
 iPad Pro 12.9-inch (A12X Bionic processor)
 iPad Pro 12.9-inch (4th
gen) (A12Z Bionic processor)
PP  PP-Configuration for Mobile Device Fundamentals (MDF), Mobile Device
Management (MDM) Agents, and Virtual Private Network (VPN) Clients,
Version 1.0, dated 28 February 2020
o Protection Profile for Mobile Device Fundamentals, Version 3.1,
dated 16 June 2017
o PP-Module for MDM Agents, Version 1.0, dated 25 April 2019
o The PP-Module for Virtual Private Network (VPN) Clients,
Version 2.1, dated 5 October 2017
 General Purpose Operating Systems Protection Profile/ Mobile Device
Fundamentals Protection Profile Extended Package (EP) Wireless Local
Area Network (WLAN) Clients Version 1.0, dated 8 February 2016.
ST Apple iOS 13 on iPhone and Apple iPadOS 13 on iPad Mobile Devices Security
Target (ST), Version 1.7 dated 2020-11-10.
ETR Evaluation Technical Report for a Target of Evaluation Apple iOS 13 on iPhone
and Apple iPadOS 13 on iPad Mobile Devices, Version 1.0, dated 2020-08-13
CC Version Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 5
Conformance Result CC Part 2 extended, CC Part 3 extended
Sponsor Apple Inc.
Developer Apple Inc.
CCTL atsec information security corporation, Austin, TX
CCEVS Validators Patrick W Mallett, Jean E Petty, Lisa D. Michell, Clare Olin
3. Architectural Information
Note that the following architectural description is based on the description presented in the ST.
The implementation of TOE architecture can be viewed as a set of layers. Lower layers contain
fundamental services and technologies. Higher-level layers build upon the lower layers and
provide more sophisticated services and technologies.
These individual layers provide the following services.
VID11036 Validation Report, Version 1.0 November 6, 2020
6
The Cocoa Touch layer contains key frameworks for building iOS apps. These frameworks
define the appearance of applications (apps).
The Media layer contains the graphics, audio, and video technologies you use to implement
multimedia experiences in apps.
The Core Services layer contains fundamental system services for apps. Key among these
services are the Core Foundation and Foundation frameworks, which define the basic types that
all apps use. This layer also contains individual technologies to support features such as location,
iCloud, social media, and networking. This layer also implements data protection functions that
allow apps that work with sensitive user data to take advantage of the built-in encryption
available on some devices.
The Core OS layer contains the low-level features that most other technologies are built upon.
Situations where an app needs to explicitly deal with security or communications with an
external hardware accessory, it does so by using the frameworks in this layer.
Security related frameworks provided by this layer are as follows.
 The Generic Security Services Framework, which provides services as specified in RFC
2743 (Generic Security Service Application Program Interface Version 2, Update 1) and
RFC 4401 (Pseudo Random Function).
 The Local Authentication Framework.
 The Network Extension Framework, which provides support for configuring and
controlling virtual private network (VPN) tunnels.
 The Security Framework, which provides services to manage and store certificates,
public and private keys, and trust policies. This framework also provides the Common
Crypto library for symmetric encryption and hash-based message authentication codes
and
 The System Framework, which provides the kernel environment, drivers, and low-level
UNIX interfaces. The kernel manages the virtual memory system, threads, file system,
network, and inter-process communication and is therefore responsible for separating
apps from each other and controlling the use of low-level resources.
The TOE may be managed by an MDM solution that enables an enterprise to control and
administer the TOE instances that are enrolled in the MDM solution.
TOE Evaluated Configuration
The evaluated configuration consists of the following hardware and software, when configured
in accordance with the documentation specified in Section 6. The evaluation covers the
following Apple iPhone and iPad Mobile Devices running on iOS 13 and iPadOS 13 operating
system as detailed in Table 1.
VID11036 Validation Report, Version 1.0 November 6, 2020
7
Table 1: Devices covered by the evaluation
Processor Device Name Model Number
A8 iPad mini 4 A1538
A1550
A8X iPad Air 2 A1566
A1567
A9 iPhone 6s A1633
A1688
A1691 (China)
A1700 (China)
iPhone 6s Plus A1634
A1687
A1690 (China)
A1699 (China)
iPhone SE A1662
A1723 (China)
A1724 (China)
iPad 9.7-inch (5th gen) A1822
A1823
A9X iPad Pro 12.9-inch A1584
A1652
iPad Pro 9.7-inch A1673
A1674
A1675
A10 Fusion iPhone 7 A1660
A1779 (Japan)
A1780 (China)
A1778
iPhone 7 Plus A1661
A1785 (Japan)
A1786 (China)
A1784
iPad 9.7-inch
(6th gen)
A1893
A1954
VID11036 Validation Report, Version 1.0 November 6, 2020
8
Processor Device Name Model Number
iPad 10.2-inch (7th gen) A2199
A2200
A2198 (Hong Kong)
A10X Fusion iPad Pro 12.9-inch (2nd gen) A1670
A1671
A1821 (China)
iPad Pro 10.5-inch A1701
A1709
A1852 (China)
A11 Bionic iPhone 8 A1863
A1906 (Japan)
A1907
A1905 (GSM)
iPhone 8 Plus A1864
A1898 (Japan)
A1899
A1897 (GSM)
iPhone X A1865 (Japan)
A1902 (Japan)
A1903 (Japan)
A1901
A12 Bionic iPhone XS A1920 (US/CA/HK)
A2097
A2098 (Japan)
A2099 (Global)
A2100 (China)
iPhone XS Max A1921 (US/CA)
A2101 (Global)
A2102 (Japan)
A2103 (Global)
A2104 (China/HK)
iPhone XR A1984 (US/CA)
A2105 (Global)
VID11036 Validation Report, Version 1.0 November 6, 2020
9
Processor Device Name Model Number
A2106 (Japan)
A2107 (US/CA)
A2108 (HK/China)
iPad mini (5th gen) A2133
A2125 (China)
A2126
10.5-inch iPad (3rd gen) A2152
A2154 (China)
A2123
A2153
A12X Bionic 11-inch iPad Pro A1934 (US/CA)
A1979 (China)
A1980
A2013 (US/CA)
12.9-inch iPad Pro A2014 (US/CA)
A1876
A1895
A1983 (China)
A12Z Bionic 11-inch iPad Pro (2nd gen) A2068
A2228
A2230
A2231 (China)
12.9-inch iPad Pro (4th gen) A2069
A2229
A2232
A2233 (China)
A13 Bionic iPhone 11 A2111
A2221
A2222
A2223
iPhone 11 Pro A2160
A2215
A2217
VID11036 Validation Report, Version 1.0 November 6, 2020
10
Processor Device Name Model Number
A2216
iPhone 11 Pro Max A2161
A2218
A2220
A2219
iPhone SE (2nd gen) A2275 (US/CA)
A2296 (Global)
A2298 (China)
Physical Scope of the TOE
The TOE is a Mobile Device which consists of a hardware platform and its system software. It
provides wireless connectivity and includes software for VPN connections to access the
protected enterprise network and other Mobile Devices.
The TOE provides secured communication channels between itself and other trusted IT products
using IEEE 802.11-2012, IEEE 802.1X, EAP-TLS, TLS, IPsec, Bluetooth, and NFC (iPhone
devices only), UWB (iPhone 11 devices only). Via the established network connection, the TOE
can communicate with an MDM server allowing administrative control of the TOE.
Un-evaluated Functionality
The following functions were not evaluated and are therefore not included in the secure
configuration of the Mobile Devices.
 Two-Factor Authentication
Two-factor authentication is an extra layer of security for an Apple ID used in the Apple
store, iCloud and other Apple services.
 Bonjour
Bonjour is Apple’s standards-based, zero configuration network protocol that lets devices
find services on a network.
 VPN Split Tunnel
VPN split tunnel is not included in the evaluation and must be disabled in the Mobile
Device configurations to meet the requirements of this CC evaluation.
 Siri Interface
The Siri interface is capable of supporting commands related to configuration settings.
 Shared iPad for education
VID11036 Validation Report, Version 1.0 November 6, 2020
11
This multi-user configuration was not included in the evaluation and must not be used to
meet the requirements of this CC evaluation.
 Third-party MDM Agents
Third-party applications are available that provide functionality as a Mobile Device
MDM Agent. No third-party MDM Agent applications were included in the evaluation
and are outside the scope of the evaluated configuration.
 VPN Protocols and Authentication Methods
The following Virtual Private Network (VPN) protocols are not included in the
evaluation and must be disabled in the Mobile Device configurations that meet the
requirements of this CC evaluation.
o Cisco IPsec
o Layer Two Tunneling Protocol (L2TP) over IPsec
o Secure Sockets Layer (SSL) VPN
o Shared secret authentication
4. Security Policy
This section summaries the security functionality of the TOE including the following.
1. Security audit
2. Cryptographic support
3. User data protection
4. Identification and authentication
5. Security Management
6. Protection of the TSF (TOE Security Functionality)
7. TOE access
8. Trusted Path/Channels
9. Objective Requirements
Security Audit
The TOE provides the ability for responses to be sent from the MDM Device Agent to the MDM
Server. These responses are configurable by the organization using a scripting language given in
the Over-the-Air Profile Delivery and Configuration document.
Cryptographic Support
The TOE provides cryptographic services for the encryption of data-at rest, secure
communication channels, and for use by applications. In addition, the TOE implements several
cryptographic protocols that can be used to establish a trusted channel to other IT entities.
VID11036 Validation Report, Version 1.0 November 6, 2020
12
As noted in the Security Target, section 1.5.2.1 the TOE provides cryptographic services via the
following cryptographic modules.
 Apple CoreCrypto Cryptographic Module for ARM, v10.0 (User Space)
 Apple CoreCrypto Kernel Module for ARM, v10.0 (Kernel Space)
 Apple Secure Key Store Cryptographic Module, v10.0
The Apple CoreCrypto Cryptographic Module for ARM is a dynamically loadable library that
resides within the TOE OS user space. The library is loaded into an application running in user
space to provide cryptographic functions.
The cryptographic functions provided include symmetric key generation, encryption and
decryption using the Advanced Encryption Standard (AES) algorithms, asymmetric key
generation and key establishment, cryptographic hashing, and keyed-hash message
authentication.
The functions listed below are used to implement the security protocols supported and the
encryption of data-at-rest.
 Random number generation
 Data encryption and decryption
 Signature generation/verification
 Message digest
 Message authentication
 Key derivation (PBKDF2)
 Key generation
 Key wrapping
The Apple CoreCrypto Kernel Cryptographic Module for ARM is a TOE OS kernel
extension optimized for library use within the TOE OS kernel.
The functions listed below are used to implement the security protocols supported as well as for
the encryption of data-at-rest.
 Random number generation
 Data encryption/decryption
 Signature generation/verification
 Message digest
 Message authentication
 Key generation
VID11036 Validation Report, Version 1.0 November 6, 2020
13
The Apple Secure Key Store Cryptographic Module is a single-chip standalone hardware
cryptographic module running on a multi-chip device and provides services intended to protect
data in transit and at rest.
The cryptographic services provided by the module are:
 Random number generation
 Data encryption/decryption
 Message digest
 Key wrapping
 Key derivation
 Key generation
User Data Protection
User data in files is protected using cryptographic functions, password protection and encryption
to ensure data remains protected even if the device is lost or stolen. Critical data like passwords
used by applications or application defined cryptographic keys can be stored in the key chain,
which provides additional protection. Data can be protected such that only the application that
owns the data can access it.
The Secure Enclave Processor (SEP) is a separate CPU that executes a stand-alone operating
system and provides protection for critical security data such as keys.
Identification and Authentication
Except for making emergency calls, answering calls, accessing Medical ID information, using
the cameras, and using the flashlight, users need to authenticate using a passcode or a biometric
(fingerprint or face). The user is required to use the passcode authentication mechanisms under
the following conditions.
 Turn on or restart the device
 Press the Home button or swipe up to unlock your device (configurable)
 Erase the device
 View or change passcode settings
 Install iOS or iPadOS Configuration Profiles
The passcode can be configured for a minimum length, for dedicated passcode policies, and for a
maximum lifetime. When entered, passcodes are obscured and the frequency of entering
passcodes is limited as well as the number of consecutive failed attempts of entering the
passcode.
VID11036 Validation Report, Version 1.0 November 6, 2020
14
The TOE also enters a locked state after a (configurable) time of user inactivity and the user is
required to either enter his passcode or use biometric authentication (fingerprint or face) to
unlock the TOE.
External entities connecting to the TOE via a secure protocol (Extensible Authentication
Protocol Transport Layer Security (EAP-TLS), Transport Layer Security (TLS), IPsec) can be
authenticated using X.509 certificates.
Security Management
Security functions can be managed either by the user or by an authorized administrator through a
Mobile Device Management system. Table 6 of the Security Target identifies the functions that
can be managed and if the management function can be performed by the user, the authorized
administrator or both.
Protection of the TSF
Some of the functions the TOE implements to protect the TSF and TSF data are as follows:
 Protection of cryptographic keys
 Use of memory protection and processor states to separate applications and protect the
TSF from unauthorized access to TSF resources
 Digital signature protection of the TSF image
 Software/firmware integrity self-test upon start-up
 Digital signature verification for applications
 Access to defined TSF data and TSF services only when the TOE is unlocked
TOE Access
The TSF provides functions to lock the TOE upon request and after an administrator-
configurable time of inactivity.
Access to the TOE via a wireless network is controlled by user/administrator defined policy.
Trusted Path/Channels
The TOE supports the use of the following cryptographic protocols that define a trusted channel
between itself and another trusted IT product.
 IEEE 802.11-2012
 IEEE 802.11ac-2013 (a.k.a. Wi-Fi 5)
 IEEE 802.11ax (a.k.a. Wi-Fi 6)
 IEEE 802.1X
VID11036 Validation Report, Version 1.0 November 6, 2020
15
 EAP-TLS (1.0, 1.1, 1.2)
 TLS (1.2)
 IPsec
 Bluetooth (4.0, 4.2, 5.0)
5. Assumptions
The Security Problem Definition, including the assumptions, may be found in the associated PP-
Configuration:
 PP-Configuration for Mobile Device Fundamentals (MDF), Mobile Device
Management (MDM) Agents, and Virtual Private Network (VPN) Clients, Version
1.0, dated 28 February 2020
o Protection Profile for Mobile Device Fundamentals, Version 3.1, dated 16
June 2017
o PP-Module for MDM Agents, Version 1.0, dated 25 April 2019
o The PP-Module for Virtual Private Network (VPN) Clients, Version 2.1,
dated 5 October 2017
 General Purpose Operating Systems Protection Profile/ Mobile Device Fundamentals
Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN)
Clients, Version 1.0, dated 8 February 2016
That information has not been reproduced here and the respective documents should be
consulted if there is interest in that material. Additionally, the Security Problem Description has
been presented in the Security Target.
Clarification of Scope
The scope of this evaluation was limited to the functionality and assurances covered in ST and
the associated PP-Configuration.
Other functionality included in the product was not assessed as part of this evaluation. All other
functionality provided by the device needs to be assessed separately, and no further conclusions
can be drawn about their effectiveness.
All evaluations (and all products) have limitations, as well as potential misconceptions that need
clarification. This text covers some of the more important limitations and clarifications of this
evaluation.
Note: As with any evaluation, this evaluation only shows that the evaluated configuration meets
the security claims made with a certain level of assurance (the assurance activities specified in
VID11036 Validation Report, Version 1.0 November 6, 2020
16
the PP_MD_V3.1, MOD_MDM_AGENT_V3.0, MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0) performed by the evaluation team.
Specific exclusions from this evaluation are described in the subsection Un-evaluated
Functionality in Section 3.
6. Documentation
The following documentation was used as evidence for the evaluation of the TOE.
The following documentation was used as evidence for the evaluation.
Reference Document Name Location
Mobile Device Administrator Guidance
[CCGUIDE] Apple iOS 13 on iPhone and Apple
iPadOS 13 on iPad Mobile Devices
Common Criteria Configuration
Guide, Version 1.1, 2020-10-7.
https://www.niap-
ccevs.org/MMO/Product/st_vid1103
6-agd.pdf
[CfgProfRef]
(2019-05-03)
Configuration Profile Reference https://developer.apple.com/enterpris
e/documentation/Configuration-
Profile-Reference.pdf
Mobile Device User Guidance
[iPhone_UG] iPhone User Guide for iOS 13 (2019) https://support.apple.com/guide/ipho
ne/welcome/ios
[iPad_UG] iPad User Guide for iPadOS 13
(2019)
https://support.apple.com/guide/ipad/
welcome/ipados
[PASSCODE_Help]
(October 15, 2019)
Use a passcode with your iPhone,
iPad or iPod touch
https://support.apple.com/en-
us/HT204060
International:
https://support.apple.com/HT204 060
[BLUETOOTH_Help]
(September 24, 2019)
Pair a third-party Bluetooth
accessory with your iPhone, iPad, or
iPod touch
https://support.apple.com/en-
us/HT204091
International:
https://support.apple.com/HT204091
Mobile Device Management
VID11036 Validation Report, Version 1.0 November 6, 2020
17
Reference Document Name Location
[AConfig] Apple Configurator 2 User Guide
(online guidance)
https://support.apple.com/guide/appl
e-configurator-2/welcome/mac
[DEP_Guide]
(12-2017)
Apple Deployment Programs Device
Enrollment Program Guide
https://www.apple.com/business/doc
s/DEP_Guide.pdf
[PM_Help]
(2018)
Profile Manager User Guide https://support.apple.com/guide/profi
le-manager/welcome/mac
[MDM_REF]
(2019-03-25)
Mobile Device Management
Protocol Reference
https://developer.apple.com/business
/documentation/MDM-Protocol-
Reference.pdf
Supporting Documents
[DeployRef] Deployment Reference for iPhone
and iPad
https://support.apple.com/guide/depl
oyment-reference-ios/welcome/web
[PROFS_LOGS] Profiles and Logs
(applies to both iOS and iPadOS)
https://developer.apple.com/bug-
reporting/profiles-and-
logs/?platforms=ios
[LOGGING] Logging https://developer.apple.com/docume
ntation/os/logging?language=objc
[MDM_SETTINGS_IT] Mobile Device Management Settings https://support.apple.com/guide/mdm
/welcome/web
[TRUST_STORE] List of available trusted root
certificates in iOS 13, iPadOS 13,
macOS10.15, watchOS 6, and tvOS
13
https://support.apple.com/en-
us/HT210770
International:
https://support.apple.com/HT210770
[MANAGE_CARDS] Manage the cards that you use with
Apple Pay
https://support.apple.com/en-
us/HT205583
[PAY_SETUP] Set up Apple Pay https://support.apple.com/en-
us/HT204506
App Developer Guidance
[CKTSREF]
(2018)
Certificate, Key, and Trust Services https://developer.apple.com/docume
ntation/security/certificate_key_and_
trust_services
[KEYCHAINPG]
(2018)
Keychain Services Programming
Guide
https://developer.apple.com/docume
ntation/security/keychain_services
VID11036 Validation Report, Version 1.0 November 6, 2020
18
Reference Document Name Location
[AP_SEC]
(Spring 2020)
Apple Platform Security https://support.apple.com/guide/secu
rity/welcome/web
Any additional customer documentation delivered with the product or that may be available
through download was not included in the scope of the evaluation and hence should not be relied
upon when configuring or using the products in the evaluated configuration.
7. IT Product Testing
This section describes the testing efforts of the developer and the Evaluation Team. The specific
test configurations and test tools utilized may be found in the Assurance Activity Report (AAR)
in Section 2.2.
Developer Testing
No evidence of developer testing is required in the assurance activities for this product.
Evaluation Team Independent Testing
The ST lists more devices compared to the subset of devices used for testing. The tests were
performed on the Mobile Devices listed above which were selected, by choosing one from within
each device family.
One device family is defined by the hardware that impacts the TSF operation: the CPU. The
other hardware, such as form factor, size of non-volatile storage, presence or absence of modem
devices such as GSM, CDMA or LTE do not affect the TSF. All TSF functions are solely
implemented in software which uses the process isolation and memory separation capabilities
offered by the CPU. The software of the TOE is compiled once to form one set of binaries which
run on all devices and therefore on all CPUs equally.
In addition, the security functions specified in the ST are all implemented above the hardware
layer. Once a request is processed by the hardware, the security relevant decisions have been
already made by the software. The hardware now only needs to enforce the functionality
requested by the software. Based on this consideration, the evaluation team used the hardware
information provided by the developer which lists all devices found in the ST and references the
CPUs used by those devices. All devices listed in the ST use one of the following CPUs:
 A8
 A8X
 A9
VID11036 Validation Report, Version 1.0 November 6, 2020
19
 A9X
 A10 Fusion
 A10X Fusion
 A11 Bionic
 A12 Bionic
 A12X Bionic
 A12Z Bionic
 A13 Bionic
The test system was set up according to a setup strategy that followed the evaluated
configuration requirements specified in the guidance, supplemented by configurations required
to perform testing.
The testing was performed by setting up a Linux server that operated as a:
 WLAN access point,
 VPN endpoint,
 VPN Gateway with the Strongswan IKE daemon and the Linux kernel IPsec support
 Web server with TLS support,
 Key generator, and
 Bluetooth endpoint.
The Linux system was equipped with the appropriate tools to perform sniffing of the different
traffic types and analyzing the traffic, e.g., wireshark, tcpdump, bluez-hcidump.
Apple Configurator 2 was used to create the configuration profiles/policies and deploy the
profiles/policies onto the different test systems. An Apple system hosting the Apple Profile
Manager software component acted as the MDM server to which the test devices connected.
8. Evaluated Configuration
The guidance documentation provides specific instructions for creating configuration profiles
that configure Apple iOS and iPadOS to comply with the functions defined in the Security
Target. The evaluated configuration included the devices listed below running Apple iOS 13 on
iPhone and iPadOS 13 on iPad:
 Apple device with CPU A8: Apple iPad Mini 4
 Apple device with CPU A8X: iPad Air 2
 Apple device with CPU A9: iPhone 6s Plus
 Apple device with CPU A9X: iPad Pro 9.7-inch
VID11036 Validation Report, Version 1.0 November 6, 2020
20
 Apple device with CPU A10 Fusion: iPhone 7, iPhone 7 Plus
 Apple device with CPU A10X Fusion: iPad Pro 10.5-inch
 Apple device with CPU A11 Bionic: iPhone 8, iPhone 8 Plus
 Apple device with CPU A12 Bionic: iPhone Xs, iPhone Xs Max
 Apple device with CPU A12X Bionic: iPad Pro 11-inch, iPad Pro 12.9-inch
 Apple device with CPU A13 Bionic: iPhone 11 Pro, iPhone 11 Pro Max
9. Results of the Evaluation
The results of the assurance requirements are generally described in this section and are
presented in detail in the proprietary ETR.
All work units defined by CC Version 3.1 Revision 5 and CEM Version 3.1 Revision 5 and the
CFG_MDF-MDM_AGENT-VPNC_V1.0, PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and
MOD_VPN_CLI_V2.1, and PP_WLAN_CLI_EP_V1.0 received a pass verdict.
A verdict for an assurance component is determined by the resulting verdicts assigned to the
corresponding evaluator action elements as well as assurance activities. The evaluation was
conducted based upon CEM Version 3.1 Revision 5. The evaluation determined the TOE to be
CC Part 2 extended and Part 3 extended, and to meet the assurance requirements defined by the
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0.
Evaluation of the PP-Configuration (ACE)
The evaluation team applied each ACE CEM work unit. The PP-Configuration evaluation
ensured that the PP-Configuration to be met by the Apple iOS/iPadOS 13 products is consistent
with the Common Criteria, and product security function descriptions that support the
requirements.
The validators reviewed the work of the evaluation team, and found that sufficient evidence and
justification was provided by the evaluation team to confirm that the evaluation was conducted in
accordance with the requirements of the CEM and CFG_MDF-MDM_AGENT-VPNC_V1.0,
and that the conclusion reached by the evaluation team was justified.
Evaluation of the Security Target (ASE)
The evaluation team applied each ASE CEM work unit and the assurance activity specified in
the PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0. The ST evaluation ensured that the ST contains a description of the
environment in terms of policies and assumptions, a statement of security requirements claimed
to be met by the Apple iOS /iPadOS 13 product that are consistent with the Common Criteria,
and product security function descriptions that support the requirements.
VID11036 Validation Report, Version 1.0 November 6, 2020
21
The validators reviewed the work of the evaluation team, and found that sufficient evidence and
justification was provided by the evaluation team to confirm that the evaluation was conducted in
accordance with the requirements of the CEM and the PP_MD_V3.1,
MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and PP_WLAN_CLI_EP_V1.0 and
that the conclusion reached by the evaluation team was justified.
Evaluation of the Development Documentation (ADV)
The evaluation team applied each ADV CEM work unit. The evaluation team assessed the
documentation and found it adequate to aid in understanding how the TSF provides the security
functions. The documentation consists of a functional specification contained in the Security
Target and guidance documents.
The validation team reviewed the work of the evaluation team and found that sufficient evidence
and justification was provided by the evaluation team to confirm that the evaluation was
conducted in accordance with the requirements of the CEM, and that the conclusion reached by
the evaluation team was justified.
Evaluation of the Guidance Documents (AGD)
The evaluation team applied each AGD CEM work unit and assurance activity specified in
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0. The evaluation team ensured the adequacy of the user guidance in
describing how to use the operational TOE. Additionally, the evaluation team ensured the
adequacy of the administrator guidance in describing how to securely administer the TOE. Both
the administrator and user guides were assessed during the design and testing phases of the
evaluation to ensure they were complete.
The validation team reviewed the work of the evaluation team, and found that sufficient evidence
and justification was provided by the evaluation team to confirm that the evaluation was
conducted in accordance with the requirements of the CEM and the PP_MD_V3.1,
MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and PP_WLAN_CLI_EP_V1.0 and
that the conclusion reached by the evaluation team was justified.
Evaluation of the Life Cycle Support Activities (ALC)
The evaluation team applied each ALC CEM work unit and assurance activity specified in the
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0. The evaluation team ensured the adequacy of the developer
procedures to protect the TOE and the TOE documentation during TOE development and
maintenance to reduce the risk of the introduction of TOE exploitable vulnerabilities during TOE
development and maintenance. The ALC evaluation also ensured the TOE is identified such that
the consumer can identify the evaluated TOE.
The validators reviewed the work of the evaluation team, and found that sufficient evidence and
justification was provided by the evaluation team to confirm that the evaluation was conducted in
accordance with the requirements of the CEM and the PP_MD_V3.1,
VID11036 Validation Report, Version 1.0 November 6, 2020
22
MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and PP_WLAN_CLI_EP_V1.0 and
that the conclusion reached by the evaluation team was justified.
Evaluation of the Test Documentation and the Test Activity (ATE)
The evaluation team applied each ATE CEM work unit and assurance activity specified in the
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0. The evaluation team ensured that the TOE performed as described in
the design documentation and demonstrated that the TOE enforces the TOE security functional
requirements. The evaluation team performed devised an independent set of tests as mandated by
the protection profile.
The validators reviewed the work of the evaluation team, and found that sufficient evidence and
justification was provided by the evaluation team to confirm that the evaluation was conducted in
accordance with the requirements of the CEM and the PP_MD_V3.1,
MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and PP_WLAN_CLI_EP_V1.0 and
that the conclusion reached by the evaluation team was justified.
Vulnerability Assessment Activity (VAN)
The evaluation team applied each AVA CEM work unit and assurance activity specified in the
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0. The vendor provided security updates to the TOE during the
evaluation, therefore, while the tested version of the TOE did contain vulnerabilities, subsequent
security updates, in line with the guidance provided in Scheme Policy Letter 15, fixed all known
issues. The evaluation team ensured that the currently available version of the TOE does not
contain known exploitable flaws or weaknesses in the TOE based upon the evaluation team’s
vulnerability analysis, and the evaluation team’s performance of penetration tests.
The evaluators searched for publicly known vulnerabilities applicable to iOS using the following
sources. The search was performed on multiple occasions between 2001-01-20 and 2020-02-19,
and again on 2020-03-25, 2020-04-23, 2020-05-22, 2020-06-01, 2020-07-16, 2020-08-05 and
2020-08-12. At the time of the evaluation, iOS and iPadOS are the same code base, therefore
only one OS keyword was used in the vulnerability search.
 Apple security content disclosure statements for releases of iOS 13 and iPadOS 13
related to this evaluation
 MITRE Common Vulnerabilities and Exposures (CVE) List
 NIST National Vulnerability Database (NVD)
using the following search terms:
 ios ipad
 ios iphone
 ios core tls
 ios core crypto
 ios common crypto
VID11036 Validation Report, Version 1.0 November 6, 2020
23
 ios http
 ios https
 ios tcp
 ios ip
 ios bluetooth
 ios ipsec
 ios vpn
 ios mdm
 ios mobile
 ios touchid
 ios faceid
 broadcom wi-fi
The evaluator's CVE search found no vulnerabilities apart from the ones listed in the developer’s
security content disclosure statements, all of which have been fixed in subsequent releases of
iOS/iPadOS.
The validators reviewed the work of the evaluation team, and found that sufficient evidence and
justification was provided by the evaluation team to confirm that the evaluation was conducted in
accordance with the requirements of the CEM and the PP_MD_V3.1,
MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and PP_WLAN_CLI_EP_V1.0 and
that the conclusion reached by the evaluation team was justified.
Summary of Evaluation Results
The evaluation team’s assessment of the evaluation evidence demonstrates that the claims in the
ST are met. Additionally, the evaluation team’s performance of the testing defined by the
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0 and the penetration test also demonstrated the accuracy of the claims
in the ST.
The validator’s assessment of the evidence provided by the evaluation team is that it
demonstrates that the evaluation team followed the procedures defined in the CEM and the
PP_MD_V3.1, MOD_MDM_AGENT_V1.0, and MOD_VPN_CLI_V2.1, and
PP_WLAN_CLI_EP_V1.0 and correctly verified that the product meets the claims in the ST.
10.Validator Comments/Recommendations
The validation team notes that the evaluated configuration is dependent upon the TOE being
configured per the evaluated configuration instructions in the Apple iOS 13 on iPhone and Apple
iPadOS 13 on iPad Mobile Devices Common Criteria Configuration Guide, Version 1.1, 2020-
10-7document. No versions of the TOE and software, either earlier or later were evaluated.
Please note that the functionality evaluated is scoped exclusively to the security functional
requirements specified in the Security Target. Other functionality included in the product was not
assessed as part of this evaluation. Other functionality provided by devices in the operational
VID11036 Validation Report, Version 1.0 November 6, 2020
24
environment, such as the syslog server, need to be assessed separately and no further conclusions
can be drawn about their effectiveness.
11.Annexes
Not applicable.
12.Security Target
Apple iOS 13 on iPhone and iPadOS 13 on iPad Mobile Devices Security Target (ST) Version
1.7, dated 2019-11-10
13.Glossary
The following definitions are used throughout this document.
AA Assurance Activity
AES Advanced Encryption Standard
ARM Advanced RISC Machine
CC Common Criteria
CCEVS Common Criteria Evaluation and Validation Scheme
CDMA Code Division Multiple Access
CCTL Common Criteria Testing Laboratory—An IT security evaluation facility accredited
by the National Voluntary Laboratory Accreditation Program (NVLAP) and
approved by the CCEVS Validation Body to conduct Common Criteria-based
evaluations.
CEM Common Criteria Evaluation Methodology
CPU Central Processing Unit
Conformance The ability to demonstrate in an unambiguous way that a given implementation is
correct with respect to the formal model.
EAP-TLS Extensible Authentication Protocol Transport Layer Security
EC Elliptic Curve
EP Extended Package (for a Protection Profile)
ETR Evaluation Technical Report
Evaluation The assessment of an IT product against the Common Criteria using the Common
Criteria Evaluation Methodology to determine whether or not the claims made are
justified; or the assessment of a protection profile against the Common Criteria
using the Common Evaluation Methodology to determine if the Profile is complete,
consistent, technically sound and hence suitable for use as a statement of
VID11036 Validation Report, Version 1.0 November 6, 2020
25
requirements for one or more TOEs that may be evaluated.
Evaluation Evidence Any tangible resource (information) required from the sponsor or developer by the
evaluator to perform one or more evaluation activities.
GSM Global System for Mobile Communication
HKDF HMAC-based Extract-and-Expand Key Derivation Function
HMAC Keyed-hash Message Authentication Code
IETF Internet Engineering Task Force
IKE Internet Key Exchange
LTE Long-Term Evolution
MDM Mobile Device Management
NIAP National Information Assurance Partnership
NSA National Security Agency
NVLAP National Voluntary Laboratory Assessment Program
PBKDF Password Based Key Derivation Function
PP Protection Profile
REK Root Encryption Key
RFC Request For Comments
SEP Secure Enclave Processor
SFR Security Functional Requirement
ST Security Target
TOE Target of Evaluation—A group of IT products configured as an IT system, or an IT
product, and associated documentation that is the subject of a security evaluation
under the CC.
TLS Transport Layer Security
TSF TOE Security Functionality
Validation The process carried out by the CCEVS Validation Body leading to the issue of a
Common Criteria certificate.
Validation Body A governmental organization responsible for carrying out validation and for
overseeing the day-to-day operation of the NIAP Common Criteria Evaluation and
Validation Scheme.
VPN Virtual Private Network
VR Validation Report
WLAN Wireless Local Area Network
14.Bibliography
The evaluation team used the following documents to produce this Validation Report:
VID11036 Validation Report, Version 1.0 November 6, 2020
26
 Common Criteria for Information Technology Security Evaluation: Part 1: Introduction
and General Model, Version 3.1, Revision 5, April 2017.
 Common Criteria for Information Technology Security Evaluation Part 2: Security
functional components, Version 3.1, Revision 5, April 2017.
 Common Criteria for Information Technology Security Evaluation Part 3: Security
assurance components, Version 3.1 Revision 5, April 2017.
 PP-Configuration for Mobile Device Fundamentals (MDF), Mobile Device Management
(MDM) Agents, and Virtual Private Network (VPN) Clients, Version 1.0, 28 February
2020.
 Protection Profile for Mobile Device Fundamentals, Version 3.1, 16 June 2017.
 PP-Module for MDM Agents, Version 1.0, 25 April 2019.
 PP-Module for VPN Client Version 2.1, 05 October 2017.
 General Purpose Operating Systems Protection Profile / Mobile Device Fundamentals
Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN) Client,
Version 1.0, 08 February 2016.
 Apple iOS 13 on iPhone and Apple iPadOS on iPad Mobile Devices Common Criteria
Configuration Guide, Version 1.1, 2020-10-7.
 Apple iOS 13 on iPhone and Apple iPadOS on iPad Mobile Devices Security Target
Version 1.7, 2020-11-10
 Apple iOS 13 on iPhone and Apple iPadOS 13 on iPad Mobile Devices Assurance
Activity Report, Version 1.4, 2020-11-10