© 2021 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Apple macOS 11 Big Sur: Contacts
Security Target
VID: 11243
Document Version: 1.2
Date: February 2022
Prepared by:
2400 Research Blvd
Suite 395
Rockville, MD 20850
Prepared for:
Apple
One Apple Park Way
Cupertino, CA 95014
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
2
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Revision History
Version Date Changes
1.0 January 2022 Released for Check-Out
1.1 February 2022 Updated to address ECR comments
1.2 February 2022 Added CAVP information
Trademarks
Apple’s trademarks applicable to this document are listed in
https://www.apple.com/legal/intellectual-property/trademark/appletmlist.html.
Other company, product, and service names may be trademarks or service marks of others.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
3
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Contents
1 Introduction........................................................................................................................... 4
1.1 Security Target and TOE Reference ............................................................................. 4
1.2 TOE Overview............................................................................................................... 4
1.3 TOE Description............................................................................................................ 4
1.3.1 Physical Boundaries.................................................................................................. 4
1.3.2 Security Functions Provided by the TOE ...................................................................6
1.3.3 TOE Documentation...................................................................................................6
1.4 TOE Environment...........................................................................................................7
1.5 Product Functionality not Included in the Scope of the Evaluation ...............................7
2 Conformance Claims............................................................................................................. 8
2.1 CC Conformance Claims .............................................................................................. 8
2.2 Protection Profile Conformance ................................................................................... 8
2.3 Conformance Rationale ................................................................................................ 8
2.3.1 Technical Decisions.................................................................................................. 8
3 Security Problem Definition..................................................................................................10
3.1 Threats.........................................................................................................................10
3.2 Assumptions ................................................................................................................10
3.3 Organizational Security Policies ..................................................................................10
4 Security Objectives .............................................................................................................. 11
4.1 Security Objectives for the TOE .................................................................................. 11
4.2 Security Objectives for the Operational Environment .................................................12
5 Security Requirements.........................................................................................................13
5.1 Conventions.................................................................................................................13
5.2 Security Functional Requirements...............................................................................13
5.2.1 Cryptographic Support (FCS)..................................................................................13
5.2.2 Identification and Authentication (FIA) ....................................................................14
5.2.3 User Data Protection (FDP) .....................................................................................15
5.2.4 Security Management (FMT)...................................................................................16
5.2.5 Privacy (FPR) ...........................................................................................................16
5.2.6 Protection of the TSF (FPT) ..................................................................................... 17
5.2.7 Trusted Path/Channel (FTP)....................................................................................18
5.3 Security Assurance Requirements...............................................................................18
5.4 Assurance Measures ...................................................................................................18
6 TOE Summary Specification................................................................................................ 20
6.1 CAVP Algorithm Certificate Details ............................................................................ 23
7 Acronyms ............................................................................................................................ 24
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
4
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
1 Introduction
The Security Target (ST) serves as the basis for the Common Criteria (CC) evaluation and
identifies the Target of Evaluation (TOE), the scope of the evaluation, and the assumptions
made throughout. This document will also describe the intended operational environment of the
TOE, and the functional and assurance requirements that the TOE meets.
1.1 Security Target and TOE Reference
This section provides the information needed to identify and control the TOE and the ST.
Table 1 – TOE/ST Identification
Category Identifier
ST Title Apple macOS 11 Big Sur: Contacts Security Target
VID 11243
ST Version 1.2
ST Date February 2022
ST Author Acumen Security, LLC
TOE Identifier Apple macOS 11 Big Sur: Contacts
TOE Version 13.0
TOE Developer Apple Inc.
Key Words Application
1.2 TOE Overview
The TOE is the Apple Contacts application running on Apple macOS 11 Big Sur. Contacts allows
a user to access and edit contacts from personal, business, and other accounts.
Contacts is a first-party app, bundled with Apple macOS 11 Big Sur. Users can add contacts
manually and/or contacts can be securely synchronized with an external server.
Note: The TOE is the Contacts application only.
1.3 TOE Description
This section provides a general description of the TOE, including physical boundaries, security
functions, and relevant TOE documentation and references.
1.3.1 Physical Boundaries
The TOE does not have a physical boundary, because the TOE is a software application. As
evaluated, the TOE runs on the following physical devices:
Table 2 – Hardware Platforms
Model Name
Marketing Name
Marketing
Model
Model Identifier Processor Security
Chip
MacBook Air
(Retina, 13-inch, 2018)
A1932 MacBookAir8,1 Intel Core i5 8210Y Apple T2
MacBook Air
(Retina, 13-inch, Mid
2019)
A1932 MacBookAir8,2 Intel Core i5 8210Y Apple T2
MacBook Air
(Retina, 13-inch, 2020)
A2179 MacBookAir9,1 Intel Core i5 1030NG7
Intel Core i7 1060NG7
Apple T2
MacBook Air A2337 MacBookAir10,1 Apple M1
MacBook Pro
(15-inch, 2018)
A1990 MacBookPro15,1 Intel Core i7 8750H
Intel Core i7 8850H
Intel Core i9 8950HK
Apple T2
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
5
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Model Name
Marketing Name
Marketing
Model
Model Identifier Processor Security
Chip
MacBook Pro
(15-inch, 2019)
A1990 MacBookPro15,1 Intel Core i7 9750H
Intel Core i7 9880H
Intel Core i9 9980HK
Apple T2
MacBook Pro
(13-inch, 2018, Four
Thunderbolt 3 Ports)
A1989 MacBookPro15,2 Intel Core i5 8259U
Intel Core i7 8559U
Apple T2
MacBook Pro
(13-inch, 2019, Four
Thunderbolt 3 Ports)
A1989 MacBookPro15,2 Intel Core i5 8279U
Intel Core i7 8569U
Apple T2
MacBook Pro
(15-inch, 2018) +Vega
graphics
A1990 MacBookPro15,3 Intel Core i7 8750H
Intel Core i7 8850H
Intel Core i9 8950HK
Apple T2
MacBook Pro
(15-inch, 2019) +Vega
graphics
A1990 MacBookPro15,3 Intel Core i7 9750H
Intel Core i7 9880H
Intel Core i9 9980HK
Apple T2
MacBook Pro
(13-inch, 2019, 2-port)
A2159 MacBookPro15,4 Intel Core i5 8257U
Intel Core i7 8557U
Apple T2
MacBook Pro
(16-inch, 2019)
A2141 MacBookPro16,1 Intel Core i7 9750H
Intel Core i9 9880H
Intel Core i9 9980HK
Apple T2
MacBook Pro
(13-inch, 2020 Four
Thunderbolt 3 ports)
A2251 MacBookPro16,2 Intel Core i5 1038NG7
Intel Core i7 1068NG7
Apple T2
MacBook Pro
(13-inch, 2020 Two
Thunderbolt 3 ports)
A2289 MacBookPro16,3 Intel Core i5 8257U
Intel Core i7 8557U
Apple T2
MacBook Pro
(16-inch, 2019) 5600M
A2141 MacBookPro16,4 Intel Core i7 9750H
Intel Core i9 9880H
Intel Core i9 9980HK
Apple T2
MacBook Pro
(13-Inch, M1, 2020)
A2338 MacBookPro17,1 Apple M1
Mac mini
(Late 2018)
A1993 Macmini8,1 Intel Core i5 8500B
Intel Core i7 8700B
Apple T2
Mac mini A2348 Macmini9,1 Apple M1
iMac
(Retina 5K, 27-inch,
2019)
A2115 iMac19,1 Intel Core i5 8500
Intel Core i5 8600
Intel Core i5 9600K
Intel Core i9 9900K
Apple T2
iMac
(Retina 4K, 21.5-inch,
2019)
A2116 iMac19,2 Intel Core i5 8500
Intel Core i7 8700
Apple T2
iMac
iMac 27-inch (5K,2020)
5700 XT / Navi10)
A2115 iMac20,1 Intel Core i5 10500
Intel Core i5 10600
Intel Core i7 10700K
Intel Core i9 10910
Apple T2
iMac
iMac 27-inch (5K,2020;
5700 XT / Navi10)
A2115 iMac20,2 Intel Core i7 10700K
Intel Core i9 10910
Apple T2
iMac Pro
(2017)
A1862 iMacPro1,1 Intel Xeon W-2140B
Intel Xeon W-2150B
Intel Xeon W-2170B
Intel Xeon W-2190B
Apple T2
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
6
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Model Name
Marketing Name
Marketing
Model
Model Identifier Processor Security
Chip
Mac Pro
(2019)
A1991 MacPro7,1 Intel Xeon W-3223
Intel Xeon W-3235
Intel Xeon W-3245
Intel Xeon W-3265M
Intel Xeon W-3275M
Apple T2
Mac Pro
(2019 Rack)
A2304 MacPro7,1 Intel Xeon W-3223
Intel Xeon W-3235
Intel Xeon W-3245
Intel Xeon W-3265M
Intel Xeon W-3275M
Apple T2
1.3.2 Security Functions Provided by the TOE
The TOE provides the security functions required by the Protection Profile for Application
Software, Version 1.3 (PP_APP_v1.3).
1.3.2.1 Cryptographic Support
The TOE platform provides HTTPS/TLS functionality to securely communicate with trusted
entities. The TOE does not directly perform any cryptographic functions.
1.3.2.2 User Data Protection
The TOE utilizes network and address book access. The TOE uses the camera and photos
library to associate pictures with contacts.
1.3.2.3 Identification and Authentication
The TOE uses platform-provided X.509 certificate validation functions to verify the validity and
revocation status of HTTPS/TLS server certificates.
1.3.2.4 Security Management
The TOE provides the user with the ability to add, delete, and enable/disable accounts.
1.3.2.5 Privacy
The TOE does not request any personal identifying information (PII) with the intent to transmit
the data over the network. However, the TOE will transmit contact information at the request of
the user.
1.3.2.6 Protection of the TSF
The TOE is compatible with all platform-provided security features such as ASLR and
application sandboxing. The TOE is compiled with stack-based overflow protections and does
not include any third-party libraries. The TOE platform also verifies all software updates have
valid digital signatures prior to installing the updates.
1.3.2.7 Trusted Path/Channels
The TOE can establish protected communications using platform-provided TLS/HTTPS.
1.3.3 TOE Documentation
The following documents are essential to understanding and controlling the TOE in the
evaluated configuration:
• [ST] Apple macOS 11 Big Sur: Contacts Security Target, Version 1.2 (This Document)
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
7
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
• [AGD] Apple macOS 11 Big Sur: Contacts Common Criteria Configuration Guide, Version
1.0
1.4 TOE Environment
The following environmental components interoperate with the TOE in the evaluated
configuration:
Table 3 – Environmental Components
Components Description
Hardware Platform See Table 2
Operating System Apple macOS 11 Big Sur
Remote Server (optional) Server for storing and synchronizing contacts
The TOE was tested on version 11.4 of Apple macOS 11 Big Sur.
1.5 Product Functionality not Included in the Scope of the Evaluation
The following product functionality is not included in the CC evaluation:
• None
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
8
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
2 Conformance Claims
This section identifies the TOE conformance claims, conformance rationale, and relevant
Technical Decisions (TDs).
2.1 CC Conformance Claims
The TOE is conformant to the following:
• Common Criteria for Information Technology Security Evaluations Part 1, Version 3.1,
Revision 5, April 2017
• Common Criteria for Information Technology Security Evaluations Part 2, Version 3.1,
Revision 5, April 2017
• Common Criteria for Information Technology Security Evaluations Part 3, Version 3.1,
Revision 5, April 2017
The TOE and ST are Part 2 extended and Part 3 extended.
2.2 Protection Profile Conformance
This ST claims exact conformance to the Protection Profile for Application Software, Version
1.3, March 1, 2019.
2.3 Conformance Rationale
This ST provides exact conformance to PP_APP_v1.3. The security problem definition, security
objectives, and security requirements in this ST are all taken from the Protection Profile (PP),
performing only the operations defined there.
2.3.1 Technical Decisions
All NIAP TDs issued to date and applicable to PP_APP_v1.3 have been considered. Table 4
identifies all applicable TDs.
Table 4 – Relevant Technical Decisions
Technical Decision Applicable
(Y/N)
Exclusion Rationale (if applicable)
TD0416: Correction to FCS_RBG_EXT.1
Test Activity
Yes
TD0427: Reliable Time Source Yes
TD0434: Windows Desktop
Applications Test
No This TD only applies to Windows platforms.
The TOE runs on macOS.
TD0435: Alternative to SELinux for
FPT_AEX_EXT.1.3
No This TD only applies to Linux platforms. The
TOE runs on macOS.
TD0437: Supported Configuration
Mechanism
Yes
TD0445: User Modifiable File Definition Yes
TD0465: Configuration Storage for
.NET Apps
No This TD only applies to Windows platforms.
The TOE runs on macOS.
TD0495: FIA_X509_EXT.1.2 Test
Clarification
Yes
TD0498: Application Software PP
Security Objectives and Requirements
Rationale
Yes
TD0510: Obtaining random bytes for
iOS/macOS
No The TOE does not obtain random bytes
from the platform.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
9
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Technical Decision Applicable
(Y/N)
Exclusion Rationale (if applicable)
TD0515: Use Android APK manifest in
test
No This TD only applies to Android platforms.
The TOE runs on macOS.
TD0519: Linux symbolic links and
FMT_CFG_EXT.1
No This TD only applies to Linux platforms. The
TOE runs on macOS.
TD0543: FMT_MEC_EXT.1 evaluation
activity update
No This TD only applies to Windows platforms.
The TOE runs on macOS.
TD0544: Alternative testing methods
for FPT_AEX_EXT.1.1
Yes
TD0548: Integrity for installation test in
AppSW PP 1.3
Yes
TD0554: iOS/iPadOS/Android AppSW
Virus Scan
Yes
TD0561: Signature Verification Update Yes
TD0582: PP-Configuration for
Application Software and Virtual Private
Network (VPN) Clients now allowed
Yes
TD0598: Expanded AES Modes in
FCS_COP for App PP
No The TOE does not implement AES.
TD0600: Conformance claim sections
updated to allow for MOD_VPNC_V2.3
Yes
TD0601: X.509 SFR Applicability in App
PP
Yes
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
10
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
3 Security Problem Definition
The security problem definition is taken directly from the claimed PP specified in Section 2.2
and is reproduced here for the convenience of the reader. The security problem is described in
terms of the threats that the TOE is expected to address, assumptions about the operational
environment, and any Organizational Security Policies (OSPs) that the TOE is expected to
enforce.
3.1 Threats
The threats included in Table 5 are drawn directly from the PP specified in Section 2.2.
Table 5 – Threats
ID Threat
T.NETWORK_ATTACK An attacker is positioned on a communications
channel or elsewhere on the network infrastructure.
Attackers may engage in communications with the
application software or alter communications
between the application software and other
endpoints in order to compromise it.
T.NETWORK_EAVESDROP An attacker is positioned on a communications
channel or elsewhere on the network infrastructure.
Attackers may monitor and gain access to data
exchanged between the application and other
endpoints.
T.LOCAL_ATTACK An attacker can act through unprivileged software on
the same computing platform on which the
application executes. Attackers may provide
maliciously formatted input to the application in the
form of files or other local communications.
T.PHYSICAL_ACCESS An attacker may try to access sensitive data at rest.
3.2 Assumptions
The assumptions included in Table 6 are drawn directly from the PP.
Table 6 – Assumptions
ID Assumption
A.PLATFORM The TOE relies upon a trustworthy computing
platform with a reliable time clock for its execution.
This includes the underlying platform and whatever
runtime environment it provides to the TOE.
A.PROPER_USER The user of the application software is not willfully
negligent or hostile, and uses the software in
compliance with the applied enterprise security
policy.
A.PROPER_ADMIN The administrator of the application software is not
careless, willfully negligent or hostile, and
administers the software in compliance with the
applied enterprise security policy.
3.3 Organizational Security Policies
The PP does not define any OSPs.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
11
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
4 Security Objectives
The security objectives have been taken directly from the claimed PP and are reproduced here
for the convenience of the reader.
4.1 Security Objectives for the TOE
The security objectives in the following table apply to the TOE.
Table 7 – Security Objectives
ID Security Objectives
O.INTEGRITY Conformant TOEs ensure the integrity of their installation and
update packages, and also leverage execution environment-
based mitigations. Software is seldom, if ever, shipped
without errors. The ability to deploy patches and updates to
fielded software with integrity is critical to enterprise network
security. Processor manufacturers, compiler developers,
execution environment vendors, and operating system
vendors have developed execution environment-based
mitigations that increase the cost to attackers by adding
complexity to the task of compromising systems. Application
software can often take advantage of these mechanisms by
using APIs provided by the runtime environment or by
enabling the mechanism through compiler or linker options.
O.QUALITY To ensure quality of implementation, conformant TOEs
leverage services and APIs provided by the runtime
environment rather than implementing their own versions of
these services and APIs. This is especially important for
cryptographic services and other complex operations such
as file and media parsing. Leveraging this platform behavior
relies upon using only documented and supported APIs.
O.MANAGEMENT To facilitate management by users and the enterprise,
conformant TOEs provide consistent and supported
interfaces for their security-relevant configuration and
maintenance. This includes the deployment of applications
and application updates through the use of platform-
supported deployment mechanisms and formats, as well as
providing mechanisms for configuration. This also includes
providing control to the user regarding disclosure of any PII.
O.PROTECTED_STORAGE To address the issue of loss of confidentiality of user data in
the event of loss of physical control of the storage medium,
conformant TOEs will use data-at-rest protection. This
involves encrypting data and keys stored by the TOE in order
to prevent unauthorized access to this data. This also
includes unnecessary network communications whose
consequence may be the loss of data.
O.PROTECTED_COMMS To address both passive (eavesdropping) and active (packet
modification) network attack threats, conformant TOEs will
use a trusted channel for sensitive data. Sensitive data
includes cryptographic keys, passwords, and any other data
specific to the application that should not be exposed
outside of the application.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
12
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
4.2 Security Objectives for the Operational Environment
Security objectives for the operational environment assist the TOE in correctly providing its
security functionality. These objectives, which are found in the table below, track with the
assumptions about the TOE operational environment.
Table 8 – Security Objectives for the Operational Environment
ID Objectives for the Operational Environment
OE.PLATFORM The TOE relies upon a trustworthy computing
platform for its execution. This includes the
underlying operating system and any discrete
execution environment provided to the TOE.
OE.PROPER_USER The user of the application software is not willfully
negligent or hostile, and uses the software within
compliance of the applied enterprise security policy.
OE.PROPER_ADMIN The administrator of the application software is not
careless, willfully negligent or hostile, and
administers the software within compliance of the
applied enterprise security policy.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
13
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
5 Security Requirements
This section identifies the Security Functional Requirements (SFRs) for the TOE. The SFRs
included in this section are derived from Part 2 of the Common Criteria for Information
Technology Security Evaluation, Version 3.1, Revision 5, April 2017, and all international
interpretations.
Table 9 – SFRs
Requirement Description
FCS_CKM_EXT.1 Cryptographic Key Generation Services
FCS_RBG_EXT.1 Random Bit Generation Services
FCS_STO_EXT.1 Storage of Credentials
FDP_DAR_EXT.1 Encryption of Sensitive Application Data
FDP_DEC_EXT.1 Access to Platform Resources
FDP_NET_EXT.1 Network Communications
FIA_X509_EXT.1 X.509 Certificate Validation
FIA_X509_EXT.2 X.509 Certificate Authentication
FMT_CFG_EXT.1 Secure by Default Configuration
FMT_MEC_EXT.1 Supported Configuration Mechanism
FMT_SMF.1 Specification of Management Functions
FPR_ANO_EXT.1 User Consent for Transmission of Personally Identifiable
Information
FPT_AEX_EXT.1 Anti-Exploitation Capabilities
FPT_API_EXT.1 Use of Supported Services and APIs
FPT_IDV_EXT.1 Software Identification and Versions
FPT_LIB_EXT.1 Use of Third Party Libraries
FPT_TUD_EXT.1 Integrity for Installation and Update
FTP_DIT_EXT.1 Protection of Data in Transit
5.1 Conventions
The CC allows the following types of operations to be performed on the functional
requirements: assignments, selections, refinements, and iterations. The following font
conventions are used within this document to identify operations defined by CC:
• Assignment: Indicated with italicized text;
• Refinement: Indicated with bold text;
• Selection: Indicated with underlined text;
• Iteration: Indicated by appending the iteration identifier in parenthesis, e.g., (1), (2), (3).
• Where operations were completed in the PP, the formatting has been retained.
• Extended SFRs are identified by the addition of “EXT” after the requirement name.
5.2 Security Functional Requirements
This section includes the security functional requirements for this ST.
5.2.1 Cryptographic Support (FCS)
5.2.1.1 FCS_CKM_EXT.1 Cryptographic Key Generation Services
FCS_CKM_EXT.1.1
The application shall [
• generate no asymmetric cryptographic keys,
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
14
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
].
5.2.1.2 FCS_RBG_EXT.1 Random Bit Generation Services
FCS_RBG_EXT.1.1
The application shall [
• use no DRBG functionality,
] for its cryptographic operations.
5.2.1.3 FCS_STO_EXT.1 Storage of Credentials
FCS_STO_EXT.1.1
The application shall [
• invoke the functionality provided by the platform to securely store [account
credentials],
] to non-volatile memory.
5.2.2 Identification and Authentication (FIA)
5.2.2.1 FIA_X509.EXT.1 X.509 Certificate Validation
FIA_X509_EXT.1.1
The application shall [invoke platform provided functionality] to validate certificates in
accordance with the following rules:
• RFC 5280 certificate validation and certificate path validation
• The certificate path must terminate with a trusted CA certificate
• The application shall validate a certificate path by ensuring the presence of the
basicConstraints extension, that the CA flag is set to TRUE for all CA certificates, and
that any path constraints are met
• The application shall validate that any CA certificate includes caSigning purpose in the
key usage field
• The application shall validate the revocation status of the certificate using [an OCSP
TLS Status Request Extension (OCSP stapling) as specified in RFC 6066]
• The application shall validate the extendedKeyUsage (EKU) field according to the
following rules:
o Certificates used for trusted updates and executable code integrity verification
shall have the Code Signing Purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the
extendedKeyUsage field.
o Server certificates presented for TLS shall have the Server Authentication
purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the EKU field.
o Client certificates presented for TLS shall have the Client Authentication purpose
(id-kp 2 with OID 1.3.6.1.5.5.7.3.2) in the EKU field.
o S/MIME certificates presented for email encryption and signature shall have the
Email Protection purpose (id-kp 4 with OID 1.3.6.1.5.5.7.3.4) in the EKU field.
o OCSP certificates presented for OCSP responses shall have the OCSP Signing
purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9) in the EKU field.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
15
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
o Server certificates presented for EST shall have the CMC Registration Authority
(RA) purpose (id-kp-cmcRA with OID 1.3.6.1.5.5.7.3.28) in the EKU field.
Application Note: This SFR has been updated by TD0601.
FIA_X509_EXT.1.2
The application shall treat a certificate as a CA certificate only if the basicConstraints
extension is present and the CA flag is set to TRUE.
5.2.2.2 FIA_X509_EXT.2 X.509 Certificate Authentication
FIA_X509_EXT.2.1
The application shall use X.509v3 certificates as defined by RFC 5280 to support
authentication for [HTTPS, TLS].
Application Note: This SFR has been updated by TD0601.
FIA_X509_EXT.2.2
When the application cannot establish a connection to determine the validity of a certificate,
the application shall [accept the certificate].
5.2.3 User Data Protection (FDP)
5.2.3.1 FDP_DAR_EXT.1 Encryption of Sensitive Application Data
FDP_DAR_EXT.1.1
The application shall [
• leverage platform-provided functionality to encrypt sensitive data,
] in non-volatile memory.
5.2.3.2 FDP_DEC_EXT.1 Access to Platform Resources
FDP_DEC_EXT.1.1
The application shall restrict its access to [
• network connectivity,
• camera,
].
FDP_DEC_EXT.1.2
The application shall restrict its access to [
• address book,
• [photos library]
].
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
16
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
5.2.3.3 FDP_NET_EXT.1 Network Communications
FDP_NET_EXT.1.1
The application shall restrict network communication to [
• user-initiated communication for [updating contacts, adding accounts],
• [synchronization of contacts]
].
5.2.4 Security Management (FMT)
5.2.4.1 FMT_CFG_EXT.1 Secure by Default Configuration
FMT_CFG_EXT.1.1
The application shall provide only enough functionality to set new credentials when configured
with default credentials or no credentials.
FMT_CFG_EXT.1.2
The application shall be configured by default with file permissions which protect the
application binaries and data files from modification by normal unprivileged users.
5.2.4.2 FMT_MEC_EXT.1 Supported Configuration Mechanism
FMT_MEC_EXT.1.1
The application shall [
• invoke the mechanisms recommended by the platform vendor for storing and setting
configuration options.].
5.2.4.3 FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1
The TSF shall be capable of performing the following management functions [
• [Add Account,
• Delete Account, and
• Enable/Disable Account]
].
5.2.5 Privacy (FPR)
5.2.5.1 FPR_ANO_EXT.1 User Consent for Transmission of Personally Identifiable Information
FPR_ANO_EXT.1.1
The application shall [
• not transmit PII over a network,
].
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
17
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
5.2.6 Protection of the TSF (FPT)
5.2.6.1 FPT_AEX_EXT.1 Anti-Exploitation Capabilities
FPT_AEX_EXT.1.1
The application shall not request to map memory at an explicit address except for [no
exceptions].
FPT_AEX_EXT.1.2
The application shall [
• not allocate any memory region with both write and execute permissions ,
].
FPT_AEX_EXT.1.3
The application shall be compatible with security features provided by the platform vendor.
FPT_AEX_EXT.1.4
The application shall not write user-modifiable files to directories that contain executable files
unless explicitly directed by the user to do so.
FPT_AEX_EXT.1.5
The application shall be built with stack-based buffer overflow protection enabled.
5.2.6.2 FPT_API_EXT.1 Use of Supported Services and APIs
FPT_API_EXT.1.1
The application shall use only documented platform APIs.
5.2.6.3 FPT_IDV_EXT.1 Software Identification and Versions
FPT_IDV_EXT.1.1
The application shall be versioned with [[Bundle configuration information (Name, Bundle ID
and version)]].
5.2.6.4 FPT_LIB_EXT.1 Use of Third Party Libraries
FPT_LIB_EXT.1.1
The application shall be packaged with only [no third-party libraries].
5.2.6.5 FPT_TUD_EXT.1 Integrity for Installation and Update
FPT_TUD_EXT.1.1
The application shall [leverage the platform] to check for updates and patches to the
application software.
FPT_TUD_EXT.1.2
The application shall [provide the ability] to query the current version of the application
software.
FPT_TUD_EXT.1.3
The application shall not download, modify, replace or update its own binary code.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
18
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
FPT_TUD_EXT.1.4
Application updates shall be digitally signed such that the application platform can
cryptographically verify them prior to installation.
FPT_TUD_EXT.1.5
The application is distributed [with the platform OS]
5.2.7 Trusted Path/Channel (FTP)
5.2.7.1 FTP_DIT_EXT.1 Protection of Data in Transit
FTP_DIT_EXT.1.1
The application shall [
• invoke platform-provided functionality to encrypt all transmitted data with [HTTPS,
TLS]
] between itself and another trusted IT product.
Application Note: This SFR has been updated by TD0601.
5.3 Security Assurance Requirements
The TOE assurance requirements for this ST are taken directly from the PP, and are derived
from Common Criteria Version 3.1, Revision 5. The assurance requirements are summarized in
Table 10.
Table 10 – Security Assurance Requirements
Assurance Class Assurance
Components
Component Description
Security Target
evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.1 Security objectives for the operational
environment
ASE_REQ.1 Stated security requirements
ASE_SPD.1 Security problem definition
ASE_TSS.1 TOE summary specification
Development ADV_FSP.1 Basic functional specification
Guidance documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Life-cycle support ALC_CMC.1 Labelling of the TOE
ALC_CMS.1 TOE CM coverage
ALC_TSU_EXT.1 Timely Security Updates
Tests ATE_IND.1 Independent testing – conformance
Vulnerability
assessment
AVA_VAN.1 Vulnerability survey
5.4 Assurance Measures
The TOE satisfied the identified assurance requirements. This section identifies the Assurance
Measures applied by Apple to satisfy the assurance requirements. The following table lists the
details.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
19
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Table 11 – TOE Security Assurance Measures
SAR Component How the SAR will be met
ADV_FSP.1 The functional specification describes the external interfaces of the TOE;
such as the means for a user to invoke a service and the corresponding
response of those services. The description includes the interface(s)
that enforces a security functional requirement, the interface(s) that
supports the enforcement of a security functional requirement, and the
interface(s) that does not enforce any security functional requirements.
The interfaces are described in terms of their purpose (general goal of
the interface), method of use (how the interface is to be used),
parameters (explicit inputs to and outputs from an interface that control
the behavior of that interface), parameter descriptions (tells what the
parameter is in some meaningful way), and error messages (identifies
the condition that generated it, what the message is, and the meaning of
any error codes).
AGD_OPE.1 The Administrative Guide provides the descriptions of the processes and
procedures of how the administrative users of the TOE can securely
administer the TOE using the interfaces that provide the features and
functions detailed in the guidance.
AGD_PRE.1 The Installation Guide describes the installation, generation, and startup
procedures so that the users of the TOE can put the components of the
TOE in the evaluated configuration.
ALC_CMC.1 The Configuration Management (CM) documents describe how the
consumer identifies the evaluated TOE. The CM documents identify the
configuration items, how those configuration items are uniquely
identified, and the adequacy of the procedures that are used to control
and track changes that are made to the TOE. This includes details on
what changes are tracked and how potential changes are incorporated.
ALC_CMS.1
ALC_TSU_EXT.1 This component requires the TOE developer, in conjunction with any
other necessary parties, to provide information as to how the end-user
devices are updated to address security issues in a timely manner. The
documentation describes the process of providing updates to the public
from the time a security flaw is reported/discovered, to the time an
update is released. This description includes the parties involved (e.g.,
the developer, carriers(s)) and the steps that are performed (e.g.,
developer testing, carrier testing), including worst case time periods,
before an update is made available to the public.
ATE_IND.1 Apple will provide the TOE for testing.
AVA_VAN.1 Apple will provide the TOE for testing.
FPT_LIB_EXT.1 identifies the third-party software components.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
20
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
6 TOE Summary Specification
This chapter identifies and describes how the Security Requirements identified above are met
by the TOE.
Table 12 – TOE Summary Specification SFR Description
Requirement TSS Description
ALC_TSU_EXT.1 Apple generally does not disclose, discuss, or confirm security issues until a
full investigation is complete and any necessary patches or releases are
available. Once an issue has been confirmed and a patch has been made
available, references containing technical details on the patches are made
available and Common Vulnerabilities and Exposures (CVEs), etc. are
released.
Apple distributes information about security issues in its products through
its “Apple security updates” page. (https://support.apple.com/HT201222)
Security advisories are also provided through the security-announce mailing
list. (https://lists.apple.com/mailman/listinfo/security-announce/)
Potential security vulnerabilities can be reported by following the procedures
on the “Report a security or privacy vulnerability” page
(https://support.apple.com/HT201220). This includes sending an email to
“product-security@apple.com” and includes the ability to encrypt
information using the Apple Product Security PGP key.
(https://support.apple.com/kb/HT201214)
FCS_CKM_EXT.1 The TOE does not perform asymmetric key generation.
FCS_RBG_EXT.1 The TOE does not use DRBG functionality.
FCS_STO_EXT.1 The TOE allows a user to add a remote account. Depending on the type of
account, the TOE stores the username/password or OAUTH token in the
platform-provided Keychain.
FDP_DAR_EXT.1 Contact data is the only data and only sensitive data stored by the TOE. The
underlying platform automatically encrypts all data (including TOE data). The
Operational User Guidance requires the user to enable FileVault 2, so the
encryption is tied to the user’s authentication to the platform.
FDP_DEC_EXT.1 The TOE limits its access to the following hardware resources:
• Network connectivity – synchronizing contacts
• Camera – associating pictures with contacts
The TOE limits its access to the following sensitive information repository:
• Address book – updating the local database of contacts
• Photos Library – associating pictures with contacts
FDP_NET_EXT.1 The TOE communicates on the network based upon user-initiated request to
update contacts or configure a new remote account. The user can also
configure the TOE to periodically synchronize contacts with a remote server.
FIA_X509_EXT.1
FIA_X509_EXT.2
The TOE invokes platform-provided X.509 certificate validation to verify the
validity and revocation status of HTTPS/TLS server certificates. The
platform-provided functionality validates certificates according to the
following rules:
• RFC 5280 certificate validation and certificate path validation
• The certificate path must terminate with a trusted CA certificate
marked as a trust anchor in the user or platform’s keychain.
• All CA certificates contain the basicConstraints extension with the
CA flag is set to TRUE and (if present) path constraints are met.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
21
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Requirement TSS Description
• All CA certificates include the caSigning purpose in the key usage
field.
• Certificate revocation status is checked using OCSP stapling. The
certificate is accepted if it’s revocation status cannot be determined
(i.e., no status is received or the status is “unknown”).
The extendedKeyUsage field is verified to contain the Server Authentication
purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1).
The extendedKeyUsage field for OCSP signing certificates is verified to
contain the OCSP Signing purpose (id-kp 9 with OID 1.3.6.1.5.5.7.3.9.
X.509 certificates are validated during session establishment with an
HTTPS/TLS server. The platform uses the certificates provided by the
HTTPS/TLS server and the certificates in the local trust store to build the
certificate chain.
FMT_CFG_EXT.1 The TOE does not come with any default credentials. The user must
configure an account to enable synchronization of contacts with a remote
server.
The TOE binary is installed in the /System/Applications directory. The
platform prevents non-Administrator users from modifying the contents of
this directory.
The underlying platform ensures that all files in the TOE’s data directories
are not world readable. The TOE’s data directory is ~/Library/Application
Support/AddressBook
FMT_MEC_EXT.1 The TOE stores and retrieves configuration options from platform’s user
defaults system using NSUsersDefaults class.
FMT_SMF.1 The TOE allows the user to add, delete, and enable/disable accounts.
FPR_ANO_EXT.1 The TOE does not request any PII with the intent to transmit the data over
the network. However, the TOE will transmit contact information at the
request of the user. In these cases, the TOE provides a notification when
sharing this information.
Note: This SFR only applies to PII that is specifically requested by the
application.
FPT_AEX_EXT.1 The TOE is compiled with ASLR enabled (achieved by compiling with the -
fPIE flag).
The TOE does not allocate any memory regions with the PROT_EXEC
permission.
The TOE is compatible with the security features provided by the underlying
platform. The TOE executes on macOS without the need to disable the
platform security features.
The TOE writes data to the application working directory and not the
directory containing executable files.
The TOE is compiled with stack-based buffer overflow protection enabled
(achieved by compiling with the -fstack-protector-all flag).
FPT_API_EXT.1 The following platform frameworks are used by the TOE:
• ImageIO.framework
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
22
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Requirement TSS Description
• Accounts.framework
• AddressBook.framework
• AppKit.framework
• Contacts.framework
• CoreData.framework
• CoreFoundation.framework
• CoreGraphics.framework
• CoreSpotlight.framework
• CoreText.framework
• Foundation.framework
• Security.framework
• UIKit.framework
• XCTest.framework
The TOE also uses the following private frameworks:
• AddressBookCore.framework
• AddressBookLegacy.framework
• AppleAccount.framework
• EmailCore.framework
• AppSupport.framework
• AssistantServices.framework
• ContactsDonation.framework
• ContactsFoundation.framework
• ContactsPersistence.framework
• CoreRecents.framework
• CoreSuggestions.framework
• FamilyCircle.framework
• IntlPreferences.framework
• PhoneNumbers.framework
• SAObjects.framework
• TCC.framework
The private frameworks are supported by Apple; however, there is not public
developer documentation because they are only intended for internal use by
Apple.
FPT_IDV_EXT.1 Each macOS application must be distributed in as an Application Bundle.
The Application Bundle includes an Info.plist file containing the following
identifying information: Bundle name, Bundle ID, and Short version string.
For the TOE, these are the following key/value pairs in the Info.plist file:
• Bundle name: Contacts
• Bundle identifier: com.apple.AddressBook
• Short version string: 13.0
FPT_LIB_EXT.1 The TOE does not leverage any third-party libraries. The TOE uses
platform-provided APIs identified in FPT_API_EXT.1 instead of
implementing/including third-party libraries.
FPT_TUD_EXT.1 The TOE is provided within the underlying OS image and packaged as a
signed DMG file. The platform considers the signature authorized if the
certificate used to sign the DMG file chains to the Apple Worldwide
Developer Relations Certification Authority or the Apple Mac Certification
Authority. Updates to the TOE are provided through the underlying OS
updates, and the current version of the TOE can be viewed in the “About
Contacts” window.
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
23
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
Requirement TSS Description
FTP_DIT_EXT.1 All application data is transmitted securely via platform-provided HTTPS and
TLS with Apple servers or other configured servers. The TOE uses the
NSURL class to initiate a synchronization of contacts with the servers. User
credentials are transmitted during the synchronization process.
6.1 CAVP Algorithm Certificate Details
The TOE invokes corecrypto version 11.1 (i.e., platform-provided cryptographic library) for
cryptographic operations. The algorithms implemented in corecrypto have been validated by
CAVP.
Table 13 – CAVP Algorithm Certificate Reference
Cryptographic Operation Certificate
Platform-provided TLS A919
Apple Inc. Apple macOS 11 Big Sur: Contacts Security Target
VID: 11243
24
© 2022 Apple Inc. All rights reserved.
This document may be reproduced and distributed only in its original entirety without revision.
7 Acronyms
Table 14 – Acronyms
Acronym Definition
AES Advanced Encryption Standard
API Application Programming Interface
AppSW Application Software Protection Profile
ASLR Address Space Layout Randomization
CA Certificate Authority
CAVP Cryptographic Algorithm Validation Program
CC Common Criteria
CVE Common Vulnerabilities and Exposures
DRBG Deterministic Random Bit Generator
EKU Extended Key Usage
HMAC Keyed-Hash Message Authentication Code
HTTPS Hypertext Transfer Protocol Secure
IP Internet Protocol
NIAP Nation Information Assurance Partnership
OCSP Online Certificate Status Protocol
OID Object Identifier
OS Operating System
PII Personally Identifiable Information
PP Protection Profile
RFC Request for Comments
RSA Rivest, Shamir, & Adleman
SFR Security Functional Requirement
SHA Secure Hash Algorithm
ST Security Target
TD Technical Decision
TOE Target of Evaluation
TLS Transport Layer Security
TSS TOE Summary Specification
VID Validation Identifier
VPN Virtual Private Network