
Information about category Mobile Devices

IT Security Label

Legal basis and Technical Guideline

The IT Security Label is issued on the basis of §9c BSI Act.

The BSI has introduced a product category "Mobile Devices", which applies to stand-alone consumer mobile devices (especially smartphones and tablets).

This category is based on the BSI Technical Guideline TR-03180 A, which in turn builds on the European standard ETSI TS 103 732 and defines basic security requirements for mobile devices. Manufacturers can receive the IT Security Label if they declare conformity of their product with this Technical Guideline.

Note on the application scope

Mobile devices, such as smartphones and tablets, are complex IT systems that can vary greatly depending on the manufacturer, design and personal customisation by the user.

For smartphones and tablets, the label therefore covers only those core elements that are present in the factory state.

These essentially include:

  • Built-in device components (hardware), such as sensors, interfaces, etc.
  • Original operating system and firmware, e.g. Android or iOS, including the associated libraries, drivers, etc.
  • Pre-installed apps that cannot be uninstalled

Not taken into account are:

  • Apps (pre-installed or downloaded) that users can uninstall themselves on the device, and any cloud services associated with them
  • Components that are not built in (e.g. SD card, SIM card)

Assured device properties

The following list provides a simplified overview of the security features of the product category "Mobile Devices".

Detailed descriptions of the mandatory, recommended and conditionally applicable requirements can be found in the underlying BSI Technical Guideline TR-03180 A.

1. Vulnerabilities and security updates

The manufacturer promises to keep its product up to date using secure procedures.

This includes in particular:

  • The manufacturer publishes the duration of the update support.
  • Necessary security updates are shown to users without delay. Installing an update must be simple and possible in just a few steps.
  • Automatic installation of updates must be available, but it is not enforced against the user's wishes.
  • The manufacturer has implemented a vulnerability management process in order to detect and fix vulnerabilities quickly.
  • The manufacturer has published a contact for reporting vulnerabilities.
  • Security updates for the device and for pre-installed apps are provided promptly.
  • Before an update or a new application is installed, technical means are used to verify that the installation package comes from a trusted source and has not been tampered with.
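The last requirement, verifying origin and integrity of an installation package before installing it, is what a signed-manifest check does. The following is an added example, not code from the BSI or from TR-03180 A, and the guideline does not prescribe the primitives: the choice of Ed25519 for the signature, SHA-256 for the per-file digests, the JSON manifest layout and the sample file contents are all assumptions made here. The vendor key is generated on the fly for the demo; on a real device only the public half would exist, pinned in firmware or the verified-boot chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed index of an update package: every file in the
// package and its SHA-256 digest. Only the manifest carries a signature;
// the file contents are bound to it through the digests.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // path -> hex-encoded SHA-256
}

// Package is a constructed stand-in for an OTA or app install archive.
type Package struct {
	ManifestBytes []byte            // canonical manifest JSON, exactly as signed
	Signature     []byte            // Ed25519 signature over ManifestBytes
	Files         map[string][]byte // path -> contents
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid: not from the trusted source, or manifest tampered")
	ErrDigestMismatch = errors.New("file digest mismatch: package contents tampered")
	ErrMissingFile    = errors.New("file listed in manifest is missing from package")
	ErrUnlistedFile   = errors.New("package contains a file not covered by the manifest")
)

// GenerateVendorKey stands in for the vendor's signing key (assumption for
// the demo; a real device only holds the public half).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildPackage is the vendor side: hash every file, then sign the manifest.
func BuildPackage(priv ed25519.PrivateKey, version string, files map[string][]byte) Package {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for path, data := range files {
		sum := sha256.Sum256(data)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	// json.Marshal emits map keys in sorted order, so the signed bytes are canonical.
	mb, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return Package{ManifestBytes: mb, Signature: ed25519.Sign(priv, mb), Files: files}
}

// VerifyPackage is the device side. The signature is checked before the
// manifest is parsed, so unauthenticated bytes are never interpreted; then
// every listed file must match its digest, and no unlisted file may be present.
func VerifyPackage(vendorPub ed25519.PublicKey, pkg Package) error {
	if !ed25519.Verify(vendorPub, pkg.ManifestBytes, pkg.Signature) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(pkg.ManifestBytes, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	for path, want := range m.Files {
		data, ok := pkg.Files[path]
		if !ok {
			return fmt.Errorf("%w: %s", ErrMissingFile, path)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%w: %s", ErrDigestMismatch, path)
		}
	}
	for path := range pkg.Files {
		if _, ok := m.Files[path]; !ok {
			return fmt.Errorf("%w: %s", ErrUnlistedFile, path)
		}
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	files := map[string][]byte{ // constructed sample contents
		"boot.img":   []byte("constructed boot image"),
		"system.img": []byte("constructed system image"),
	}
	pkg := BuildPackage(priv, "2024.09", files)
	fmt.Println("genuine package:", VerifyPackage(pub, pkg)) // <nil>

	tampered := pkg
	tampered.Files = map[string][]byte{
		"boot.img":   []byte("constructed boot image with backdoor"),
		"system.img": files["system.img"],
	}
	fmt.Println("tampered file:", VerifyPackage(pub, tampered)) // ErrDigestMismatch

	otherPub, _ := GenerateVendorKey()
	fmt.Println("wrong vendor key:", VerifyPackage(otherPub, pkg)) // ErrBadSignature
}
```

The ordering in VerifyPackage is the point a practitioner should take from this: the signature check comes first, because a parser running over attacker-controlled bytes is itself attack surface, and the "no unlisted files" pass closes the gap where a package carries extra content the manifest never vouched for.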

2. Data hygiene and data security

The manufacturer guarantees that user data is used sparingly and can be deleted easily. User data required for operation is secured according to the state of the art; in particular, sensitive user data must be adequately protected against access by unauthorised persons.

This includes, among other things:

  • Important user data (e.g. PIN, access credentials, and biometric data such as fingerprints) is stored in a secure area that is separate from the operating system.
  • Users must be able to delete all user data on the device themselves and irrevocably (e.g. by resetting to factory settings).
  • Apps that users have installed themselves must be uninstallable, and uninstalling an app must also delete all of that app's user data.
  • User data is protected with state-of-the-art cryptographic methods: it is encrypted during transmission and stored in encrypted form on the device. Cryptography here protects the data against both manipulation and unauthorised reading.

3. Permission and access management

The manufacturer guarantees that its device has a permission and access management system. This regulates the access of the operating system, apps, interfaces and sensors to user data. Permissions are granted according to what the app actually needs: a flashlight app, for example, is not given access to the phone book.

Access management regulations include, for example:

  • Users must be able to see which app holds which permissions, and must be able to withdraw or change permissions and access rights at any time.
  • Any access by pre-installed apps to, for example, the microphone, camera, NFC or address book must be explicitly authorised by the user.
  • The permission management system defines which data is particularly worthy of protection and under which circumstances it may be accessed. Read and write permissions are always assigned separately.
  • Apps with microphone or camera access may use them only while the user is actively using the app. Use of the microphone and camera must be clearly indicated in the status bar. Apps may not use the camera while running in the background, so that covert recording is prevented.
  • Location tracking services (e.g. via GPS and WiFi) must be individually deactivatable.

4. Interface security

The manufacturer assures that the communication connections of the product are cryptographically secured according to the current state of the art.

The secure use of interfaces includes, among other things:

  • Interfaces (such as Bluetooth, WiFi, mobile radio) and sensors (such as microphones and cameras) must be switchable off. Use of the USB interface for data transfer must be explicitly authorised by the user.
  • Pre-installed applications must communicate in encrypted form.
  • The person using the device must consent to the establishment of Bluetooth, NFC and WiFi connections.
  • Active connections (e.g. WiFi, NFC, LTE) are always shown in the status bar for transparency.

5. Device security/access protection

The manufacturer declares that it has implemented mechanisms to protect the product from unauthorized access.

These include:

  • It must be possible to lock the device with an individual PIN or password. A warning is shown to the user when such a protection mechanism is switched off.
  • The device does not accept passwords or unlock patterns that are too simple.
  • The number of incorrect unlock attempts must be limited to prevent credentials from being guessed. Biometric unlock is deactivated after too many failed attempts.
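The last two requirements (rejecting trivial unlock secrets, limiting failed attempts, disabling biometrics after too many of them) form one small state machine. The following is an added example, not code from the BSI or from TR-03180 A, which sets no concrete numbers. All thresholds are assumptions for the demo: a 6-digit minimum PIN, an escalating wait starting at 30 s after the third failure and doubling up to 30 min, biometric unlock disabled after the fifth wrong PIN or the fifth failed match, and SHA-256 as a stand-in for the hardware-bound key derivation a real device performs in the secure area described in section 2. The clock is injectable so the backoff can be exercised without sleeping.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Policy thresholds: assumptions for this example, not values from TR-03180 A.
const (
	minPINLen          = 6
	backoffAfter       = 3 // failed PIN entries before a wait is enforced
	biometricDisableAt = 5 // failed PIN entries after which biometrics are disabled
	maxBiometricFails  = 5 // failed biometric matches before falling back to the PIN
	baseBackoff        = 30 * time.Second
	maxBackoff         = 30 * time.Minute
)

var (
	ErrTooShort          = errors.New("PIN too short")
	ErrNotDigits         = errors.New("PIN must consist of digits")
	ErrRepeated          = errors.New("PIN is a single repeated digit")
	ErrSequential        = errors.New("PIN is an ascending or descending sequence")
	ErrWrongPIN          = errors.New("wrong PIN")
	ErrLockedOut         = errors.New("too many failed attempts, wait before retrying")
	ErrBiometricNoMatch  = errors.New("biometric did not match")
	ErrBiometricDisabled = errors.New("biometric unlock disabled, enter PIN")
)

// CheckPINStrength rejects the trivially guessable numeric PINs a device
// must refuse. Rules for patterns and passwords would be analogous.
func CheckPINStrength(pin string) error {
	if len(pin) < minPINLen {
		return ErrTooShort
	}
	allSame, asc, desc := true, true, true
	for i := 0; i < len(pin); i++ {
		c := pin[i]
		if c < '0' || c > '9' {
			return ErrNotDigits
		}
		if i == 0 {
			continue
		}
		prev := pin[i-1]
		if c != prev {
			allSame = false
		}
		if c != prev+1 {
			asc = false
		}
		if c != prev-1 {
			desc = false
		}
	}
	switch {
	case allSame:
		return ErrRepeated
	case asc || desc:
		return ErrSequential
	}
	return nil
}

// LockState is the per-device unlock state.
type LockState struct {
	pinHash     [32]byte // demo only: a real device derives this in the secure element
	failures    int
	bioFailures int
	lockedUntil time.Time
	BiometricOK bool             // whether biometric unlock is currently permitted
	Clock       func() time.Time // injectable for tests; defaults to time.Now
}

// NewLockState enrols a PIN, refusing weak ones.
func NewLockState(pin string) (*LockState, error) {
	if err := CheckPINStrength(pin); err != nil {
		return nil, err
	}
	return &LockState{pinHash: sha256.Sum256([]byte(pin)), BiometricOK: true, Clock: time.Now}, nil
}

// Failures reports the current count of consecutive wrong PIN entries.
func (s *LockState) Failures() int { return s.failures }

// TryPIN processes one PIN entry: it refuses attempts inside a backoff
// window (without counting them), counts failures, escalates the wait,
// and disables biometrics once the threshold is reached.
func (s *LockState) TryPIN(pin string) error {
	now := s.Clock()
	if now.Before(s.lockedUntil) {
		return fmt.Errorf("%w (%s remaining)", ErrLockedOut, s.lockedUntil.Sub(now).Round(time.Second))
	}
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], s.pinHash[:]) == 1 {
		s.failures, s.bioFailures = 0, 0
		s.BiometricOK = true // only a correct PIN re-enables biometrics
		return nil
	}
	s.failures++
	if s.failures >= biometricDisableAt {
		s.BiometricOK = false
	}
	if s.failures >= backoffAfter {
		shift := s.failures - backoffAfter
		if shift > 10 {
			shift = 10 // bound the shift; maxBackoff caps the result anyway
		}
		delay := baseBackoff << uint(shift)
		if delay > maxBackoff {
			delay = maxBackoff
		}
		s.lockedUntil = now.Add(delay)
	}
	return ErrWrongPIN
}

// TryBiometric processes one match result from the sensor. Failed matches
// are counted separately and also fall back to the PIN past the threshold.
func (s *LockState) TryBiometric(matched bool) error {
	if !s.BiometricOK {
		return ErrBiometricDisabled
	}
	if matched {
		s.bioFailures = 0
		return nil
	}
	s.bioFailures++
	if s.bioFailures >= maxBiometricFails {
		s.BiometricOK = false
	}
	return ErrBiometricNoMatch
}

func main() {
	s, err := NewLockState("482913") // constructed sample PIN
	if err != nil {
		panic(err)
	}
	for _, guess := range []string{"000000", "111111", "123456"} {
		fmt.Println("guess", guess, "->", s.TryPIN(guess)) // wrong PIN
	}
	fmt.Println("correct PIN during backoff ->", s.TryPIN("482913")) // locked out
	fmt.Println("enrol 123456 ->", CheckPINStrength("123456"))        // sequential
}
```

Two design points worth noting: attempts made during a backoff window are refused without being counted, so an attacker cannot burn through the counter faster than the policy allows, and biometric unlock is never re-enabled by a biometric success, only by the PIN, which is what keeps the fallback path from being weaker than the primary one.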

6. Consumer friendliness and documentation

The manufacturer guarantees to design its device in a user-friendly way in order to make it easier for users to utilize the device in a security-conscious manner.

This includes in particular:

  • Provision of documents and help texts at least in German and English, ideally in significantly more languages.
  • User manuals remain available online for the entire lifecycle of the device and beyond.
  • Clear communication about how long the device will be supported and supplied with updates by the manufacturer, as well as the frequency of updates.