GSMA has designed and specified requirements for industry-developed schemes to certify the security of Mobile Devices. The basis for Mobile Device security is the ETSI TS 103 732 series of Protection Profiles, and the GSMA scheme requirements are described in the GSMA published documents [FS.53], [FS.54], [FS.55] and [FS.56].
Aligning with the GSMA requirements, TrustCB has developed and now operates the TrustCB MDSCert scheme. As scheme owner, TrustCB is responsible for the direction and operations of the Scheme.
The expected TOE-type for the TrustCB MDSCert scheme is a consumer device complying with the ETSI TS 103 732 series. This will typically be a handheld or tablet device produced by a Mobile Device Manufacturer, but may also be a mobile-derived device using a mobile OS, for example a Chromebook or a mobile OS based TV.
The expected security functionality of all devices requesting TrustCB MDSCert certification is as specified in the ETSI TS 103 732 series.
The security baseline assessment and the product evaluations address the following elements of the mobile device:
- Hardware.
- Firmware.
- Operating system.
- Pre-loaded software.
- In-life software updates.
The security surfaces include both physical and logical interfaces.
The following are excluded as they are typically addressed by other existing dedicated schemes:
- 3GPP Mobile Radio interfaces (e.g. 5G RAN).
- UICC and eUICC. eUICC designed in accordance with the GSMA specifications are expected to be certified under the GSMA eSA scheme.
The certification of a Mobile Device applies to the factory specified product. The certification does not apply to:
- Third-party software or applications added (intentionally or unintentionally) post-production, including additions by users and/or supply chain participants (e.g. retail stores, mobile operators, etc.).
- Modifications made to the originally provided software (intentionally or unintentionally), post-production.
- Physical modifications made to the product, post-production.
- Repaired products where such repairs are not carried out using Mobile Device Manufacturer certified parts and by a Mobile Device Manufacturer approved repair facility.
Additionally, the certificate does not apply to user behaviour which has the potential to compromise mobile device security, including:
- Providing passwords or other security credentials to third parties (intentionally or unintentionally).
- Failing to install security-critical updates in a timely manner, or blocking their installation.
- Failing to keep third-party applications up to date.
- Connecting insecure peripherals (e.g. Bluetooth headphones).
- Intentionally or unintentionally granting insecure permissions to applications which were blocked by default in the certified configuration.
- Using the product over insecure / high risk networks (e.g. airport Wi-Fi).
For details of TrustCB’s procedures for this scheme, refer to the MDSCert scheme specific procedure and the TrustCB shared scheme procedures.
Details of the ITSEFs that have been licensed by TrustCB to perform MDSCert evaluations can be found under Labs.