C116 Certification Report
Huawei AppGallery v10.4.0.301
File name: ISCB-5-RPT-C116-CR-V1
Version: v1
Date of document: 15 April 2021
Document classification: PUBLIC
For general inquiry about us or our services,
please email: mycc@cybersecurity.my
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page i of ix
PUBLIC
C116 Certification Report
Huawei AppGallery v10.4.0.301
15 April 2021
ISCB Department
CyberSecurity Malaysia
Level 7, Tower 1,
Menara Cyber Axis, Jalan Impact,
63000 Cyberjaya, Selangor, Malaysia
Tel: +603 8800 7999 Fax: +603 8008 7000
http://www.cybersecurity.my
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page ii of ix
PUBLIC
Document Authorisation
DOCUMENT TITLE: C116 Certification Report
DOCUMENT REFERENCE: ISCB-5-RPT-C116-CR-V1
ISSUE: v1
DATE: 15 April 2021
DISTRIBUTION: UNCONTROLLED COPY - FOR UNLIMITED USE AND
DISTRIBUTION
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page iii of ix
PUBLIC
Copyright Statement
The copyright of this document, which may contain proprietary information, is the
property of CyberSecurity Malaysia.
The document shall be held in safe custody.
©CYBERSECURITY MALAYSIA, 2021
Registered office:
Level 7, Tower 1
Menara Cyber Axis
Jalan Impact
63000 Cyberjaya
Selangor Malaysia
Registered in Malaysia – Company Limited by Guarantee
Company No. 201601006881 (726630-U)
Printed in Malaysia
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page iv of ix
PUBLIC
Foreword
The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme has been
established under the 9th
Malaysian Plan to increase Malaysia’s competitiveness in quality
assurance of information security based on the Common Criteria (CC) standard and to
build consumers’ confidence towards Malaysian information security products.
The MyCC Scheme is operated by CyberSecurity Malaysia and provides a model for licensed
Malaysian Security Evaluation Facilities (MySEFs) to conduct security evaluations of ICT
products, systems and protection profiles against internationally recognised standards.
The results of these evaluations are certified by the Malaysian Common Criteria
Certification Body (MyCB) Unit, a unit established within Information Security Certification
Body (ISCB) Department, CyberSecurity Malaysia.
By awarding a Common Criteria certificate, the MyCB asserts that the product complies
with the security requirements specified in the associated Security Target. A Security
Target is a requirements specification document that defines the scope of the evaluation
activities. The consumer of certified IT products should review the Security Target, in
addition to this certification report, in order to gain an understanding of any assumptions
made during the evaluation, the IT product's intended environment, its security
requirements, and the level of confidence (i.e., the evaluation assurance level) that the
product satisfies the security requirements.
This certification report is associated with the certificate of product evaluation dated
20 April 2021 and the Security Target (Ref [6])The certification report, Certificate of
product evaluation and security target are posted on the MyCC Scheme Certified Product
Register (MyCPR) at www.cybersecurity.my/mycc and the Common Criteria Portal (the
official website of the Common Criteria Recognition Arrangement).
Reproduction of this report is authorised provided the report is reproduced in its entirety.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page v of ix
PUBLIC
Disclaimer
The Information Technology (IT) product identified in this certification report and its
associate certificate has been evaluated at an accredited and licensed evaluation facility
established under the Malaysian Common Criteria Evaluation and Certification (MyCC)
Scheme using the Common Methodology for IT Security Evaluation, version 3.1 revision 5
(Ref [3]), for conformance to the Common Criteria for IT Security Evaluation, version 3.1
revision 5 (Ref [2]). This certification report and its associated certificate apply only to the
specific version and release of the product in its evaluated configuration. The evaluation
has been conducted in accordance with the provisions of the MyCC Scheme and the
conclusions of the evaluation facility in the evaluation technical report are consistent with
the evidence adduced. This certification report and its associated certificate is not an
endorsement of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certification report and its associated certificate, and no
warranty of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page vi of ix
PUBLIC
Document Change Log
RELEASE DATE PAGES
AFFECTED
REMARKS/CHANGE REFERENCE
d1 7 April 2021 All Initial draft
V1 15 April 2021 All Final Release
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page vii of ix
PUBLIC
Executive Summary
The Target of Evaluation (TOE) is Huawei AppGallery v10.4.0.301. The TOE is an official
Huawei product which is a mobile application that has the capability as a mobile
distribution channel for applications. The TOE provides users with a secure portal to buy,
download, install, view list (sort/search), monitor, update and delete all registered third-
party mobile apps inside the Huawei mobile devices. The TOE also enables TOE users
access to all registered 3rd party mobile applications as application distribution platform
with all relevant security features. The TOE provides several security functionalities such
as Identification and Authentication, Security Management and Secure Communication.
The scope of the evaluation is defined by the Security Target (Ref[6]) which identifies
security objectives for the environment, the security functional requirements, and the
evaluation assurance level at which the product is intended to satisfy the security
requirements. Prospective consumers are advised to verify that their operating
environment is consistent with the evaluated configuration, and to give due consideration
to the comments, observations and recommendations in this certification report.
This report confirms the findings of the security evaluation of the TOE to the Common
Criteria (CC) Evaluation Assurance Level 1 (EAL1). This report confirms that the evaluation
was conducted in accordance with the relevant criteria and the requirements of the
Malaysia Common Criteria Evaluation and Certification (MyCC) Scheme (Ref [4]).
The evaluation was performed by CyberSecurity Malaysia MySEF (CSM MySEF) and the
evaluation was completed on 23 March 2021.
The Malaysia Common Criteria Certification Body (MyCB), as the MyCC Scheme Certification
Body, declares that the TOE evaluation meets all the Arrangements on the Recognition of
Common Criteria certificates and the product will be listed in the MyCC Scheme Certified
Products Register (MyCPR) at http://www.cybersecurity.my/mycc and the Common Criteria
portal (the official website of the Common Criteria Recognition Arrangement) at
http://www.commoncriteriaportal.org
It is the responsibility of the user to ensure that Huawei AppGallery v10.4.0.301 meets
their requirements. It is recommended that a potential user of the TOE refer to the Security
Target (Ref [6]) and this Certification Report prior to deciding whether to purchase the
product.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page viii of ix
PUBLIC
Table of Contents
Document Authorisation................................................................................. ii
Copyright Statement ....................................................................................... iii
Foreword............................................................................................................ iv
Disclaimer........................................................................................................... v
Document Change Log.................................................................................... vi
Executive Summary ........................................................................................ vii
Index of Tables................................................................................................. ix
Index of Figures ............................................................................................... ix
1 Target of Evaluation ..................................................................................... 1
1.1 TOE Description .............................................................................................1
1.2 TOE Identification ...............................................................................................2
1.3 Security Policy..................................................................................................3
1.4 TOE Architecture ..............................................................................................3
1.4.1 Logical Boundaries........................................................................3
1.4.2 Physical Boundaries......................................................................4
1.5 Clarification of Scope......................................................................................5
1.6 Assumptions...................................................................................................5
1.7 Evaluated Configuration..................................................................................6
1.8 Delivery Procedures .......................................................................................6
2 Evaluation.......................................................................................... 7
2.1 Evaluation Analysis Activities..........................................................................7
2.1.1 Life-cycle support................................................................................7
2.1.2 Development ........................................................................................7
2.1.3 Guidance documents...........................................................................7
2.1.4 IT Product Testing................................................................................8
3 Result of the Evaluation ............................................................... 13
3.1 Assurance Level Information.........................................................................13
3.2 Recommendation .........................................................................................13
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page ix of ix
PUBLIC
Annex A References .......................................................................................15
A.1 References...................................................................................................15
A.2 Terminology................................................................................................15
A.2.1 Acronyms ....................................................................................................15
A.2.2 Glossary of Terms ......................................................................................16
Index of Tables
Table 1: TOE Identification....................................................................................................... 2
Table 2: Independent Functional Test..................................................................................... 8
Table 3: List of Acronyms .......................................................................................................15
Table 4: Glossary of Terms .....................................................................................................16
Index of Figures
Figure 1 – TOE in Red Box........................................................................................................ 4
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 1 of 17
PUBLIC
1 Target of Evaluation
1.1 TOE Description
1 The Target of Evaluation (TOE) is Huawei AppGallery version 10.4.0.301. The TOE is a
mobile application that equipped with the capability as mobile applications distribution
platform, as official app of Huawei. The TOE also known as Huawei AppGallery features
with assurance of providing secure platform for user to purchase, download, install,
view list (sort/search), monitor, update and remove all registered 3rd party mobile
applications. The TOE user able to use the TOE for other functions such as receiving
reward, managing gift (claim and redeem), writing comment/remark on 3rd party mobile
application page, perform pre-orders and managing wish list.
2 Below are the key features of the TOE:
a) TOE have access to catalogue of carefully selected android apps;
b) Enable security with quad-layer security mechanism that includes Huawei’s unique
security manual verification check and validation;
c) User reward and benefits upon usage of the Huawei AppGallery as mobile application
manager platform;
d) Smart search feature for user experience in exploring all types of mobile application
varieties registered with Huawei, developed by authorised app developer by Huawei;
e) Auto-update applications for all mobile application under management of Huawei
AppGallery via Wi-Fi for optimise mobile application updates; and
f) User experience in application discovery upon different region stores with local
varieties of mobile application for selection.
3 The following list highlights the range of security functions implemented by the TOE:
I. Identification and Authentication
II. Security Management
III. Secure Communication
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 2 of 17
PUBLIC
1.2 TOE Identification
4 The details of the TOE are identified in Table 1: TOE Identification below.
Table 1: TOE Identification
Evaluation Scheme
Malaysian Common Criteria Evaluation and Certification
(MyCC) Scheme
Project Identifier C116
TOE Name Huawei AppGallery
TOE Version V10.4.0.301
Security Target Title Huawei AppGallery Security Target
Security Target Version V1.0
Security Target Date 17 March 2021
Assurance Level Evaluation Assurance Level 1
Criteria
Common Criteria for Information Technology Security
Evaluation, April 2017, Version 3.1, Revision 5 (Ref [2])
Methodology
Common Methodology for Information Technology
Security Evaluation, April 2017, Version 3.1, Revision 5
(Ref [3])
Protection Profile
Conformance
None
Common Criteria
Conformance
CC Part 2 Conformant
CC Part 3 Conformant
Package conformant to EAL 1
Sponsor
Huawei Technologies (Malaysia) Sdn Bhd
Suite 32.01, Level 34, Integra Tower
The Intermark, No 348, Jalan Tun Razak
50400 Kuala Lumpur, Malaysia
Developer
Huawei Technologies (Malaysia) Sdn Bhd
Suite 32.01, Level 34, Integra Tower
The Intermark, No 348, Jalan Tun Razak
50400 Kuala Lumpur, Malaysia
Evaluation Facility
CyberSecurity Malaysia MySEF (CSM MySEF)
Level 7, Tower 1
Menara Cyber Axis
Jalan Impact
63000 Cyberjaya
Selangor Malaysia
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 3 of 17
PUBLIC
1.3 Security Policy
5 There is no organisational security policy defined regarding the use of TOE.
1.4 TOE Architecture
6 The TOE consist of logical and physical boundaries which are described in Section 1.5
of the Security Target (Ref [6]).
1.4.1 Logical Boundaries
7 The logical boundary of the TOE is summarized below.
• Identification & Authentication
The TOE requires that TOE user is successfully identified and authenticated
before any interactions with protected resources (registered APKs) which allow
TOE user to purchase and download the 3rd party mobile applications, reward,
gift and remark, pre-order, wish list and comment notification. Additionally, TOE
user requires to be identified and authenticated (via login into the Huawei
registered account) before accessing the TOE as applications distribution
platform.
• Security Management
The TOE provides security management functions that allow the TOE user to
manage the TOE functions as the following stated below:
a. Purchase, download, and install the paid 3rd party mobile applications(s);
b. Monitor and update the 3rd party mobile application(s) has been notified
by the TOE upon update available;
c. Remove selected 3rd party mobile application(s) selected by TOE user;
d. Receiving rewards;
e. Managing gifts (claim and redeem);
f. Writing comment/remark; and
g. Perform pre-orders
The TOE restricts access to the management functions applicable for the TOE
user with registered account with Huawei.
• Security Management
The TOE is able to protect the user data from disclosure and modification using
a secure communication between TOE and TOE server for mobile APK file
download and updates. If the TOE exit, close or send to background processes
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 4 of 17
PUBLIC
by the underlying operating system, the communication between TOE and TOE
server will be terminated.
1.4.2 Physical Boundaries
8 A typical implementation of the TOE can be found in Figure 1 below, which identifies
the various components of the TOE architecture.
Figure 1 – TOE in Red Box
9 Huawei AppGallery as the TOE is designed specifically for Huawei mobile devices and
Huawei mobile operating system to play role as applications distribution platform for
other mobile application APK file to initiate TOE functions as stated below:
• Purchase, download, and install the paid 3rd party mobile application(s);
• Monitor and update the 3rd party mobile application(s) has been notified by
the TOE upon update available;
• Remove selected 3rd party mobile application(s) selected by TOE user
• Receiving rewards;
• Managing gifts (claim and redeem);
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 5 of 17
PUBLIC
• Writing comment/remark; and
• Perform pre-orders.
10 These TOE functions are secure operates within Huawei mobile device Android operating
system.
11 Aside of operate as applications distribution platform in the Huawei mobile device
Android operating system, the TOE communicates with the TOE server to perform the
following TOE functions as listed above. Whilst, to ensure its secure operating
environment are enforce through continuous usage by the TOE user and ensuring the
3rd party mobile applications are up to date via constant updates. The Huawei back-end
cloud server (also known as TOE server) is not part of the TOE. TOE user able to perform
TOE management functions based on the listed TOE functions listed above.
12 Before the TOE is operates as application distribution platform manager, TOE required
to be identified and authenticated before any relevant actions are allowed by the TOE to
be performed by TOE user on the TOE.
13 Between TOE and TOE server are communicates using secure communication protocols.
The secure communication channel is secured by using international standards or
industry-recognized security protocols that supports the following secure protocols: TLS
v1.0, v1.1, v1.2 and v1.3. Likewise, the TOE also enables secure operations in the
Huawei mobile device Android operating system to ensure all 3rd party mobile
applications managed by the TOE are securely operates within the Android operating
system operational environment.
1.5 Clarification of Scope
14 The TOE is designed to be suitable for use in accordance with user guidance that is
supplied with the product.
15 Section 1.4 of this document describes the scope of the evaluation, which is limited to
those claims made in the Security Target (Ref [6]).
16 Potential consumers of the TOE are advised that some functions and services of the
overall product have not have been evaluated as part of this evaluation. Potential
consumers of the TOE should carefully consider their requirements for using functions
and services outside of the evaluated configuration.
1.6 Assumptions
17 There is no assumptions defined regarding the use of TOE.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 6 of 17
PUBLIC
1.7 Evaluated Configuration
18 The TOE is delivered to the users in its operational state (Mobile Application) and no
additional configuration is required.
1.8 Delivery Procedures
19 Huawei AppGallery is delivered to the customer via pre-installed in Huawei mobile
devices.
20 However for this EAL1 evaluation, TOE Delivery (ALC_DEL) is not included in the scope
of the evaluation. Thus, the evaluators did not verify any TOE delivery process.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 7 of 17
PUBLIC
2 Evaluation
21 The evaluation was conducted in accordance with the requirements of the Common
Criteria, version 3.1 Revision 5 (Ref [2]) and the Common Methodology for IT Security
Evaluation (CEM), version 3.1 Revision 5 (Ref [3]). The evaluation was conducted at
Evaluation Assurance Level 1. The evaluation was performed conformant to the MyCC
Scheme Requirement (MyCC_REQ) (Ref [4]) and ISCB Evaluation Facility Manual
(ISCB_EFM) (Ref [5]).
2.1 Evaluation Analysis Activities
22 The evaluation activities involved a structured evaluation of the TOE, including the
following components:
2.1.1 Life-cycle support
23 An analysis of the TOE configuration management system and associated
documentation was performed. The evaluators found that the configuration items were
clearly and uniquely labelled, and that the access control measures as described in the
configuration management documentation are effective in preventing unauthorised
access to the configuration items. The developer’s configuration management system
was evaluated, and it was found to be consistent with the provided evidence.
2.1.2 Development
24 The evaluators analyzed the TOE functional specification; they determined that the
design completely and accurately describes the TOE security functionality interfaces
(TSFIs), and how the TOE security function (TSF) implements the security functional
requirements (SFRs).
25 The evaluators confirmed that all the requirements for this class were fulfilled and
passed.
2.1.3 Guidance documents
26 The evaluators examined the TOE preparative user guidance and operational user
guidance, and determined that it sufficiently and unambiguously described how to
securely transform the TOE into its evaluated configuration, and how to use and
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 8 of 17
PUBLIC
administer the product in order to fulfil the security objectives for the operational
environment. The evaluators examined and tested the preparative and operative
guidance, and determined that they were complete and sufficiently detailed to result in
a secure configuration.
27 The evaluators confirmed that the TOE guidance was fulfilled all the requirements and
passed for this class.
2.1.4 IT Product Testing
28 Testing at EAL 1 consists of performing independent functional test and conducting
penetration tests. The TOE testing was conducted by CyberSecurity Malaysia MySEF (CSM
MySEF). The detailed testing activities, including configurations, procedures, test cases,
expected results and actual results are documented in a separate Test Plan Report.
2.1.4.1 Independent Functional Testing
29 At EAL 1, independent functional testing is the evaluation conducted by evaluators
based on the information gathered by examining design and guidance documentation,
examining developer’s test documentation, executing a subset of the developer’s test
plan, and creating test cases that are independent of the developer’s tests.
30 All testing was planned and documented to a sufficient level of detail to allow
repeatability of the testing procedures and results. The results of the independent
functional tests were recorded by the evaluators and are consistent with the expected
test results in the test documentation.
Table 2: Independent Functional Test
Test Title
Description
Security
Function
TSFI Results
Test Group A Identification and Authentication
A.1 Registration Process
Require Credentials
This test group
consist of a
series of test
cases on user
registration, user
identification and
authentication.
FIA_ATD.1 Secure
Communication
with TOE Server
and TOE User
Credential
Management
Passed.
A.2 Login Using Email and
Password
FIA_UAU.2
FIA_UID.2
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 9 of 17
PUBLIC
Test Title
Description
Security
Function
TSFI Results
A.3 Login Using Email and
Without Password
FIA_ATD.1
Administrator
3rd Party Mobile
Application
Manager, Secure
Communication
with TOE Server
and TOE User
Credential
Management
A.4 Login Without Email and
Without Password
A.5 Login Using Phone
Number and Verification
Code
A.6 Login Using Phone
Number and without
Verification Code
A.7 Login Without Phone
Number and with Verification
Code
A.8 Login Without Phone
Number and without
Verification Code
A.9 Login Using Phone
Number and wrong
Verification Code
Test Group B Security Management
B.1 Purchase 3rd Party
Mobile
Application – With Login
This test group
consists of a
series of test
cases on TOE
security
functions of how
security
permission and
capability being
managed for
TOE user.
FIA_ATD.1
FIA_UID.2
FIA_UAU.2
FMT_MSA.1
FMT_MSA.3
FMT_SMF.1
FMT SMR.1
FDP_ACC.1
FDP_ACF.1
3rd Party Mobile
Application
Manager, Secure
Communication
with TOE Server
and TOE User
Credential
Management
Passed.
B.2 Download and Install 3rd
Party Mobile Application –
With Login
B.3 Update and Monitor 3rd
Party Mobile Application –
With Login
B.4 View (Sort/Search) 3rd
Party Mobile Application –
With Login
B.5 Remove 3rd Party Mobile
Application – With Login
B.6 Managing Gifts – With
Login
B.7 Access Rewards – With
Login
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 10 of 17
PUBLIC
Test Title
Description
Security
Function
TSFI Results
B.8 Write and View
Comments – With Login
B.9 Perform Pre-Order and
Managing Wish – With Login
B.10 Purchase 3rd Party
Mobile
Application – Without Login
FMT_MSA.1
FMT_MSA.3
FMT_SMF.1
FMT SMR.1
FDP_ACC.1
FDP_ACF.1
3rd Party Mobile
Application
Manager
B.11 Managing Gifts –
Without
Login
B.12 Access Rewards –
Without login
B.13 Write and View
Comments – Without login
B.14 Perform Pre-Order and
Managing Wish – Without
login
B.15 Manage Profile FIA_ATD.1
FIA_UID.2
FIA_UAU.2
FDP_ACC.1
FDP_ACF.1
3rd Party Mobile
Application
Manager, Secure
Communication
with TOE Server
and TOE User
Credential
Management
B.16 Manage Credential
Test Group C Secure Communication
C.1 User Interactive Session
Termination
This test group
consists of a
series of test
cases on secure
communication
between TOE as
mobile
application and
TOE server
manage by TOE
Passed.
C.2 User Interactive Secure
Communication Session
Termination by Closing TOE.
FTA_SSL.4 Secure
Communication
with TOE Server
C.3 User Interactive Secure
Communication Session
Termination using Clear All
function.
FTA_SSL.4
FTP_ITC.1
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 11 of 17
PUBLIC
Test Title
Description
Security
Function
TSFI Results
C.4 User Interactive Secure
Communication Session
Termination using Force
Stop
function.
developer and
the capability of
TOE user to
terminate
his/her
interactive
session.
31 All testing performed by evaluators produced the expected results and as such the TOE
behaved as expected.
2.1.4.2 Vulnerability Analysis
32 The evaluators performed a vulnerability analysis of the TOE in order to identify
potential vulnerabilities in the TOE. This vulnerability analysis considered public domain
sources and an analysis of guidance documentation and functional specification.
33 From the vulnerability analysis, the evaluators conducted penetration testing to
determine that the TOE is resistant to attack performed by an attacker possessing a
basic attack potential. The following factors have been taken into consideration during
penetration tests:
a) Time taken to identify and exploit (elapsed time);
b) Specialist technical expertise required (specialised expertise);
c) Knowledge of the TOE design and operation (knowledge of the TOE);
d) Window of opportunity; and
e) IT hardware/software or other equipment required for exploitation.
2.1.4.3 Vulnerability testing
34 The penetration tests focused on:
a) Attack on TLS Version: Insecure Communication
b) Insecure Application Data Storage: Insecure Data Storage
c) Insecure Disclosure Through Logcat : Insecure Data Storage
35 The result of the penetration testing noted that there is no residual vulnerability found.
However, it is important to ensure that the TOE is use only in its evaluated configuration
and in secure environment as specified in the Security Target (Ref [6]).
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 12 of 17
PUBLIC
2.1.4.4 Testing Results
36 Tests conducted for the TOE produced the expected results and demonstrated that the
product behaved as specified in its Security Target and its functional specification.
Therefore, the certifiers confirmed that all the test conducted were PASSED as expected.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 13 of 17
PUBLIC
3 Result of the Evaluation
37 After due consideration during the oversight of the execution of the evaluation by the
certifiers and of the Evaluation Technical Report (Ref [7]), the Malaysian Common
Criteria Certification Body certifies the evaluation of Huawei AppGallery v10.4.0.301
which is performed by CyberSecurity Malaysia MySEF (CSM MySEF).
38 CyberSecurity Malaysia MySEF (CSM MySEF) found that Huawei AppGallery v10.4.0.301
upholds the claims made in the Security Target (Ref [6]) and supporting documentations,
and has met the requirements of the Common Criteria (CC) Evaluation Assurance Level
1.
39 Certification is not a guarantee that a TOE is completely free of exploitable
vulnerabilities. There will remain a small level of risk that exploitable vulnerabilities
remain undiscovered in its claimed security functionality. The risk is reduced as the
certified level of assurance increases for the TOE.
3.1 Assurance Level Information
40 EAL 1 provides a basic level of assurance by a limited security target and an analysis of
the SFRs in that ST using a functional and interface specification and guidance
documentation, to understand the security behaviour.
41 The analysis is supported by a search for potential vulnerabilities in the public domain
and independent testing (functional and penetration) of the TSF.
42 EAL 1 also provides assurance through unique identification of the TOE and of the
relevant evaluation documents.
43 This EAL provides a meaningful increase in assurance over unevaluated IT.
3.2 Recommendation
44 The Malaysian Certification Body (MyCB) is strongly recommended that:
a) Developer is recommended to ensure that TOE user needs to be identified and
authenticated before able to access the TOE and perform any activities inside the
TOE.
b) Developer is recommended to use latest version of TLS which is TLS1.2 and above,
while, the use of TLS version 1.1 and 1.0 are generally discouraged as suggested by
the NIST Guideline for TLS Implementations.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 14 of 17
PUBLIC
c) Developer is recommended to provide FAQ documentation based on the TOE
version.
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 15 of 17
PUBLIC
Annex A References
A.1 References
[1] Arrangement on the recognition of Common Criteria Certificates in the field of
Information Technology Security, July, 2014.
[2] The Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 5, April 2017.
[3] The Common Methodology for Information Technology Security Evaluation, Version
3.1, Revision 5, April 2017.
[4] MyCC Scheme Requirement (MYCC_REQ), v1, CyberSecurity Malaysia, December 2019.
[5] ISCB Evaluation Facility Manual (ISCB_EFM), v2a, August 2020.
[6] Huawei AppGallery Security Target, Version 1.0, 17 March 2021.
[7] Evaluation Technical Report, Version 1.1, 2 April 2021.
A.2 Terminology
A.2.1 Acronyms
Table 3: List of Acronyms
Acronym Expanded Term
CB Certification Body
CC Common Criteria (ISO/IEC15408)
CEM Common Evaluation Methodology (ISO/IEC 18045)
CCRA Common Criteria Recognition Arrangement
IEC International Electrotechnical Commission
ISO International Organisation for Standardization
ISCB Information Security Certification Body
MyCB Malaysian Common Criteria Certification Body
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 16 of 17
PUBLIC
Acronym Expanded Term
MyCC Malaysian Common Criteria Evaluation and Certification
Scheme
MyCPR MyCC Scheme Certified Products Register
MySEF Malaysian Security Evaluation Facility
PP Protection Profile
ST Security Target
TOE Target of Evaluation
A.2.2 Glossary of Terms
Table 4: Glossary of Terms
Term Definition and Source
CC International
Interpretation
An interpretation of the CC or CEM issued by the CCMB that
is applicable to all CCRA participants.
Certificate The official representation from the CB of the certification of
a specific version of a product to the Common Criteria.
Certification Body An organisation responsible for carrying out certification
and for overseeing the day-today operation of an Evaluation
and Certification Scheme. Source CCRA
Consumer The organisation that uses the certified product within their
infrastructure.
Developer The organisation that develops the product submitted for CC
evaluation and certification.
Evaluation The assessment of an IT product, IT system, or any other
valid target as defined by the scheme, proposed by an
applicant against the standards covered by the scope defined
in its application against the certification criteria specified in
the rules of the scheme. Source CCRA and MS-ISO/IEC Guide
65
PUBLIC
FINAL
C116 Certification Report ISCB-5-RPT-C116-CR-V1
Page 17 of 17
PUBLIC
Term Definition and Source
Evaluation and Certification
Scheme
The systematic organisation of the functions of evaluation
and certification under the authority of a certification body
in order to ensure that high standards of competence and
impartiality are maintained and that consistency is achieved.
Source CCRA.
Interpretation Expert technical judgement, when required, regarding the
meaning or method of application of any technical aspect of
the criteria or the methodology. An interpretation may be
either a national interpretation or a CC international
interpretation.
Certifier The certifier responsible for managing a specific certification
task.
Evaluator The evaluator responsible for managing the technical aspects
of a specific evaluation task.
Maintenance Certificate The update of a Common Criteria certificate to reflect a
specific version of a product that has been maintained under
the MyCC Scheme.
National Interpretation An interpretation of the CC, CEM or MyCC Scheme rules that
is applicable within the MyCC Scheme only.
Security Evaluation Facility An organisation (or business unit of an organisation) that
conducts ICT security evaluation of products and systems
using the CC and CEM in accordance with Evaluation and
Certification Scheme policy
Sponsor The organisation that submits a product for evaluation and
certification under the MyCC Scheme. The sponsor may also
be the developer.
--- END OF DOCUMENT ---