National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme

Validation Report for the Apple iOS 12 Safari on iPhone and iPad

Report Number: CCEVS-VR-VID10960
Dated: June 12, 2019
Version: 1.0

National Institute of Standards and Technology
Information Technology Laboratory
100 Bureau Drive
Gaithersburg, MD 20899

National Security Agency
Information Assurance Directorate
9800 Savage Road STE 6940
Fort George G. Meade, MD 20755-6940

ACKNOWLEDGEMENTS

Validation Team
Kenneth B Stutterheim
Sheldon A Durrant

Common Criteria Testing Laboratory
Kenji Yoshino
Rutwij Kulkarni
Danielle F Canoles
Rodrigo Tapia
Acumen Security, LLC

Table of Contents

1 Executive Summary
2 Identification
3 Architectural Information
4 Security Policy
  4.1 Cryptographic Support
  4.2 User Data Protection
  4.3 Identification and Authentication
  4.4 Security Management
  4.5 Privacy
  4.6 Protection of the TSF
  4.7 Trusted Path/Channels
5 Assumptions, Threats & Clarification of Scope
  5.1 Assumptions
  5.2 Threats
  5.3 Clarification of Scope
6 Documentation
7 TOE Evaluated Configuration
  7.1 Evaluated Configuration
8 IT Product Testing
  8.1 Developer Testing
  8.2 Evaluation Team Independent Testing
  8.3 TOE and Platform Testing Timeframe and Location
9 Results of the Evaluation
  9.1 Evaluation of Security Target
  9.2 Evaluation of Development Documentation
  9.3 Evaluation of Guidance Documents
  9.4 Evaluation of Life Cycle Support Activities
  9.5 Evaluation of Test Documentation and the Test Activity
  9.6 Vulnerability Assessment Activity
  9.7 Summary of Evaluation Results
10 Validator Comments & Recommendations
11 Annexes
12 Security Target
13 Glossary
14 Bibliography

1 Executive Summary

This Validation Report (VR) is intended to assist the end user of this product and any security certification Agent for that end user in determining the suitability of this Information Technology (IT) product for their environment. End users should review the Security Target (ST), which is where specific security claims are made, in conjunction with this VR, which describes how those security claims were tested and evaluated and any restrictions on the evaluated configuration. Prospective users should carefully read the Assumptions and Clarification of Scope in Section 5 and the Validator Comments in Section 10, where any restrictions on the evaluated configuration are highlighted.

This report documents the National Information Assurance Partnership (NIAP) assessment of the evaluation of the Apple iOS 12 Safari Target of Evaluation (TOE). It presents the evaluation results, their justifications, and the conformance results. This VR is not an endorsement of the TOE by any agency of the U.S. Government and no warranty of the TOE is either expressed or implied. This VR applies only to the specific version and configuration of the product as evaluated and documented in the ST.

The evaluation was completed by Acumen Security in June 2019. The information in this report is largely derived from the proprietary Evaluation Technical Report (ETR) and associated test report, all written by Acumen Security as summarized in the Apple iOS 12 Safari Assurance Activity Report. The evaluation determined that the product is both Common Criteria Part 2 Extended and Part 3 Extended, and meets the assurance requirements defined in the Protection Profile for Application Software, version 1.2, dated 22 April 2016 [SWAPP] and Extended Package for Web Browsers, version 2.0, dated 16 June 2015 [WEBBROWSEREP].

The Target of Evaluation (TOE) identified in this Validation Report has been evaluated at a NIAP approved Common Criteria Testing Laboratory using the Common Methodology for IT Security Evaluation (Version 3.1, Rev. 4) for conformance to the Common Criteria for IT Security Evaluation (Version 3.1, Rev. 4), as interpreted by the Assurance Activities contained in the Protection Profile for Application Software, version 1.2, dated 22 April 2016 [SWAPP] and Extended Package for Web Browsers, version 2.0, dated 16 June 2015 [WEBBROWSEREP] in addition to all applicable NIAP technical decisions for the technology. This Validation Report applies only to the specific version of the TOE as evaluated. The evaluation has been conducted in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme and the conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence provided.

The validation team provided guidance on technical issues and evaluation processes and reviewed the individual work units documented in the ETR and the Assurance Activities Report (AAR). The validation team found that the evaluation showed that the product satisfies all of the functional requirements and assurance requirements stated in the Security Target (ST). Based on these findings, the validation team concludes that the testing laboratory's findings are accurate, the conclusions justified, and the conformance results are correct. The conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence produced.

2 Identification

The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs). CCTLs evaluate products against Protection Profiles containing Assurance Activities, which are interpretations of CEM work units specific to the technology described by the PP.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desiring a security evaluation contract with a CCTL and pay a fee for their product's evaluation. Upon successful completion of the evaluation, the product is added to NIAP's Product Compliance List.

The target of evaluation is the Apple iOS 12 Safari, and the associated TOE guidance documentation.

Table 1 provides information needed to completely identify the product, including:
- The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated.
- The Security Target (ST), describing the security features, claims, and assurances of the product.
- The conformance result of the evaluation.
- The Protection Profile(s) to which the product is conformant.
- The organizations and individuals participating in the evaluation.

Table 1 - Identification

Item | Identifier
Evaluation Scheme | United States NIAP Common Criteria Evaluation and Validation Scheme
TOE | Apple iOS 12 Safari on iPhone and iPad
Protection Profile | Protection Profile for Application Software, version 1.2, dated 22 April 2016; Application Software Extended Package for Web Browsers, version 2.0, dated 16 June 2015
Security Target | Apple iOS 12 Safari Security Target Version 1.0
Evaluation Technical Report | VID10960 Assurance Activity Report
CC Version | Version 3.1, Revision 4
Conformance Result | CC Part 2 Extended and CC Part 3 Extended
Sponsor | Apple Inc.
Developer | Apple Inc.
Common Criteria Testing Lab (CCTL) | Acumen Security, Rockville, MD
CCEVS Validators | Sheldon A Durrant, Kenneth B Stutterheim

3 Architectural Information

Note: The following architectural description is based on the description presented in the Security Target.

The TOE is the Apple iOS Safari application which runs on iPad and iPhone devices. The product provides access to HTTPS/TLS connections via a browser for user connectivity. The TOE is the Safari software only. The Apple iOS operating system has been separately validated (VID10937).
The TOE is an application on a mobile operating system. The mobile operating system and hardware platforms are part of the TOE environment. The evaluated version of the TOE is version 12.3.1.

4 Security Policy

The TOE is comprised of several security features, as identified below.
- Cryptography Support
- User Data Protection
- Identification and Authentication
- Security Management
- Privacy
- Protection of the TSF
- Trusted Path/Channels

The TOE provides the security functionality required by [SWAPP] and [WEBBROWSEREP].

4.1 Cryptographic Support

The TOE provides TLS/HTTPS connectivity for users attempting to communicate with secure URLs. The TOE does not directly perform any cryptographic functions. The TOE invokes the iOS platform cryptography for secure credential storage.

4.2 User Data Protection

The TOE requests access to network connectivity, camera, microphone, location services, and address book, and communicates with the wireless network when invoked by the user. The TOE runs inside of a sandbox where each browser tab is isolated. In addition, the TOE supports blocking of third-party cookies and the ‘secure’ attribute.

4.3 Identification and Authentication

All validation of X.509 certificates is performed by the iOS platform that the TOE is running on.

4.4 Security Management

The TOE platform provides the ability to configure the TOE. No credentials are installed by default.

4.5 Privacy

The TOE will transmit contact information at the request of a user. The TOE provides a notification when sharing this information.

4.6 Protection of the TSF

The TOE does not permit automatic downloads. All downloads are at the request of a user and require approval. The TOE does not support add-ons. The only supported mobile code is signed JavaScript. No third-party libraries are leveraged by the TOE. The TOE platform verifies all software updates via digital signature.

4.7 Trusted Path/Channels

The TOE is a software application. The TOE establishes protected communications using HTTPS/TLS.

5 Assumptions, Threats & Clarification of Scope

5.1 Assumptions

The specific conditions listed in the following subsections are assumed to exist in the TOE’s environment. These assumptions include both practical realities in the development of the TOE security requirements and the essential environmental conditions on the use of the TOE.

Table 2 - Assumptions

Assumption | Assumption Definition
A.PLATFORM | The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying platform and whatever runtime environment it provides to the TOE.
A.PROPER_USER | The user of the application software is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy.
A.PROPER_ADMIN | The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

5.2 Threats

The following table lists the threats addressed by the TOE and the IT Environment. The assumed level of expertise of the attacker for all the threats identified below is Enhanced-Basic.

Table 3 - Threats

Threat | Threat Definition
T.NETWORK_ATTACK | An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.
T.NETWORK_EAVESDROP | An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.
T.LOCAL_ATTACK | An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.
T.PHYSICAL_ACCESS | An attacker may try to access sensitive data at rest.
T.FLAWED_ADDON | Web browser functionality can be extended through the integration of third-party utilities and tools. Malicious or vulnerable add-ons could result in attacks against the system. Such attacks can allow unauthorized access to sensitive information in the browser, unauthorized access to the platform's filesystem, or even privilege escalation that enables unauthorized access to other applications or the operating system.
T.SAME-ORIGIN_VIOLATION | Violating the same-origin policy is a specialized type of network attack (covered generally as T.NETWORK_ATTACK in the App PP) which involves web content violating access control policies enforced by a web browser to separate the content of different web domains. It is specifically identified as a threat to web browsers, since they implement the access control policies that are violated in these attacks. Attacks which involve same origin violations include:
  - Insufficient protection of session tokens can lead to session hijacking, where a token is captured and reused in order to gain the privileges of the user who initiated the session.
  - Cross-site scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks are methods used to compromise user credentials (usually by stealing the user's session token) to a web site. These attacks are more likely a result of server security problems, but some browsers incorporate technologies that try to detect the attacks.
  - Inadequate sandboxing of browser windows/tabs or a faulty cross domain communications model can lead to leakage of content from one domain in one window/tab to a different domain in a different window/tab. Such attacks leverage the ability of browsers to display content from multiple domains simultaneously.

5.3 Clarification of Scope

All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying. This text covers some of the more important limitations and clarifications of this evaluation.
Note that:
- As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance. The level of assurance for this evaluation is defined within the Protection Profile for Application Software, version 1.2, dated 22 April 2016 [SWAPP] and the Application Software Extended Package for Web Browsers, version 2.0, dated 16 June 2015 [WEBBROWSEREP].
- Consistent with the expectations of the Protection Profile, this evaluation did not specifically search for, nor seriously attempt to counter, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources.
- The evaluation of security functionality of the product was limited to the functionality specified in the claimed PP and applicable Technical Decisions. Any additional security related functional capabilities that may be included in the product were not covered by this evaluation.

6 Documentation

The following documents were provided by the vendor with the TOE for evaluation:
- Apple iOS 12 Safari Security Target, Version 1.0 [ST]
- Apple iOS 12 Safari on iPhone and iPad Common Criteria Configuration Guide, Version 1.1 [AGD]

Any additional customer documentation provided with the product, or that is available online, was not included in the scope of the evaluation and therefore should not be relied upon when configuring or operating the device as evaluated.

7 TOE Evaluated Configuration

7.1 Evaluated Configuration

The TOE is a web browser application on a mobile operating system. The TOE is the Safari browser application only. The Apple iOS operating system has been separately validated (VID10937). The mobile operating system and hardware platforms are part of the TOE environment. The evaluated version of the TOE is version 12.3.1.
As evaluated, the TOE software runs on the following devices:

Table 4 - Hardware Devices

Device Name | Model | Processor | WiFi | Bluetooth
iPhone XS | A1920, A2097, A2098, A2099, A2100 | A12 Bionic | 802.11a/b/g/n/ac | 5.0
iPhone XS Max | A1921, A2101, A2102, A2103, A2104 | A12 Bionic | 802.11a/b/g/n/ac | 5.0
iPhone XR | A1984, A2105, A2106, A2107, A2108 | A12 Bionic | 802.11a/b/g/n/ac | 5.0
iPhone X | A1901, A1902, A1865 | A11 | 802.11a/b/g/n/ac | 5.0
iPhone 8 Plus / iPhone 8 | A1864, A1897, A1898, A1899 / A1863, A1905, A1906, A1907 | A11 | 802.11a/b/g/n/ac | 5.0
iPhone 7 Plus / iPhone 7 | A1661, A1784, A1785, A1786 / A1660, A1778, A1779, A1780 | A10 | 802.11a/b/g/n/ac | 4.2
iPhone 6S Plus / iPhone 6S | A1634, A1687, A1690, A1699 / A1633, A1688, A1691, A1700 | A9 | 802.11a/b/g/n/ac | 4.2
iPhone SE | A1662, A1723, A1724 | A9 | 802.11a/b/g/n/ac | 4.2
iPhone 6 Plus / iPhone 6 | A1522, A1524, A1593 / A1549, A1586, A1589 | A8 | 802.11a/b/g/n/ac | 4.0
iPad mini 4 | A1538, A1550 | A8 | 802.11a/b/g/n | 4.2
iPad Air 2 | A1566, A1567 | A8X | 802.11a/b/g/n/ac | 4.2
iPad (5th gen) | A1822, A1823 | A9X | 802.11a/b/g/n/ac | 4.2
iPad Pro 12.9” (1st Gen) | A1584, A1652 | A9X | 802.11a/b/g/n/ac | 4.2
iPad Pro 9.7” | A1673, A1674 | A9X | 802.11a/b/g/n/ac | 4.2
iPad Pro 12.9” (2nd Gen) | A1670, A1671 | A10X | 802.11a/b/g/n/ac | 4.2
iPad Pro 10.5” | A1701, A1709 | A10X | 802.11a/b/g/n/ac | 4.2
iPad 9.7” | A1893, A1954 | A10 | 802.11a/b/g/n/ac | 4.2

8 IT Product Testing

This section describes the testing efforts of the developer and the evaluation team. It is derived from information contained in the Apple iOS 12 Safari Evaluation Test Report [ETR], which is not publicly available. The Common Criteria SWAPP and WEBBROWSEREP Assurance Activity Report Apple iOS 12 Safari [AAR] provides an overview of testing and the prescribed assurance activities.

8.1 Developer Testing

No evidence of developer testing is required in the Assurance Activities for this product.

8.2 Evaluation Team Independent Testing

The evaluation team verified the product according to the vendor-provided guidance documentation and ran the tests specified in the Protection Profile for Application Software, version 1.2, dated 22 April 2016 [SWAPP], and the Application Software Extended Package for Web Browsers, version 2.0, dated 16 June 2015 [WEBBROWSEREP]. The Independent Testing activity is documented in the Assurance Activities Report, which is publicly available, and is not duplicated here. Multiple test beds were constructed to exercise the application software capabilities and claimed security functionality.

8.3 TOE and Platform Testing Timeframe and Location

- The TOE specific testing was conducted during the timeframe of October 2018 through January 2019.
- The TOE specific testing was conducted at Acumen Security CCTL located at Rockville, MD and the Apple Inc. facilities located at Reston, VA.
- Platform testing was conducted September 17-21, 2018.
- Platform testing was conducted at Apple Inc. headquarters in Cupertino, CA.

9 Results of the Evaluation

The results of the assurance requirements are generally described in this section and are presented in detail in the proprietary documents: the Detailed Test Report [DTR] and the Apple iOS 12 Safari Evaluation Test Report [ETR] and as summarized in the Common Criteria SWAPP and WEBBROWSEREP Assurance Activity Report Apple iOS 12 Safari [AAR]. The reader of this document can assume that activities and work units received a passing verdict.

A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation was conducted based upon CC version 3.1 rev 4 and CEM version 3.1 rev 4. The evaluation determined the Apple iOS 12 Safari on iPhone and iPad to be Part 2 extended, and met the SARs contained in the PP. Additionally the evaluator performed the Assurance Activities specified in the [SWAPP] and [WEBBROWSEREP].

9.1 Evaluation of Security Target

The evaluation team applied each ASE CEM work unit. The ST evaluation ensured the ST contains a description of the environment in terms of policies and assumptions, a statement of security requirements claimed to be met by the Apple iOS 12 Safari on iPhone and iPad that are consistent with the Common Criteria, and product security function descriptions that support the requirements. Additionally, the evaluator performed an assessment of the Assurance Activities specified in the Protection Profile for Application Software, version 1.2, dated 22 April 2016 [SWAPP] and Extended Package for Web Browsers, version 2.0, dated 16 June 2015 [WEBBROWSEREP].

The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the requirements of the CEM, and that the conclusion reached by the evaluation team was justified.

9.2 Evaluation of Development Documentation

The evaluation team assessed the design documentation and found it adequate to aid in understanding how the TSF provides the security functions. The design documentation consists of a functional specification contained in the Security Target's TOE Summary Specification. Additionally, the evaluator performed the Assurance Activities specified in the [SWAPP] and [WEBBROWSEREP] related to the examination of the information contained in the TOE Summary Specification.

The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the Assurance Activities, and that the conclusion reached by the evaluation team was justified.

9.3 Evaluation of Guidance Documents

The evaluation team ensured the adequacy of the user guidance in describing how to use the operational TOE. Additionally, the evaluation team ensured the adequacy of the administrator guidance in describing how to securely administer the TOE. The guides were assessed during the design and testing phases of the evaluation to ensure they were complete. Additionally, the evaluator performed the Assurance Activities specified in the [SWAPP] and [WEBBROWSEREP] related to the examination of the information contained in the operational guidance documents.

The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the Assurance Activities, and that the conclusion reached by the evaluation team was justified.

9.4 Evaluation of Life Cycle Support Activities

The evaluation team found that the TOE was identified. Additionally, the team verified that both the TOE and its supporting documentation consistently reference the same version and use the same nomenclature. The evaluation team also verified that the vendor website identified the TOE version accurately.

The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation was conducted in accordance with the requirements of the CEM, and that the conclusion reached by the evaluation team was justified.

9.5 Evaluation of Test Documentation and the Test Activity

The evaluation team ran the set of tests specified by the Assurance Activities in the [SWAPP] and [WEBBROWSEREP] and recorded the results in a Test Report, summarized in the Evaluation Technical Report and Assurance Activities Report.

The validators reviewed the work of the evaluation team and found that sufficient evidence was provided by the evaluation team to show that the evaluation activities addressed the test activities in the [SWAPP] and [WEBBROWSEREP], and that the conclusion reached by the evaluation team was justified.

9.6 Vulnerability Assessment Activity

The evaluation team performed a public search for vulnerabilities on January 25, 2019, performed vulnerability testing and did not discover any issues with the TOE. The following sources of public vulnerability information were searched:
- General web search (Google)
- http://nvd.nist.gov/
- https://www.exploit-db.com/search
- http://www.securityfocus.com
- https://support.apple.com/en-us/HT209106
- https://support.apple.com/en-us/HT209192

The search terms used included:
- Apple iOS Safari
- Webkit
- Apple Framework

The search returned applicable vulnerabilities, so the TOE was updated to version 12.1.4, which fixed the publicly known vulnerabilities.

A follow-up vulnerability search was performed on March 1, 2019. Version 12.1.4 is the latest version of the TOE, and the vendor “reserves” all CVE descriptions until an update is available. For this reason, the updated vulnerability search focused on public web searches for potentially irresponsibly disclosed zero-day exploits. The evaluator searched the Internet for potential vulnerabilities in the TOE using the web sites listed below. The sources of the publicly available information are provided below.
- www.securityfocus.com recent Apple vulnerabilities
- General web search (exploit, vulnerability, and zero day were appended to the search term) for:
  - iOS 12.1.4
  - Safari 12.1.4
- https://www.exploit-db.com/search iOS vulnerabilities for:
  - Webkit
  - Safari

The evaluator selected the search keywords based upon the following criteria.
- The product name was searched,
- Key platform features the product leverages were searched
- Focus on irresponsibly disclosed exploits

The search returned no applicable vulnerabilities.

A final vulnerability search was performed on June 4, 2019. Version 12.3.1 is the latest version of the TOE, and the vendor “reserves” all CVE descriptions until an update is available. For this reason, the updated vulnerability search focused on public web searches for potentially irresponsibly disclosed zero-day exploits.
The evaluator searched the Internet for potential vulnerabilities in the TOE using the web sites listed below. The sources of the publicly available information are provided below.
- www.securityfocus.com recent Apple vulnerabilities
- General web search (exploit, vulnerability, and zero day were appended to the search term) for:
  - iOS 12.3.1
  - Safari 12.3.1
- https://www.exploit-db.com/search iOS vulnerabilities for:
  - Webkit
  - Safari

The evaluator selected the search keywords based upon the following criteria.
- The product name was searched,
- Key platform features the product leverages were searched
- Focus on irresponsibly disclosed exploits

The search returned no applicable vulnerabilities.

The validators reviewed the work of the evaluation team and found that sufficient evidence and justification was provided by the evaluation team to confirm that the evaluation addressed the vulnerability analysis Assurance Activities in the [SWAPP] and [WEBBROWSEREP], and that the conclusion reached by the evaluation team was justified.

9.7 Summary of Evaluation Results

The evaluation team's assessment of the evaluation evidence demonstrates that the claims in the ST are met. Additionally, the evaluation team's test activities also demonstrated the accuracy of the claims in the ST.

The validation team's assessment of the evidence provided by the evaluation team is that it demonstrates that the evaluation team performed the Assurance Activities in the [SWAPP] and [WEBBROWSEREP], and correctly verified that the product meets the claims in the ST.

10 Validator Comments & Recommendations

There are no additional Validator comments.

11 Annexes

Not applicable.

12 Security Target

Please see the Apple iOS 12 Safari Security Target, Version 1.0 [ST].

13 Glossary

The following definitions are used throughout this document:
- Common Criteria Testing Laboratory (CCTL). An IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the CCEVS Validation Body to conduct Common Criteria-based evaluations.
- Conformance. The ability to demonstrate in an unambiguous way that a given implementation is correct with respect to the formal model.
- Evaluation. The assessment of an IT product against the Common Criteria using the Common Criteria Evaluation Methodology to determine whether or not the claims made are justified; or the assessment of a protection profile against the Common Criteria using the Common Evaluation Methodology to determine if the Profile is complete, consistent, technically sound and hence suitable for use as a statement of requirements for one or more TOEs that may be evaluated.
- Evaluation Evidence. Any tangible resource (information) required from the sponsor or developer by the evaluator to perform one or more evaluation activities.
- Feature. Part of a product that is either included with the product or can be ordered separately.
- Target of Evaluation (TOE). A group of IT products configured as an IT system, or an IT product, and associated documentation that is the subject of a security evaluation under the CC.
- Validation. The process carried out by the CCEVS Validation Body leading to the issue of a Common Criteria certificate.
- Validation Body. A governmental organization responsible for carrying out validation and for overseeing the day-to-day operation of the NIAP Common Criteria Evaluation and Validation Scheme.

14 Bibliography

The Validation Team used the following documents to produce this Validation Report:
- Common Criteria for Information Technology Security Evaluation - Part 1: Introduction and general model, Version 3.1 Revision 4.
- Common Criteria for Information Technology Security Evaluation - Part 2: Security functional requirements, Version 3.1 Revision 4.
- Common Criteria for Information Technology Security Evaluation - Part 3: Security assurance requirements, Version 3.1 Revision 4.
- Common Evaluation Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4.
- Apple iOS 12 Safari Security Target, Version 1.0 [ST]
- Protection Profile for Application Software, version 1.2, dated 22 April 2016 [SWAPP]
- Extended Package for Web Browsers, version 2.0, dated 16 June 2015 [WEBBROWSEREP]
- Common Criteria SWAPP and WEBBROWSEREP Assurance Activity Report Apple iOS 12 Safari, Version 1.0 [AAR]
- Apple iOS 12 Safari on iPhone and iPad Common Criteria Configuration Guide, version 1.1 [AGD]