Devices
Prevent firmware downgrades
Summary Devices should have mechanisms that protect their firmware (anti-rollback) from being downgraded. Description Attackers may attempt to exploit vulnerabilities in older firmware versions that have been patched in newer releases. Anti-rollback ...
Schedule firmware updates
Summary Devices should update their own firmware upon a predefined schedule. Description Keeping the firmware up to date can be useful for devices to operate with improved stability and performance, minimizing the likelihood of malfunctions or system ...
Enable trusted execution
Summary Developers should implement and enable trusted execution if it is available on the device's System-on-Chip (SoC) or CPU. Description Enabling and implementing trusted execution, especially when available on the device's System-on-Chip (SoC) ...
Enable memory protection mechanisms
Summary The system should enable memory protection mechanisms, such as ASLR and DEP. Description ASLR and DEP help to mitigate buffer overflow attacks, a common method used by attackers to exploit vulnerabilities in software. Buffer overflows consist ...
Detect rooted devices
Summary Mobile applications must check whether the device on which they will run is rooted. Description Rooting is a process that grants mobile device users privileged control over the device's system. Applications running on such devices are ...
Allow data destruction
Summary The mobile device must allow remote data destruction in case of loss. Description In cases where a mobile devices are lost or stolen, there is a risk that someone could gain access to the data stored on the device. Remote data destruction ...
Allow geographic location
Summary The mobile device must allow remote geographic location in case of loss. Description Allowing geographic location on mobile devices gives the ability to determine the physical location (through geographical coordinates) of the device, without ...
Delete information from mobile devices
Summary The system must delete the information from mobile devices after 10 failed authentication attempts. Description The purpose of this requirement is to mitigate the risk of data exposure in the event that an unauthorized user gains physical ...
Manage passwords in cache
Summary Applications that authenticate offline must only store one password in the authentication cache. Description Applications that limit the authentication cache to store only one password per user adds a security control that is useful to ...
Configure communication protocols
Summary The system must keep mobile devices communication protocols hidden, protected with credentials or turned off. This refers to protocols that allow data exchange such as Bluetooth, NFC and Tethering. Description This is requirement emphasizes ...
Configure PIN
Summary Devices that connect to the mobile network must have a personal identification number (PIN) configured on the SIM card. Description Mobile devices contain sensitive personal and professional data. The SIM card contains identity information, ...