Telecommunication

Mobile Device Security Certification (MDSCert)

Consult our experts. We are happy to support you.

Contact Us

The GSMA Mobile Device Security Certification (MDSCert) Scheme provides a robust framework for evaluating and certifying the security of mobile devices.

Mobile devices are evaluated against the relevant GSMA MDSCert Security Requirements, which are based on the ETSI Consumer Mobile Device Protection Profile (ETSI TS 103 732 series).

The MDSCert Scheme defines a set of security requirements:

  • Cryptography
  • Updates
  • Preloaded applications and permissions
  • Authentication
  • User and privacy settings
  • Device integrity
  • Connectivity
  • Vulnerability remediation and patching
  • Device lifecycle
  • Device bootloader
  • Device security configuration
  • OTA client and updates
  • Device signing keys

The MDSCert Scheme also defines three security assurance levels:

  • Security Assurance Level 1 (Verified Self-Assessment)
  • Security Assurance Level 2 (Functional Test + Documentation Review)
  • Security Assurance Level 3 (Level 2 + Penetration Test)

Authoritative websites:

TrustCB’s Website

โ†’

TrustCB’s MDSCert Page

โ†’

FS.53 Mobile Device Certification Scheme

โ†’

FS.54 Mobile Device Security Certification Scheme โ€“ Security Test Laboratory Accreditation

โ†’

FS.55 Mobile Device Security Certification Scheme โ€“ Evaluation Methodology

โ†’

What atsec offers:

atsec is an authorized lab for performing Mobile Device Evaluations under the TrustCB scheme. MDSCert scheme evaluations involve four key stages:

1. Preparation Stage

During this stage, the Mobile Device Manufacturer:

  • Selects the device(s) for evaluation and the desired Security Assurance Level.
  • Submits an application form to TrustCB to initiate the process.
  • For higher assurance levels (Level 2/Level 3), coordinates a timeline for evaluation activities with the lab.

2. Submission Stage

The Mobile Device Manufacturer prepares and submits the required documentation and evidence to the lab, including:

  • A completed questionnaire.
  • Additional evidence and documentation based on the targeted Security Assurance Level.
  • Security certificates for relevant components or the entire product.
  • Justifications for product similarities and historical certification evidence for reuse.
  • For Level 2/Level 3, physical product samples for testing.

3. Evaluation Stage

The lab conducts a detailed evaluation based on the targeted Security Assurance Level:

  • Reviews the questionnaire for completeness and accuracy.
  • For Level 2/Level 3, performs functional testing on physical devices to validate Mobile Device Manufacturer claims and reviews documentation to verify non-technical requirements (e.g., security lifecycle).
  • For Level 3, conducts penetration testing to evaluate resistance to basic attack potential (AVA_VAN.2).
  • Prepares and reports results according to the MDSCert Product Evaluation Methodology (FS.55).

4. Certification Stage

TrustCB reviews the evaluation results and the testing methods applied by the lab. Upon approval, TrustCB prepares a Certification Report including the Certification Result (pass or fail), which is delivered to the Mobile Device Manufacturer and the lab.

Why our services are important to you:

atsecโ€™s MDSCert portfolio encompasses the entirety of the MDSCert certification process. We provide the following services:

  • Conducting product evaluations at security assurance level Level 1 – Level 3
  • Performing a readiness assessment to estimate the level of effort required to successfully comply with MDSCert evaluation

Still have questions?

Can’t find what you’re looking for? Let’s talk!

Contact Us โ†’

Common Criteria Evaluation

The Common Criteria (CC), also known as ISO 15408, is an internationally recognized standard used to specify and assess the security of IT products.

Learn More

Cryptographic Algorithm Testing

Testing that cryptographic algorithms are implemented correctly is a prerequisite for FIPS 140-3 cryptographic module testing and NIAP Common Criteria evaluations.

Learn More

FIPS 140-3 Testing

FIPS 140-3 specifies requirements related to securely designing and implementing cryptographic modules, and compliance is increasingly mandatory worldwide.

Learn More

The Information Security Provider

Read Our Latest Blog Articles

Learn the latest and greatest about information security. Youโ€™ll find insights and analyses of recent developments in technology and policy on our blog.