
ISO/IEC 15408

ISO/IEC 15408 is an international standard for evaluating the security attributes of information technology products and systems. It is also commonly known as the Common Criteria (CC). For mobile app developers building solutions in enterprise contexts—such as e-commerce platforms or mobile banking applications—understanding and aligning with Common Criteria is vital for ensuring rigorous security, meeting regulatory requirements, and gaining the trust of enterprise clients and end-users alike.

Overview of ISO/IEC 15408

ISO/IEC 15408 provides a structured framework for specifying security requirements, implementing security functionalities, and verifying that these features are correctly implemented and tested. Initially developed by a consortium of countries to unify disparate national evaluation criteria, it enables consistent and repeatable security evaluations across different technologies and products.

The Structure and Components of ISO/IEC 15408

The ISO/IEC 15408 structure is carefully designed to guide the specification, implementation, and evaluation of security features in IT products. Each component plays a specific role in ensuring that security claims are meaningful and testable.

  • Three-Part Structure: ISO/IEC 15408 is divided into three interrelated parts that collectively define the framework. Part 1, Introduction and General Model, introduces key concepts, terminology, and the overall evaluation process. It outlines how security requirements are derived and how evaluation results are interpreted. Part 2, Security Functional Requirements (SFRs), catalogs a comprehensive set of standardized security functions (e.g., user authentication, access control, cryptographic support). Developers and evaluators select applicable SFRs to define the necessary security behaviors of a product. Part 3, Security Assurance Requirements (SARs), details how confidence in a product’s security can be established through rigorous evaluation. SARs cover development documentation, configuration management, testing strategies, vulnerability assessment, and lifecycle support.
  • Protection Profiles and Security Targets: These components establish the foundation for reusable and product-specific security requirements. A Protection Profile (PP) is a document that specifies implementation-independent security requirements for a class of products, such as mobile device operating systems or secure communication applications. PPs include an analysis of the anticipated threat environment and outline the expected security objectives and functions. A Security Target (ST), on the other hand, is written by the product developer. It defines how a specific product implements the requirements outlined in a PP, or its own custom set of requirements. Evaluators use the ST to guide their assessment; it is tailored to the product’s design and risk context.
  • Evaluation Assurance Levels (EALs): EALs are predefined packages of SARs organized into seven ascending levels of rigor. EAL1 offers basic functional testing suitable for low-assurance applications, while EAL7 demands formal design verification and comprehensive analysis for high-risk or national security systems. Each level defines how in-depth the evaluation must be, encompassing aspects such as code review, design analysis, and testing breadth. EAL selection depends on the security needs of the target environment and the level of trust required.

Understanding the structure and components of ISO/IEC 15408 is essential for developers seeking to build secure systems that withstand formal evaluation. Each part of the standard—from the functional and assurance requirements to the PPs, STs, and EALs—works in concert to provide a scalable, rigorous model for security assurance. Mastery of these elements enables teams to define precise, measurable security goals aligned with industry best practices and compliance mandates.

ISO/IEC 15408’s Relevance to Mobile App Developers in the Enterprise Context

For developers creating mobile applications for large enterprises, ISO/IEC 15408 offers a blueprint for designing security features that align with globally accepted standards. Whether the app handles personally identifiable information (PII) or financial data, or integrates with secure back-end systems, adherence to Common Criteria ensures that the app’s security mechanisms have been designed under formal scrutiny. Enterprise customers, especially in regulated industries, often demand software that aligns with recognized assurance levels to mitigate supply chain risks and meet compliance mandates.

ISO/IEC 15408 in the Context of Mobile Platforms

Mobile operating systems such as Android and iOS have historically undergone Common Criteria evaluations, mainly through Protection Profiles like the Mobile Device Fundamentals Protection Profile (MDFPP) and Application Software Protection Profile (APP PP). Developers building apps atop these platforms benefit when leveraging OS-level security services—such as cryptographic key stores, secure boot, biometric APIs, and sandboxing—since these features are evaluated under the Common Criteria model. Using platform security APIs that are part of a Common Criteria-certified OS helps developers inherit trusted functionality, which can be crucial for apps requiring formal security assurance.

ISO/IEC 15408’s Benefits for Enterprise and Government Adoption

Compliance with ISO/IEC 15408 can be a prerequisite for selling to government agencies or highly regulated industries. Many national cybersecurity authorities and procurement divisions mandate Common Criteria certification for software integrated into sensitive environments. This translates into reduced vendor risk, improved due diligence, and higher confidence in app security for enterprises. Developers who understand these requirements can better architect their apps to support such goals, integrating security design from the ground up rather than retrofitting it in later stages.

Security Target (ST) and How It Guides Development

The Security Target document acts as a contract between the developer and evaluator, defining the app’s specific security objectives, functional requirements, and assurance activities. Developers can use the ST as a roadmap to implement and document controls like access control, secure communication, cryptographic key management, and secure data storage. Aligning the app's design with the ST ensures that developers are not just checking boxes but embedding meaningful and measurable security capabilities into the mobile application.

Evaluation Assurance Levels (EALs) and What They Mean for Developers

EALs provide a graduated scale of evaluation rigor, from EAL1 (functionally tested) to EAL7 (formally verified). While mobile apps rarely seek high-level EALs due to the time and cost involved, EAL2 or EAL3 evaluations are more common and practical for commercial mobile software. For developers, understanding the assurance level expected by the enterprise client or target market helps shape their development process, documentation practices, and testing rigor. Higher EALs require extensive documentation, vulnerability assessments, code review, and structured development methodologies, directly impacting the app's development lifecycle.

Integrating ISO/IEC 15408 with the Secure Software Development Lifecycle (SDLC)

ISO/IEC 15408 complements modern secure SDLC practices by offering a comprehensive method to define and verify security controls. Developers integrating Common Criteria principles can strengthen threat modeling, risk assessment, and secure coding practices. Mapping app functionality to Common Criteria requirements ensures that each feature undergoes formal security scrutiny, including threat mitigation strategies and secure design decisions. This harmonization accelerates security audits and reduces the cost of downstream remediation.

Challenges and Practical Considerations

While the benefits are substantial, aligning mobile app development with ISO/IEC 15408 has challenges. The evaluation process is resource-intensive, requiring deep documentation, alignment with Protection Profiles, and potentially third-party evaluation labs. For agile development teams, this can introduce delays or necessitate process adjustments. Additionally, not all Protection Profiles directly apply to every type of mobile app, requiring developers to interpret and adapt requirements. However, partnering with Common Criteria consultants or leveraging existing certified components (e.g., cryptographic libraries, secure containers) can streamline adoption.

Emerging Trends and Evolving Protection Profiles

The ISO/IEC 15408 framework continues to evolve to address the changing threat landscape and technology innovations. Recent updates to Protection Profiles reflect advances in secure app development, including enhanced requirements for data encryption, runtime protection, anti-tampering mechanisms, and secure communication. There is also a growing emphasis on mobile app protection in untrusted environments—such as BYOD (Bring Your Own Device) settings—where enterprise data resides alongside personal user data. As these profiles mature, they offer developers clearer, more actionable guidance on building robust, enterprise-grade mobile applications.

Conclusion

For mobile app developers targeting enterprise and high-security markets, ISO/IEC 15408 is a foundational standard for defining, implementing, and validating security capabilities. By aligning mobile app architecture and development processes with Common Criteria, developers demonstrate a commitment to global security standards and enhance the app's marketability in regulated and security-sensitive domains. Despite the upfront investment, the long-term returns in trust, compliance, and operational resilience make Common Criteria a strategic asset in the secure mobile application development lifecycle.
