Today Google announced that the Pixel 4a and Google Pixel 4 (and XL) were the first Android smartphones “to go through ioXt certification against the Android Profile.” That makes the Google Pixel 4a the first smartphone to receive this certification as a “newly launched” device. The Internet of Secure Things Alliance (ioXt) assesses a baseline set of requirements for security, upgradability, and transparency.
The ioXt Android Profile applies to a device that runs Android, qualifies under the GMS certification process (or an equivalent), and passes a number of tests. The tests begin with Automatically Applied Updates.
Automatically Applied Updates covers automatically applied security updates and a published expiration date for security support. The test further grades a phone on whether it offers 2, 3, 4, or more years of security updates guaranteed from launch.
The test checks vulnerability reporting (VDP1, the vulnerability disclosure program test): whether the phone’s maker accepts external submissions, and whether defects are responsibly disclosed to impacted parties who must take action. The test cases for verified software updates (security updates) require at most 95 days between updates; the stricter options are 65 days and 35 days.
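To make the update criteria above concrete, here is an added example (not code from Google, ioXt, or the article) that reads a device’s Android security patch level out of `getprop`-style output and grades it against the cadence tiers the article names (35, 65, or 95 days between security updates) and against a published security-support expiration date. The build property `ro.build.version.security_patch` is the standard Android property for the patch level; the sample property dump, the assessment date, and the support-end date are constructed for the example, and the tier logic is a simplified reading of the article, not the ioXt scoring rules themselves.

```python
"""Grade a device's Android security patch level against the update-cadence
tiers and security-support expiration date described in the article.
Added example; sample data below is constructed, not captured from a device."""
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2020-08-05]
[ro.product.model]: [Pixel 4a]
"""

# Cadence tiers named in the article, strictest first (max days between updates).
CADENCE_TIERS = ((35, "35-day"), (65, "65-day"), (95, "95-day"))


def parse_security_patch(getprop_output: str) -> date:
    """Extract ro.build.version.security_patch (YYYY-MM-DD) as a date."""
    for line in getprop_output.splitlines():
        if line.startswith("[ro.build.version.security_patch]"):
            value = line.split("]: [", 1)[1].rstrip("]")
            return date.fromisoformat(value)
    raise ValueError("ro.build.version.security_patch not found in getprop output")


def days_since_patch(patch_level: date, today: date) -> int:
    """Days elapsed since the patch level the device reports."""
    return (today - patch_level).days


def cadence_tier(days_since: int) -> str:
    """Return the strictest cadence tier the observed gap still satisfies,
    or 'out of cadence' once the gap exceeds the most lenient (95-day) tier."""
    for limit, name in CADENCE_TIERS:
        if days_since <= limit:
            return name
    return "out of cadence"


def support_status(today: date, support_ends: date) -> str:
    """Compare today against the vendor's published security-support expiration date."""
    return "supported" if today <= support_ends else "expired"


def assess(getprop_output: str, today: date, support_ends: date) -> dict:
    """Combine the checks into one report for a device."""
    patch = parse_security_patch(getprop_output)
    gap = days_since_patch(patch, today)
    return {
        "patch_level": patch.isoformat(),
        "days_since_patch": gap,
        "cadence": cadence_tier(gap),
        "support": support_status(today, support_ends),
    }


if __name__ == "__main__":
    # Constructed assessment date and support-end date for the sample.
    print(assess(SAMPLE_GETPROP, date(2020, 9, 10), date(2023, 8, 1)))
```

Running this on a real handset means feeding it the output of `adb shell getprop` and the expiration date the vendor has published; the tiers only tell you how long the device has gone without a verified update, which is the observable a fleet owner can actually check.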
The test checks whether the device uses “no universal passwords”, and checks for FIDO certification or ISO 15408 certification with a Security Target (ST) that selects a false acceptance rate (FAR) no worse than 1:10000. It also checks for preloaded malware and for “no history of confirmed preloaded malware.”
This ioXt certification against the Android Profile requires that the device hold FIPS CAVP algorithm certifications (or the equivalent) for its core system cryptography. Another test case checks whether the device is listed as under evaluation or on the NIAP approved list for Common Criteria MDFPP.
A common theme here, you might have noticed, is that this ioXt certification against the Android Profile checks for certifications from other organizations. It’s almost as if the ioXt is a big list of tests – an assurance that the device you’ve got has been certified by the most important certification groups, for the best-checked security possible.
On the list for the test are the following: Automatically Applied Updates, Security Expiration Date, Vulnerability Reporting Program, Verified Software, No Universal Passwords, Proven Cryptography, Secured Interfaces, and Secured by Default.
Further, the NCC Group has published a security assessment of the Pixel 4, Pixel 4 XL, and the Pixel 4a. Take a peek at the NCC Group audit for said results. The NCC Group is an “authorized lab for the ioXt Alliance.” You’ll see phones and devices of many sorts put through tests aplenty through this and similar labs in the near future.
At the moment, only a few devices are on the approved ioXt device list. They include the Pixel 4 family (4, 4a, 4 XL), as well as the LEEDARSON Tunable White Bulb, SyncUP Pets (T-Mobile), the T-Mobile Home Internet Gateway, the Flyfish Gateway from DSR, nLight ECLYPSE from Acuity Brands, the SyncUP Drive from T-Mobile, and the Thunderboard BG22 Kit from Silicon Labs.