The Samsung Galaxy S III, Note II and Note 10.1 are now undergoing a formal Common Criteria Evaluation by BAE Systems Detica to determine whether they can be used by the Australian Government.
For smartphones to be accepted for use in government, they must first make it to the Evaluated Products List (EPL), overseen by the Defence Signals Directorate, which is soon to be renamed the Australian Signals Directorate.
There are different certification methods that can be used to evaluate a product, and different assurance levels. In this case, Samsung's three devices will be evaluated using the Common Criteria process, to an EAL2 evaluation assurance level.
EAL classifications vary from EAL1 to EAL7, where the EAL1 represents the lowest testing — seeing that the target subject correctly works, with few regards to security; and EAL7 represents devices target subjects that must not fail in extreme high-risk situations.
DSD's definition of EAL2 is one where the subject being evaluated passes "structural" testing consisting of an analysis of its security features, independent black box testing, and a search for obvious vulnerabilities.
The evaluation of Samsung's devices mean that its modified version of Android 4.1.1 will be put to scrutiny. DSD notes that Samsung's version of Android has "modifications made to increase the level of security provided to end users and enterprises" and that if it passes evaluation, it is intended to be used "as part of an enterprise messaging solution providing mobile staff with enterprise connectivity."
It is the first time the Android operating system will be evaluated by DSD, with the only other two evaluated mobile operating systems being Blackberry's OS and Apple's iOS.
While iOS took over a year for the evaluation to take place, it was certified using DSD's Cryptographic Evaluation process. BAE Systems Detica will conduct the evaluation of the Samsung devices and expects the process to take four to six months.