Global initiative to boost consumer confidence in mobile device security

The GSMA has published a framework and supporting documents for a Mobile Device Security Certification Scheme for consumer mobile smartphones. These have been developed in partnership with leading mobile network operators and device manufacturers, with the aim of raising the bar for smartphone security.          

These documents are aligned with and complementary to test specifications developed by ETSI (European Telecommunications Standards Institute). Once in place, the certification scheme can help industry participants verify the security and privacy of smartphones. TrustCB launched the first certification programme that uses the GSMA framework and scheme documents to evaluate the security and privacy of consumer smartphones.

Growing consumer demand for mobile device security information

Consumers increasingly use their smartphones to access ever more personal health, financial, social media and digital identity services. They are also keeping their devices for longer periods, with devices often passing on to multiple owners. This means consumer interest in the security of their mobile devices is increasing, as is awareness around the highly sensitive personal data they contain.

A consumer-focused survey, carried out by YouGov on behalf of the GSMA across 11 markets, shows that mobile device security, privacy and data protection are major considerations for consumers when purchasing a smartphone. It is clear from the survey of 22,000 participants that consumers want device manufacturers not just to ensure their personal data is safe and secure during the initial ownership period, but also to provide assurances that their personal data will remain secure during the device’s entire lifecycle.

According to the survey, there is a strong and growing consumer demand for a trustworthy source of transparent, consistent, and relevant device security information. Consumers want this so they can compare the security of smartphone devices before buying a new device. Consumers are also concerned about how long their devices will be supported by the device manufacturer, to ensure data security for extended ownership periods. At the moment, consumers struggle to make informed security choices when purchasing a new device. Comparison and review sites seldom have access to the information necessary to help consumers from a security perspective, and manufacturers rarely provide security information in a consistent format.

Regulatory push for secure mobile devices

In addition to the security concerns raised by the growth in consumer-driven digital services, there is also a strong push within many public-sector organisations to provide new digital services. For many governments, digitalising these services is considered essential to provide modern public services. Alongside this, the need to process sensitive personal data, coupled with general consumer concerns over data privacy, has led to the emergence of new cybersecurity regulations to ensure that citizens are protected while accessing digital services.

Mobile devices are essential enablers of these digital services, and device security has now become a core part of regulatory strategy. Most notably, the EU Radio Equipment Directive Delegated Act will require many digital products, including smartphones, to undergo some form of mandatory security certification before placement on the market. The EU Cyber Resilience Act, which will come into effect in 2026 and 2027, will have similar requirements.

GSMA accelerating the delivery of industry-led scheme

It was recognised that the GSMA is well placed to help develop the enablers necessary to establish a new industry-led scheme that balances the needs of consumers, regulators and the mobile industry. It has a proven track record of developing security assurance schemes, such as the Security Accreditation Scheme (SAS), eUICC Security Assurance (eSA) scheme and Network Equipment Security Assurance Scheme (NESAS).

The GSMA developed the framework for a new device security certification scheme in order to provide an optimum solution for consumers, device manufacturers and regulators. The key benefits of the proposed scheme framework are:

  • Media, comparison and review sites, and consumer advice and advocacy groups will be able to consume the results of such a scheme and present them as part of the wider array of other product information available to consumers.
  • Device manufacturers will be able to address consumer needs for product security information, boosting demand, and gaining recognition for good security. With a global scheme, they will be able to certify a device once and have that certification recognised in many countries, simplifying product security certification, avoiding unnecessary costs, and using pre-certified sub-components to reduce effort further.
  • Regulators will see devices come to market that comply with their security regulations whilst, at the same time, minimising the downstream cost impact of certification for consumers, and preserving competition in the device and digital services marketplace.
  • Industry can reduce the risk of regulators developing fragmented and conflicting region-specific security requirements that only serve to weaken product security and raise costs to the detriment of the consumer.
  • The scheme finds the right balance between cost and complexity in order to make it agile enough to get products certified ahead of launch while simultaneously reducing the risk that certification would become too prohibitive for the industry to adopt.
  • Regional and national regulators that may not have the resources required to develop and operate a certification scheme can simply reference and adopt a globally recognised scheme.
        

Key objectives for an effective global scheme include:

  • Creation of an objective and clearly defined security benchmark to enable greater transparency – benefitting security-conscious consumers.
  • ‘Raising the bar’ for security across all smartphone manufacturers and devices, appealing to global and national policymakers who are interested in setting security baselines.
  • Satisfying both existing and future regulatory requirements, avoiding security requirement fragmentation, and promoting harmonisation, rooted in a globally supported security baseline.
  • As a minimum, cover encryption, security updates, biometrics, networking and trusted hardware.
  • Leverage existing global security technical specifications and standards, where practical and relevant.

Industry support for the scheme

The GSMA has benefited from industry and government participation in the development of the scheme framework documents with contributions received from device manufacturers, mobile network operators, national bodies, and security labs.

Many participants are looking forward to being able to provide evidence that devices comply with the GSMA and related ETSI specifications:

“We are committed to working with industry and public sector partners to raise the bar for smartphone security and user transparency. This initiative will empower users to make informed purchase decisions by enabling them to assess the security of smartphones, including Google Pixel devices, before purchasing. It will also provide an elevated standard security benchmark for device manufacturers, and serve as a critical resource for policymakers,” said Dave Kleidermacher, Vice President, Product and Engineering, Android and Devices and Services Security & Privacy at Google.

“At OPPO, we understand that the key to enhancing mobile security in a connected world lies in strategic collaboration,” stated Andrew Wang, Director of Mobile Security at OPPO. “Faced with an expansive and diverse global user base, OPPO looks forward to exploring collaboration opportunities with organisations like GSMA and its members. By uniting our strengths, we will be forging a more secure and resilient digital ecosystem for consumers worldwide.”

“Protecting the data security and privacy of our users is a top priority at Xiaomi,” said Kuan Song, Information Security Director, Xiaomi Corporation. “We are committed to offering safe and reliable mobile devices that provide exceptional user experiences. We look forward to adopting a globally recognised, transparent, legible and independent mobile-device security-certification standard – now under development – to help consumers make better-informed security choices when they buy mobile devices.”

“Vivo has always been committed to delivering a secure user experience and striving to enhance the security of user devices. We believe that our collaboration with Google and work being done in GSMA will further strengthen the security and reliability of our services for our users,” said Lu Jinghui, Vivo CSO.

In addition, many mobile operators and reseller partners are looking forward to being able to use this information to help customers in their shopping experience.

“Orange, alongside GSMA and our industry partners, is spearheading the effort to enhance consumer mobile protection through the pioneering introduction of a device security certification scheme. This groundbreaking initiative sets a precedent in our industry, supports Orange’s strategy for device longevity and security, promotes demand for quality devices, and strides ahead of forthcoming EU regulation,” said Philippe Lucas, Executive Vice President, Orange Innovation Devices and Partnerships, Orange.

It’s now time to act

Now is the time for the mobile industry, regulators, consumer groups and standards development organisations to work together to develop a global, unified scheme that meets the requirements of consumers, regulators, and the mobile industry. 

A device security certification scheme has the potential to demonstrate value for mobile device consumers whilst also driving improvements in device security through robust security requirements, thorough testing and increased transparency. The GSMA framework can be used to establish a global certification scheme that satisfies the needs of all stakeholders, averting the emergence of isolated and fragmented national approaches, optimised for agility, with costs amortised over global volumes of devices.

Download more details on the GSMA’s framework for a Mobile Device Security Certification scheme. You can also learn more about the certification programme being run by TrustCB, based on the GSMA-defined framework.