The Federal Office for Information Security (BSI) has published a requirements catalog under which smartphone manufacturers are expected to commit to certain security criteria for their hardware. With these requirements, the BSI wants to ensure a higher level of consumer protection.
The Office writes in an official press release:
"In recent years, smartphones have become the control center through which we control and handle more and more everyday processes. (…) Consumers should be able to rely on the fact that a smartphone already contains basic IT security when it is purchased, so that they can use the possibilities of digitization as smoothly as possible. Manufacturers and OEMs are therefore called upon to make the devices as safe as possible, right from the start and over a certain period of use."
The BSI's requirements catalog accordingly contains concrete measures and criteria, which can be grouped under three general headings: keeping devices up to date, protection against unauthorized access, and data protection:
- Manufacturers must disclose the number of years of support as well as the number of version updates released when a model is launched.
- Devices must receive security updates for at least five years, and each update must be released within one month.
- Smartphones must offer at least one of the following lock mechanisms: alphanumeric password, fingerprint, facial recognition, or another biometric scan.
- The internal memory must be fully encrypted, and a secure encryption option must exist for SD cards.
- The manufacturers may only install system-relevant apps on the system partition.
- Manufacturers may only collect telemetry data with the express consent of the user.
- Users must be able to switch off interfaces such as WLAN.
Manufacturers are lagging behind in security updates
As t3n reports, manufacturers of Android smartphones currently meet these criteria to very different degrees. There is a lot of catching up to do when it comes to supplying security updates, which manufacturers currently provide for a maximum of three years.
It remains to be seen whether and to what extent the BSI can actually put its catalog of requirements into effect. So far, the Office has only referred to the criteria as "the starting point for a public discourse with manufacturers and original equipment manufacturers (OEM), network operators and civil society".