GlobalPlatform Enhances Security Certification Process for Secure Mobile Apps

GlobalPlatform said that it has advanced its composition model, which streamlines the security evaluation of near-field communication (NFC) contactless mobile applications, and that the enhancements would be of particular interest to mobile application and product issuers, such as mobile network operators (MNOs) and financial institutions.

The international organisation for standardising the management of applications on secure chip technology added that a composite product consists of an open platform (such as a secure element [SE]), with one or more secure applications (known as sensitive applications), and optionally one or more basic applications (which do not need to comply with stringent security requirements to operate).

As SEs in mobile devices begin to host multiple applications, it is important that all applications perform as intended and do not interfere with the other services being delivered. Evaluating the security of applications pre- and post-issuance is therefore vital, but needs to be cost- and time-effective for all market stakeholders.

GlobalPlatform adds that the composition model, first released in 2011, defines a relatively easy approach to certify the security of SE products that carry sensitive and/or basic applications and simplify post-issuance application management.

The model achieves this by promoting two key concepts: re-using existing security evaluation results; and limiting security evaluation work to only test the impact of new application and SE combinations. The streamlined methodology enables the telecom and payment industries to more easily redeploy SEs and applications once they have been certified.

“Most of the applications we have on our mobile handsets today have low security,” said Gil Bernabeu, GlobalPlatform’s technical director. “As we start to add applications that connect to our bank accounts or identity, the need to protect an application is crucial. Security evaluation can be expensive and time consuming and while it is imperative that the industry adheres to the highest security standards, it is important that products can be brought to market quickly.

“GlobalPlatform’s work in this area aims to streamline the security testing process. This will encourage application developers to validate the security of their applications appropriately without stifling innovation and product advancements.”
