Securing Mobile Services

By Alex Chen, Security – the heart of mobile services, FIME ASIA, Taiwan

Security is at the heart of all mobile services, whether that be payment, transit, identity and access control or multimedia gaming and video applications.

What is also common across all services is that each must operate effectively and in line with any sector-specific and general industry requirements. The only way this can be assured is through rigorous testing of the underlying hardware and software, which together provide the framework within which mobile services are delivered and managed on a device such as a smartphone.

Delivering convenient and secure mobile services to end-users, which add value to their daily lives, is what will inevitably drive consumer acceptance of near field communication (NFC)-based mobile applications. For this to be achieved, however, security and interoperability must be realised.

With value added services such as transport and loyalty driving the NFC mobile market and leading the way for mass market adoption, a dedicated and pragmatic approach to mobile security must be agreed and implemented. Get this right, and end-users will benefit from convenient, yet secure and interoperable mobile services. This in turn will build consumer confidence and acceptance in NFC-based applications.

The challenge of achieving multi-application security

With the rise in NFC chip-based applications comes market convergence. Payment, transport and public-sector service providers, for example, find themselves working together in a business and technical capacity for the first time. For handset manufacturers, this brings many new challenges as they strive to ensure the suitability, security and usability of their handsets in an ever-growing and technically demanding marketplace.

For payment applications, for example, EMVCo - the EMV® standards body jointly owned by American Express, JCB, MasterCard and Visa - requires that the same security levels are applied to a payment transaction on a mobile device as on a traditional plastic payment card. This means that handset manufacturers must develop devices capable of hosting embedded secure elements (SE), universal integrated circuit cards (UICC) or microSD cards, depending on the business model selected by the stakeholders involved. Within the SE, secure applications such as those for payment services co-exist with other basic applications that require less security. This considerably changes the way that SEs and chip-based applications are evaluated.

In addition, the SE is accessible through the handset, via a mobile application. While this introduces a way to interact with the end-user, it brings new challenges in terms of SE security. From a business perspective, device manufacturers must take into account the different service providers’ processes that will impact the product development schedules. Typically, mobile handset manufacturers will develop and bring new devices to market within six months. In contrast, the security evaluation of payment applications often far exceeds the six month product development lifecycle. The key challenge for service providers is that their business model has changed.

The service provider no longer owns, issues and manages the SE; it must therefore communicate and build trust with the other stakeholders in the ecosystem. This is particularly important for the service provider’s relationship with the SE owner, since the SE owner assumes responsibility for delivering the level of security the service provider expects for its application. Regardless of a stakeholder's position in the supply chain, all players need to mitigate risk. Key to this is ensuring that the appropriate level of security for any given application and service is achieved.

It goes without saying that the more sensitive the data, the more important the security is in order to protect a person’s identity credentials from being used fraudulently. Although different applications require different levels of security, all must be able to sit together on the same secure chip and run effectively without interfering with one another. Industry agreement on common specifications and certification is therefore essential in realising cross-sector interoperability, security and usability of services on mobile devices.

Achieving technical interoperability

The means of protecting an application from malicious attack or unintentional corruption are continually advancing, but so are the attacks. To defend against them on a mobile device, the way that data is stored, processed and protected needs to be considered. For a mobile service to operate effectively, the application on the SE must be accessible to the end-user via the mobile application interface. GlobalPlatform – the standard for managing applications on secure chip technology – is working with its members to develop industry specifications that will standardise the trusted execution environment (TEE), offering greater security for the screen and keyboard of a mobile device to protect against attacks, while providing a secure area in which to store sensitive information.

The TEE provides a secure communication channel between the SE and the mobile application, allowing the secure access and delivery of services between them. GlobalPlatform’s standardisation work in this area will ensure that service providers do not have to create multiple applications for differing devices, thereby streamlining application development and reducing costs. As a respected industry organisation, GlobalPlatform is continually looking at developing new specifications and guidelines which are designed to support the interoperable development of secure chip-based applications. The organisation also runs its own compliance programme, which sets out a framework for the testing and certification of products.

Evaluation and certification - generating market confidence

To ensure that the mobile handset, and the technologies required to run the applications residing on it, behave as expected and meet all necessary specifications, handset manufacturers, service providers and SE owners must undergo appropriate product testing and evaluation, taking into account state-of-the-art attacks and the latest test methodologies. The NFC environment is a competitive place to be, with all participants wanting to be the first to launch the next-generation mobile with the latest functionality.

Controlled third-party evaluation, as part of a certification programme, therefore not only ensures that products and services are fully compliant with commonly agreed requirements, but also builds confidence between stakeholders and helps to increase end-user acceptance. Industry specifications, such as GlobalPlatform’s Composition Model, are required to ensure cross-sector interoperability and security, while helping to strengthen relationships between the NFC ecosystem stakeholders.

Different security levels must be achieved depending on the type of application, in order to protect the product’s assets and those of the other applications: secure applications are evaluated against the relevant security certifications (such as Common Criteria or EMVCo), while basic applications go through lighter security validation processes (against a defined set of security rules). The impact of a security breach on the brand image, and the cost to fix it, need to be balanced against the time and cost of certification. Understanding and adhering to standards and specifications, while remaining aware of the end-user experience, is vital for product developers and service providers. It helps to achieve the level of performance, security and interoperability required to boost end-user confidence in NFC services, creating a stable landscape for mass-market deployment.