Dec. 20, 2012
NFC standards organization GlobalPlatform has announced that it is advancing its "Composition Model" to make it faster and easier for developers and product issuers to perform security evaluations on their NFC contactless apps.
The GlobalPlatform Composition Model defines an easy approach to certifying the security of secure element products that carry either sensitive or basic applications, and makes it easier to manage those applications after they have been issued.
With the GlobalPlatform model, security evaluations of applications can re-use existing security evaluation results as well as limit the scope of testing to looking only at the impact of new application and SE combinations.
GlobalPlatform said the streamlined methodology means that the telecom and payment industries can now redeploy SEs and applications more easily once they have been certified.
GlobalPlatform said that a composite product falling under the model would include an open platform such as a secure element with one or more secure applications, as well as possibly one or more basic applications.
As secure elements on mobile devices are called upon to host multiple applications, it's crucial that deployed applications work as intended and do not interfere with other services, GlobalPlatform said. Evaluating the security of applications before and after issuance is therefore vital, but should be cost- and time-effective, it said.
"Most of the applications we have on our mobile handsets today have low security requirements," said Gil Bernabeu, technical director at GlobalPlatform. "As we start to add applications that connect to our bank accounts or identity, the need to protect an application is crucial. Security evaluation can be expensive and time consuming and while it is imperative that the industry adheres to the highest security standards, it is important that products can be brought to market quickly."
Bernabeu said the organization's work is intended to streamline the security testing process, which will encourage application developers to validate the security of their applications without stifling innovation and product advancements.
"The GlobalPlatform Composition Model also encourages basic applications to be validated against a given set of applicable security rules," Bernabeu said. "Basic application developers need to understand their responsibilities as more and more services are downloaded onto mobile devices."
GlobalPlatform said its Card Composition Model has been developed in cooperation with both payment standards body EMVCo and mobile industry group GSMA.
For more stories like this, visit the contactless/NFC research center.