GlobalPlatform has released a new technical specification that prevents unauthorized applications from communicating with the secure element on a mobile device.
According to GlobalPlatform, the Secure Element Access Control mechanism ensures that only legitimate secure mobile services, such as mobile payments and ticketing applications, are able to connect with the secure element and access the user’s personal information, while blocking unauthorized applications and malicious third parties.
“Failure to restrict access to the secure element communication channel could result in a fake wallet application popping up during a secure element-based transaction that could send the wrong, or too many, commands,” explained Christophe Colas, GlobalPlatform’s Device Committee Chair. “This would result in ‘denial of service’ attacks or PIN blocking, and a secure application being unable to perform as required.”
The document, which may be used by secure element and handset manufacturers as well as secure element issuers, specifies how the access policy is stored and how it can be accessed and used by the device. The policy will be enforced within the device’s operating system, according to GlobalPlatform.