GlobalPlatform enables the Web to access Advanced Security Services

Organization standardizes the interface between web applications and secure elements

12 January, 2017 – GlobalPlatform has defined a standardized communications interface between web applications and secure element (SEs), which will enable developers of web services to build in advanced security features to protect online services against many types of attack and fraud.

By allowing web services to utilize a dedicated tamper resistant piece of hardware within a device, known as a SE, the newly released Web API for Accessing Secure Elements v1.0 enables sensitive data from online applications to be securely stored and processed in a secure, isolated environment. By doing so, it enables web services to address multiple use cases that are central to the deployment of value added services:

• Authentication – access to an online service may be protected by a strong authentication mechanism based on credentials stored and processed within a SE.

• Digital signatures – web applications may use a digital signature to digitally sign a document or data with a key stored in the SE.

• Payment – when online commerce transactions are made via a mobile device, the payment application may be hosted on the SE within a device, to enforce the security of the online transaction. This may alleviate the need for the user to handle multiple physical devices (e.g. a mobile device plus a payment card).

• Credential provisioning – a web service may update the content of the SE to install, update or remove an application or credential it may hold. For example, a public transport app may credit a user's NFC-enabled transport card or mobile device with tickets bought online. The tickets would be stored securely in the SE, ensuring access only to authorized parties.  

By extending the benefits of GlobalPlatform's secure, standardized infrastructure to web services for the first time, Web API for Accessing Secure Elements v1.0 presents web app developers with advanced security options which may help them to overcome multiple security challenges presented by the increasing connectivity of mobile devices. The new API enables web-based applications to access SEs of any form factor, including UICC or eUICC, embedded SEs and smart micro SD cards.   

Gil Bernabeu, GlobalPlatform's Technical Director, comments: "The release of this API extends the highest levels of security available currently to web services, empowering online service providers to take advantage of new use cases to protect their assets and customers in a way that has not previously been possible.

"This is particularly relevant in light of the many security challenges that we face globally as the Internet of Things (IoT) leads to an unprecedented volume of connected devices and greatly increases the attack surface at risk.  With this new API, used in conjunction with other complementary GlobalPlatform technology for SE Access Control, secure messaging and Trusted Execution Environment (TEE) standardization, online service providers can now benefit from far greater security and privacy than ever before."

In October 2016, SIMalliance announced that it had transferred ownership of the Open Mobile API (OMAPI) Specification to GlobalPlatform. The OMAPI Specification defines how mobile applications may access different SEs in a mobile device and is currently referenced by GSMA, mandated by EMVCo in devices used for contactless payments, and implemented in over 250 models of Android NFC smartphone.

Gil concludes: "We are pleased that the release of this web API has come so quickly following the transferral of ownership of the OMAPI Specification to GlobalPlatform. Our goal is very much to expand the existing OMAPI Specification to serve new use cases and environments and a web API is the logical next step towards ensuring that secure and trusted applications across many platforms, in addition to Android, can utilise the SE to offer enhanced security benefits."   

GlobalPlatform's Web API for Accessing Secure Elements v1.0 has been developed to be complementary to W3C standards, with no overlap of functionality. Please visit the device specifications page of the GlobalPlatform website to access the document.

Featured Reports

Connected Vehicle: V2V and V2X Market Outlook 2017-2022

Connected vehicle technology is rapidly evolving to encompass Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I), Vehicle-to-Device (V2D), and Vehicle-to-Pedestrian (V2P) signaling and communications. This research examines the V2V and V2X market including technologies, solutions, and major players. 
Buy now

 

IoT Device Management: Outlook and Forecasts 2017-2022

The report evaluates market opportunities and challenges for IoT Device Management solutions across various industry verticals.  The report includes forecasting for global and regional markets as well as potential across deployment types and sectors including automotive, manufacturing, smart cities, and more.
Buy now

 

DAS Market Analysis and Forecasts 2016-2021

Analysis of the DAS market, including carrier WiFi, small cells, and SON, and the leading companies in the DAS ecosystem and their solutions.  The report also includes evaluation of market drivers, challenges, and provides forecasts for 2016 to 2021.
Buy now

 

NextGen Network OSS/BSS Forecast 2016-2021

Comprehensive coverage of NGN OSS/BSS including opportunities within Big Data and IoT, analysis of the drivers and issues related to the technical and business aspects of OSS/BSS, deployments and operations issues, and quantitative analysis with forecasts for anticipated growth through 2021.
Buy now