Secure element security added to web applications

GlobalPlatform has released Web API for Accessing Secure Elements v1.0, a standardised communications interface between web applications and secure elements (SEs) that will enable sensitive data from online applications to be stored and processed in a secure, isolated environment.

GlobalPlatformThe new API “will enable developers of web services to build in advanced security features to protect online services against many types of attack and fraud”, GlobalPlatform says.

“By extending the benefits of GlobalPlatform’s secure, standardised infrastructure to web services for the first time, Web API for Accessing Secure Elements v1.0 presents web app developers with advanced security options which may help them to overcome multiple security challenges presented by the increasing connectivity of mobile devices.

“The new API enables web-based applications to access SEs of any form factor, including UICC or eUICC, embedded SEs and smart micro SD cards.”

A wide range of service providers will be able to benefit from the new API, the standards organisation adds, including:

  • Authentication: Access to an online service may be protected by a strong authentication mechanism based on credentials stored and processed within a SE
  • Digital signatures: Web applications may use a digital signature to digitally sign a document or data with a key stored in the SE
  • Payment: When online commerce transactions are made via a mobile device, the payment application may be hosted on the SE within a device, to enforce the security of the online transaction. This, GlobalPlatform says, “may alleviate the need for the user to handle multiple physical devices (eg a mobile device plus a payment card)”
  • Credential provisioning: A web service may update the content of the SE to install, update or remove an application or credential it may hold. A public transport app, for example, could credit a user’s NFC-enabled transport card or mobile device with tickets bought online. The tickets would then be stored securely in the SE, “ensuring access only to authorised parties”

“The release of this API extends the highest levels of security available currently to web services, empowering online service providers to take advantage of new use cases to protect their assets and customers in a way that has not previously been possible,” Gil Bernabeu, GlobalPlatform’s technical director, says.

Next: Visit the NFCW Expo to find new suppliers and solutions