New Specifications for Security Layers in Mobile Phones Published
The UK's Home Secretary Jacqui Smith has welcomed the release of the Advanced Trusted Environment recommendations document from the mobile industry's device requirements body, OMTP. The recommendations will lead to enhancements in the underlying security of mobile phones over the next few years and are the result of two years' worth of effort by the major players in the mobile phone industry.
In welcoming the recommendation, the Home Secretary stated "I am pleased that the mobile industry continues to show its commitment to enhance the security of mobile phones and in particular that a key part of the OMTP requirements is increasing hardware security so that hackers cannot profit from stolen phones by changing their unique identity".
The recommendation looks at a number of key areas to protect mobile devices as they begin to support such features as pay-per-view TV and mobile commerce transactions. Also included are enhancements to existing hardware security in phones, providing the underpinnings to key virus and malware protection in phones provided by an Application Security Framework. To achieve this, the document outlines a series of tools and mechanisms designed to enhance current security processes in technical areas such as: Secure Data Storage for protecting sensitive information, Trusted Execution Environments for isolating and protecting sensitive software, Flexible Secure Boot and Runtime Integrity Checking for detecting whether the device has been tampered with, and Secure User Input / Output to ensure the integrity of data on user interfaces.
Jack Wraith, the Chairman of the Mobile Industry Crime Action Forum said "I am encouraged by the work of the OMTP and its support to ensure that customers using mobile devices can continue to do so in a secure and safe environment. MICAF has over the last five years worked closely with all parties to improve the security standards of mobile phones and in particular have put in place processes and procedures to ensure that when a phone is stolen and reported to a customer's home network it is blocked so that it is no longer of any use to a thief. These enhanced security standards will go a long way to ensure we stay a step ahead of the people out there who are consistently trying to circumvent the security processes and procedures in place and allow us to maintain the robustness and integrity of the mobile handset for some years to come".
The TR1 document has been in production for two years and builds upon the groundwork of the Trusted Environment (TR0).
Whilst TR0 established the basics of a trusted environment for mobile phones, TR1 is forward looking, aiming to provide the base security in handsets for future highly sensitive applications such as m-commerce and broadcast. The recommendations further enhance the work designed to protect the unique identity of the device and stored data, making the user's data safer and the device even more difficult to re-enable after theft.
TR1 also provides the underpinning of trust for other services on the device. An Application Security Framework designed to protect the user from malware and to enforce corporate security policies could potentially be undermined if the hardware platform it is running on is insecure.
The core enablers of the Advanced Trusted Environment are the requirements for Trusted Execution Environments and Secure Storage. These provide the basis upon which the extended enablers are built.
Posted to the site on 22nd May 2008
