Contributed by Bart van Rijnsoever
Software downloading is likely to become an important feature in the next generation of mobile communication systems, particularly when software radios become a reality. We may distinguish between two different application areas of software downloading: downloading of an application, and downloading of software that implements the basic (communication) functions.
An application enhances the basic functionality of a mobile phone. It may be related to a particular connection (e.g., an application that allows you to consult a particular database), or it may be independent of any connection (e.g., an address-book application).
Application downloading is more powerful if the applications are interoperable between different types and brands of mobile terminal. (This holds especially for applications related to a connection.) An application may then be supplied by a third party. Interoperability can be achieved by writing an application in a high-level programming language like Java.
Software that implements the basic functionality of a mobile phone is downloaded for the purpose of bug repair, functionality enhancement, or (in the case of software radio) a complete change of functionality. In many cases, this software will be supplied by the manufacturer of the mobile phone, so that interoperability is less of an issue.
Software downloading will most likely be implemented over the air interface. However, for certain GSM applications it is also conceivable that the SIM interface or a peripheral interface is used for this purpose.
The security of traditional mobile communication has attracted a lot of attention, and it has been assured in a proper way, e.g., in GSM. New security needs are however raised by software downloading and, more generally, by the increased importance of software in mobile phones.
Access control to software download functionality
Software downloading is a powerful tool. It allows one to change and enhance the functionality of a mobile phone. The manufacturer, the service provider, and the end-user may each have an interest in restricting access to this tool. The manufacturer may want to prevent a third party from supplying basic software for his phones (if only to ensure proper functioning of the device). The service provider may want to prevent a user from being lured into downloading services of another service provider. The end-user may want to prevent unwanted software from being downloaded into his phone.
Access control to mobile phone functionality
Downloaded software may originate from trusted or non-trusted sources. A non-trusted source is, for example, the provider of some game service. Software from a non-trusted source should not be given full control over all mobile phone functions. For example, a service provider should not be allowed to autonomously insert his phone number into the list of pre-set phone numbers.
The integrity of basic phone software (whether downloaded or not) is important to ensure proper functioning of the device. Further, phone software may implement security-related functionality. An example is access control to software download functionality.
If (application) software is downloaded from a server in the network, its integrity is important to ensure proper functioning and to prevent deception of the end-user.
If (basic) software is downloaded into the phone, the source of that software needs to be established in order to enforce access control to the software download functionality.
If (application) software is downloaded from a server in the network, the end-user will have to be sure that the software provider is who he claims to be.
(Basic) software that runs in a mobile phone (or, rather, that to a large extent implements a mobile phone) is a valuable asset that may incorporate important intellectual property rights. A competing phone maker or service provider might be interested in learning more about this software. Hence there may be a need to ensure its confidentiality.
(Application) software may be part of confidential communication between software provider and end-user.
Next we will describe tools to address the security requirements listed above. The tools are categorized according to where they are applied:
- against attacks on the software download process,
- against attacks on the software stored or executing in the mobile phone, or
- against attacks by downloaded software on the functionality of the mobile phone.
Security Tools: Download process
The air interface is especially vulnerable to attacks, because it is relatively easily accessible. The security requirements relevant to the download process are integrity, authentication, and confidentiality of the downloaded software.
In cryptography there are many tools to provide digital signatures (i.e., integrity and authentication) and encryption. There are a number of open issues and problems related to the application of these tools in the context of software downloading into mobile terminals.
The first issue is the openness of the system. If the issuer of the downloaded software can be an arbitrary supplementary service provider (i.e., if the system is open), we need standard digital signature and encryption schemes and a key management mechanism. Open systems are mostly based on public key cryptography. If the system is closed, key management can be simpler because it is known in advance with whom the mobile terminal will communicate. For closed systems, secret key cryptography can be used, although this is less secure.
A second issue is the performance and memory footprint of the security algorithms in the mobile terminal. Public key cryptography in particular may be costly in this respect.
A third issue is how to embed digital signatures and public key certificates in the protocols that will be used in software downloading.
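As an added example (not code from the page or from any real phone protocol), the closed-system variant described above, in which the phone shares a secret key with its manufacturer: the package carries a MAC over the version and the hash of the code, so the phone rejects modified code, code issued under another supplier's key, and replayed older images. Key values, package layout and the version rule are constructed assumptions; an open system would replace the MAC with a public-key signature plus certificate check.

```python
import hashlib
import hmac

# Constructed example (not from the page or any real phone protocol): a closed
# system in which the phone shares a secret key with its manufacturer, the
# secret-key variant the text mentions for closed systems. An open system would
# replace the MAC with a public-key signature and a certificate check.
MANUFACTURER_KEY = b"constructed-shared-secret-provisioned-at-manufacture"
THIRD_PARTY_KEY = b"constructed-key-of-some-other-supplier"  # unknown to the phone


def _tag(key: bytes, version: int, code: bytes) -> bytes:
    # MAC over version || SHA-256(code): integrity of the code and binding of
    # the version, so a genuine but older image cannot be replayed later.
    digest = hashlib.sha256(code).digest()
    return hmac.new(key, version.to_bytes(4, "big") + digest, "sha256").digest()


def package_image(code: bytes, version: int, key: bytes) -> dict:
    """Supplier side: wrap software in a download package carrying its MAC."""
    return {"version": version, "code": code, "tag": _tag(key, version, code)}


class Phone:
    """Terminal side: install only images that verify under the phone's own
    key and that are newer than the installed version."""

    def __init__(self, key: bytes):
        self._key = key
        self.installed_version = 0
        self.installed_code = b""

    def install(self, pkg: dict) -> bool:
        expected = _tag(self._key, pkg["version"], pkg["code"])
        if not hmac.compare_digest(expected, pkg["tag"]):
            return False  # modified in transit, or not issued with the manufacturer's key
        if pkg["version"] <= self.installed_version:
            return False  # replay of an older, genuinely tagged image
        self.installed_version = pkg["version"]
        self.installed_code = pkg["code"]
        return True
```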
Download process: Wireless Application Protocol
The Wireless Application Protocol (WAP) is a recent development supported by all major mobile phone manufacturers. It provides the following communication stack for downloading into mobile phones and other mobile devices. (WWW reference: http://www.xwap.com)
[Figure: WAP communication stack; bottom (bearer) layer: GSM or other system]
WAP takes download security into account. A separate security layer has been defined that is to provide encryption, authentication, integrity, and key management.
We need to learn more about WAP. It seems a very promising system that takes care of download security as far as applications are concerned. Downloading of other types of software (e.g., software that implements the basic operation of the phone) still is a more open issue.
Security tools: Software in mobile phone
Software in the mobile phone may become the subject of attacks, whether the software is resident or has been downloaded. Software integrity is especially relevant when the software controls the software download functionality or when it plays another security-related role. Software confidentiality is relevant in the case of state-of-the-art software algorithms that constitute considerable intellectual property rights. A basic question that needs answering is to what extent protection against this kind of attack is required.
At least part of the security can be achieved by physical means. Integration of functionality on a single IC or on a multi-chip module makes it more difficult to interfere with the communication between, for example, the processor and memory. It also makes it more difficult to change software without damaging an essential part of the system. Cryptography can enhance the level of security achieved by physical means. This is a rather new subject, and we only list tools that may prove useful.
In cryptography, integrity is checked by means of a hash function that delivers a digest (or hash) of the software code. The hash is compared with a predetermined value to establish whether the software has been modified. The challenge is to make this secure:
- The hash should be checked by a tamper-resistant device (e.g., a processor or the SIM) that can impose sanctions if the check fails.
- The hash should be calculated over the software that is actually running in the mobile phone. The hash should not be a replay of a previously calculated hash.
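As an added example (not code from the page), both points above: a tamper-resistant checker, e.g. the SIM, issues a fresh nonce for every check and expects SHA-256(nonce || code) computed over the code in memory, so an answer recorded at an earlier check fails against the next nonce, and a failed check triggers a sanction. The checker holding a copy of the reference image, the message format and the sanction flag are assumptions of this toy, not a real SIM protocol.

```python
import hashlib
import hmac
import os

# Constructed example (not from the page): a tamper-resistant checker, e.g. the
# SIM, challenges the phone with a fresh nonce and expects SHA-256(nonce || code)
# computed over the code actually in memory. Binding the nonce into the hash is
# what stops the phone from replaying an answer recorded at an earlier check.
# Assumption for the toy: the checker holds a copy of the reference image.
REFERENCE_CODE = b"constructed phone software image v1"


def attest_response(nonce: bytes, running_code: bytes) -> bytes:
    """Phone side: the hash must cover the software that is really executing."""
    return hashlib.sha256(nonce + running_code).digest()


class TamperResistantChecker:
    def __init__(self, reference_code: bytes):
        self._reference = reference_code
        self._outstanding = None   # nonce of the check in progress, if any
        self.sanctioned = False    # e.g. phone locked out of the network

    def challenge(self) -> bytes:
        self._outstanding = os.urandom(16)  # fresh per check
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        if self._outstanding is None:
            return False  # no challenge issued: nothing to compare against
        expected = hashlib.sha256(self._outstanding + self._reference).digest()
        self._outstanding = None  # a nonce is good for exactly one answer
        ok = hmac.compare_digest(expected, response)
        if not ok:
            self.sanctioned = True  # the sanction the text asks the device to impose
        return ok


def run_check(checker: TamperResistantChecker, running_code: bytes) -> bool:
    """One complete challenge-response round between checker and phone."""
    return checker.verify(attest_response(checker.challenge(), running_code))
```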
Confidentiality requires that encrypted software is decrypted in or close to the processor. If decryption is part of the instruction fetch, it may cause serious performance degradation. Another problem is how to get decryption keys into the processor.
Security tools: Executing downloaded code
The software downloaded into the mobile terminal may have been supplied by a non-trusted party, e.g., by a supplementary service provider. This means that the software may try to implement attacks.
A mobile phone is a consumer product that should be robust, and attacks should be prevented from succeeding. We distinguish between the following attacks:
- The integrity attack is to influence processes or data in a harmful way. The attack may concern both downloaded code and native code. An example is a downloaded application that prevents a connection to a competing supplementary service provider from being established.
- The availability attack is to prevent resources from being used by other code. Examples are downloaded applications that claim the entire display or that catch all keyboard entries.
- The disclosure attack discloses private or confidential information. An example is a downloaded application that sends the list of pre-set telephone numbers to a service provider without asking the user.
- The annoyance attack is to annoy the user, e.g., by playing sounds on the speaker.
Several tools have been developed to contain code from non-trusted sources, especially in the context of downloading Java applets into Web browsers. The approach that has been taken by Java is four-fold:
- Language: the Java language does not allow constructs that can potentially be used by attackers, like pointers.
- Verifier: before execution, it is checked that the downloaded Java (byte)code is well-behaved (no stack overflows, no illegal type casts, etc.).
- Class loader: downloaded Java code is placed in a dedicated part of the memory structure, so that it cannot replace resident or trusted code.
- Security manager: before a security-related method is called, it is checked that the downloaded code is trusted.
In Java, it is possible to distinguish between trusted and non-trusted applications. The security manager allows a trusted application to call certain methods that are forbidden for non-trusted applications. More flexibility is being added to this model by implementing fine-grained access control to methods on the basis of the origin of the application.
Authentication of the originator of an application is part of the software downloading process.
JPL's Wireless Communication Reference Website