Using code signing to secure mobile apps

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Smartphone users download billions of applications each year, and while the apps add greatly to phone functionality, the risk of buggy or malicious code threatens both the user and the integrity of networks.

Mobile application publishers and developers need ways to differentiate their legitimate software from malware, protect their applications from tampering, and recall faulty or malicious code without impacting the rest of their published applications.

Fortunately, advanced mobile software platforms such as Windows Mobile 7 and popular app stores such as Windows Marketplace for Mobile have implemented code signing technology to address many of the most frightening security concerns. These platforms use code signing to control the software allowed on networks, taking comprehensive measures to ensure the safety of mobile apps for users and the networks upon which they increasingly rely.

What is code signing?

In traditional software delivery models, a buyer confirms the source of the application and its integrity by examining the packaging. Software downloaded over a mobile network, however, poses a risk because the identities of the publishers are more difficult to determine. Inadvertently introducing malware into the wireless network environment doesn't just put a single end user's smartphone at risk; it can affect an entire network of devices and expose all subscribers to attack, interrupt service, and seriously damage the network provider's reputation and financial performance.

Realizing the responsibility they bear, app stores such as Windows Marketplace now require code signing technology that essentially "signs" the mobile software code with a digital signature, creating a "digital shrink-wrap" that both validates the source of the software code and confirms that the code has not been modified.

Code signing is based on public key cryptography. A developer or software publisher uses a private key to add a digital signature to a piece of software code. Mobile software platforms such as Windows Mobile 7 will use a public key to validate the signature during the app download process and compare the hash used to sign the application against the hash of the downloaded application.

It is this hash that confirms the contents of the file and verifies the code has not been altered or corrupted since it was signed. And while a user can verify the contents of a file and the integrity of the software, the publisher should also have the ability to efficiently revoke a compromised certificate.

With a traditional code signing certificate, the developer signs all code with the same digital signature. But the mobile paradigm poses some unique challenges requiring unique approaches to deployment and management. Developers and publishers must be able to easily recall buggy, faulty or compromised code without impacting other versions or applications published by legitimate developers.

Ideally, mobile code signing implementations will use two digital certificates -- one for identifying the publisher and one for identifying the content. In this scenario, the publisher uses a Publisher ID to sign the code and then uploads it for validation to a certificate authority's (CA) code signing service through a secure interface. Once the signature is validated, a unique Content ID is generated from the publisher's identity and application information. The CA then re-signs the content with the Content ID, and the code is "good to go" for trusted distribution. If applications use potentially sensitive APIs, as in the case of Windows' Privileged Access for Marketplace, a third-party evaluation is required before a Content ID is issued.

The mechanics of the re-signing process are transparent to the end user device, as only a single verification is performed at the client device level. But for the developer and network provider, assigning an event-specific certificate enables the easy identification and recall of faulty code without impacting the rest of the application. Such scenarios and capabilities give network operators more control and better network protection without hampering innovation or the experience of the end user.

In most instances, signed code from a trusted source may be automatically accepted, or a security warning will prompt the end user to view the signature information and decide whether or not to trust the code. Some network providers minimize their risk by accepting only signed applications while others require code signing in order for applications to have access to potentially sensitive APIs. If a mobile platform such as Windows Mobile 7 does not recognize an application's signature as valid, it will not run the application at all.
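The two-stage flow described above, as an added example in Go (not code from the article, Microsoft or any CA): the publisher signs the package hash with its Publisher ID key, the CA service verifies that signature, derives a Content ID and re-signs, and the handset performs a single verification plus a revocation check so that revoking one Content ID leaves other releases untouched. The Content ID derivation, the `Revoked` list shape and the sample package bytes are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Revoked is the device-side revocation list keyed by Content ID (assumed shape, not a Marketplace format).
type Revoked map[string]bool

// PublisherSign is the developer's step: sign the SHA-256 of the package with the Publisher ID private key.
func PublisherSign(priv ed25519.PrivateKey, app []byte) []byte {
	digest := sha256.Sum256(app)
	return ed25519.Sign(priv, digest[:])
}

// CAReSign is the code signing service: verify the publisher signature, derive a Content ID from
// publisher identity plus app hash, and re-sign (ContentID || hash) with the CA key. ok is false on a bad upload.
func CAReSign(caPriv ed25519.PrivateKey, publisherPub ed25519.PublicKey, app, pubSig []byte) (string, []byte, bool) {
	digest := sha256.Sum256(app)
	if !ed25519.Verify(publisherPub, digest[:], pubSig) {
		return "", nil, false
	}
	idHash := sha256.Sum256(append(append([]byte{}, publisherPub...), digest[:]...))
	id := hex.EncodeToString(idHash[:8])
	return id, ed25519.Sign(caPriv, append([]byte(id), digest[:]...)), true
}

// DeviceVerify is the handset's single check: reject revoked Content IDs, rehash the downloaded bytes,
// and verify the CA signature over (ContentID || hash).
func DeviceVerify(caPub ed25519.PublicKey, app []byte, id string, contentSig []byte, revoked Revoked) bool {
	if revoked[id] {
		return false
	}
	digest := sha256.Sum256(app)
	return ed25519.Verify(caPub, append([]byte(id), digest[:]...), contentSig)
}

func main() {
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader) // Publisher ID key pair
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)   // CA key pair
	app := []byte("constructed sample package v1")         // constructed input, not a real app
	id, sig, ok := CAReSign(caPriv, pubPub, app, PublisherSign(pubPriv, app))
	fmt.Println(ok, DeviceVerify(caPub, app, id, sig, Revoked{}), DeviceVerify(caPub, app, id, sig, Revoked{id: true}))
}
```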

Passing the trust threshold

Because the publisher validation process is a critical hurdle for application developers, great care should be taken to ensure best practices for vetting signing entities. CAs take on the responsibility of substantiating that a signing entity is a legally registered organization.

During the code signing enrollment process, the CA will collect information about a publisher and his or her organization to authenticate identity. The validation process may take a few hours or several days, depending on the information provided and how easily it can be verified. Ideally, the CA will contact each organization using independently verified contact information to ensure that the organization requesting a certificate truly is the organization it claims to be.

In the case of developers who wish to distribute mobile apps on Windows Marketplace for Mobile, software must undergo the code signing process. Developers are required to sign every content update before apps are made available in the app store catalog. Then Microsoft closely monitors the applications allowed into the program for any irregularities and uses its authority to request the revocation of certificates associated with malicious content if such irregularities are detected.

The implementation of code signing for mobile apps -- particularly on the Windows Mobile platform -- means that users, app developers and publishers, and network operators need not feel they must compromise security in their rush to take advantage of the world of mobile app opportunities.

Code signing proactively demonstrates to smartphone users and network providers that the next great mobile killer apps are safe to download and run. This empowers publishers to protect their customers and their brand value. It allows network operators to minimize the risks of exposing their networks and subscribers to attack without sacrificing the bottom line. And users can enjoy the confidence of security with a seamless user experience when downloading smartphone applications.

This story, "Using code signing to secure mobile apps" was originally published by Network World.

Copyright © 2011 IDG Communications, Inc.