Load time code validation for mobile phone Java Cards

Over-the-air (OTA) application installation and updates have become a common experience for many end-users of mobile phones. In contrast, OTA updates for applications on the secure elements (such as smart cards) are still hindered by the challenging hardware and certification requirements. The paper describes a security framework for Java Card-based secure element applications. Each application can declare a set of services it provides, a set of services it wishes to call, and its own security policy. An on-card checker verifies compliance and enforces the policy; thus an off-card validation of the application is no longer required. The framework has been optimized in order to be integrated with the run-time environment embedded into a concrete card. This integration has been tried and tested by a smart card manufacturer. In this paper we present the architecture of the framework and provide the implementation footprint which demonstrates that our solution fits on a real secure element. We also report the intricacies of integrating a research prototype with a real Java Card platform. a 2013 Elsevier Ltd. All rights reserved.