Application Security on Mobile Networks - Code Signing from VeriSign Australia

Mobile network providers compete fiercely for subscribers and data revenue with faster networks, smarter devices and first-class applications from a growing, global developer community. With opportunity comes risk, and mobile network operators have to balance innovation and speed-to-market against security. Bug-ridden or malicious code not only disrupts the individual user's service, it puts the whole network at risk.

How Code Signing Helps Mobile Network Providers

Code Signing creates a digital "shrink wrap" that shows the source of the code and confirms that it has not been modified since the signature. In traditional software sales, a buyer can confirm the source of the application and its integrity by examining the packaging. Software downloaded over the mobile network, sometimes without the subscribers knowledge, poses a real risk. Code Signing from a trusted Certificate Authority (CA) such as VeriSign allows network providers to:

Restrict access to applications from known and approved sources
Integrate testing into the approval process for programs that access secure APIs
Revoke specific code without affecting all programs or versions from a single developer

Restrict Access to Known and Approved Sources

VeriSign® Code Signing Accounts require developers to go through a rigorous, time-tested validation process to acquire a Publisher ID. The developer uses a Publisher ID to sign code and then uploads it to a VeriSign® Flexible Signing Account or VeriSign® Authenticated Content Signing (ACS) for Symbian™. VeriSign validates the publisher signature, then strips off the publisher’s digital signature and generates a new key pair, signs the content and sends it back to the publisher with the newly generated, unique Content ID for trusted use on Windows Mobile® or Symbian Signed™ platforms. By requiring code signing or restricting enrolment for Publisher IDs through VeriSign, mobile network operators can limit access on their networks to applications created by known, verified sources.

Streamline Testing and Approval for Secure APIs

Success in the mobile market requires constant innovation to compete for subscribers and to leverage revenue-generating data services. Network providers and mobile platform vendors who integrate VeriSign® Code Signing into their approval process help speed time to market by streamlining the development process. As soon as applications have been uploaded, reviewers have easy Web-based access to application digital signatures for quick approval. A Publisher API enables Microsoft® Mobile2Market developers to integrate VeriSign Code Signing directly into their build process.

Unique Content ID to Track and Revoke

With a traditional code signing certificate, the developer signs all code with the same digital signature. A Code Signing Account uses a two-step signing process to create a unique digital signature for every code signing event. If bug-ridden or malicious code is discovered, it can be tracked and revoked more easily without disrupting access to other code and content published by a legitimate developer. This gives network operators more control and better network protection, without hampering innovation.

Private Branded Portal Signing Service

For network providers and mobile platform vendors who desire control over the code signing and approval process, VeriSign offers a private branded portal signing service based on the VeriSign® Flexible Signing Account. For more information contact: CodeSigningEMEA@verisign.com.

Learn More

White Paper: To Increase Downloads, Instil Trust First (Goes to VeriSign.com)
White Paper: Securing Code Transfer with Signing: A Technical Overview (Goes to VeriSign.com)
White Paper: The Essential Series: Code Signing (Goes to VeriSign.com)
Data Sheet: VeriSign® Signing Account (PDF)
All Code Signing Resources