‘Code Signing’ is Securing Mobile Apps for Enterprises, Consumers
Smartphone app downloads will likely top 6 billion for 2010 when all the numbers are crunched, according to ABI Research. With mobile apps poised to continue to proliferate for consumer and enterprise use, “code signing” is becoming a crucial way to authenticate and control mobile apps.
Mobile application developers are rushing to meet the needs of one of the most attractive platforms for reaching large consumer and enterprise audiences. At the same time, wireless network providers are looking to software subscription as an important new revenue source.
Smartphone app downloads will likely top 6 billion for 2010 when all the numbers are crunched, according to ABI Research. But with the great opportunities posed by these developments come the risks of buggy or malicious code that not only threaten the user, but also the integrity of networks.
Mobile application publishers and devs are looking for ways to let users distinguish their legitimate software from malware, protect their applications from tampering, and recall faulty or malicious code without impacting the rest of their published applications.
One solution to all these concerns is something called “code signing,” which is already in use on Windows Mobile 7 and Windows Marketplace for Mobile. These and other mobile platforms use code signing to control the software allowed on networks, taking comprehensive measures to ensure the safety of mobile apps for users and the networks upon which they increasingly rely.
Inside “Code Signing” To Safeguard Mobile Users
Inadvertently introducing malware into the wireless network environment doesn’t just put a single end user’s smart phone at risk; it can affect an entire network of devices and expose all subscribers to attack, interrupt service, and seriously damage the network provider’s reputation and financial performance.
“Mobile platforms use code signing to control software allowed on networks [and] to ensure the safety of mobile apps.” (Michael Lin, Senior Director, Trust Services, Symantec)
In traditional software delivery models, a buyer confirms the source of the application and its integrity by examining the packaging. Software downloaded over a mobile network, however, poses a risk because the identities of the publishers are more difficult to determine.
To protect smart phone users, app stores such as Windows Marketplace now require code signing technology that essentially “signs” the mobile software code with a digital signature, creating a “digital shrink-wrap” that both validates the source of the software code and confirms that the code has not been modified.
Code signing is based on the technology known as public key cryptography. A developer or software publisher uses a “private” key to add a digital signature to a piece of software code. Mobile software platforms such as Windows Mobile 7 will use a “public” key to validate the signature during the mobile app download process and compare the “hash” used to sign the application against the hash of the downloaded application.
It is this “hash” within the digital signature that confirms the contents of the file and verifies that the code has not been altered or corrupted since it was signed. While a user can verify the contents of a file and the integrity of the software, the publisher should also have the ability to efficiently revoke a compromised certificate.
With a traditional code signing certificate, the developer signs all code with the same digital signature. But the mobile paradigm poses some unique challenges requiring unique approaches to deployment and management. Developers and publishers must be able to easily recall buggy, faulty, or compromised code without impacting other versions or applications published by legitimate developers.
Ideally, mobile code signing implementations will feature the presence of two digital certificates – one for identifying the publisher and one for identifying the content. In this scenario, the publisher uses a Publisher ID to sign the code and then uploads it for validation to a Certificate Authority’s (CA) code signing service through a secure interface. Once the signature is validated, a unique Content ID is generated from the publisher’s identity and application information.
The CA can then re-sign the content with the Content ID and the code is then “good to go” for trusted distribution. If applications use potentially sensitive APIs, such as in the case of Windows’ Privileged Access for Marketplace, a third-party evaluation is required before a Content ID is issued.
The mechanics of the re-signing process are transparent to the end user device, as only a single verification is performed at the client device level. But for the developer and network provider, assigning a certificate specific to each submission enables the easy identification and recall of faulty code without impacting the rest of the application. Such scenarios and capabilities give network operators more control and better network protection without hampering innovation or the experience of the end user.
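The two-certificate flow just described (publisher signs with its Publisher ID key, the CA validates that signature, derives a unique Content ID, re-signs, the device performs a single verification, and one Content ID can be recalled without touching other versions) together with the earlier hash-in-signature check, as an added Go example. This is not code from the article, from Symantec or VeriSign, or from Windows Marketplace; it assumes Ed25519 key pairs standing in for the publisher and CA certificates, a Content ID derived as a hash of the publisher identity, app information and code hash, and a revocation list kept by the CA. The publisher name, app name, versions and app bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Submission is what a publisher uploads to the CA's signing service: the app
// image plus a signature over its SHA-256 hash made with the Publisher ID key.
type Submission struct {
	Publisher, App, Version string
	Code                    []byte
	PublisherSig            []byte
}

// ContentCert is the CA's per-submission artifact: a Content ID bound to the
// publisher, app, version and code hash, then signed with the CA's own key.
type ContentCert struct {
	ContentID               string
	Publisher, App, Version string
	CodeHash                []byte
	CASig                   []byte
}

// CA models the code signing service (assumed structure, not a real CA):
// its key, the vetted publisher keys, and the list of revoked Content IDs.
type CA struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	publishers map[string]ed25519.PublicKey
	revoked    map[string]bool
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{priv: priv, Pub: pub, publishers: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}, nil
}

// Enroll records a publisher's key once the CA has vetted the organization's identity.
func (ca *CA) Enroll(name string, key ed25519.PublicKey) { ca.publishers[name] = key }

// Submit is the publisher side: hash the code and sign the hash with the Publisher ID key.
func Submit(priv ed25519.PrivateKey, publisher, app, version string, code []byte) Submission {
	h := sha256.Sum256(code)
	return Submission{Publisher: publisher, App: app, Version: version, Code: code, PublisherSig: ed25519.Sign(priv, h[:])}
}

// tbs returns the bytes the CA signs and the device verifies ("to be signed"); the layout is constructed here.
func tbs(c ContentCert) []byte {
	return []byte(c.ContentID + "|" + c.Publisher + "|" + c.App + "|" + c.Version + "|" + hex.EncodeToString(c.CodeHash))
}

// Issue validates the publisher's signature, derives a Content ID unique to this
// submission, and re-signs the result with the CA key.
func (ca *CA) Issue(s Submission) (ContentCert, error) {
	key, ok := ca.publishers[s.Publisher]
	if !ok {
		return ContentCert{}, errors.New("unknown publisher: identity not vetted")
	}
	h := sha256.Sum256(s.Code)
	if !ed25519.Verify(key, h[:], s.PublisherSig) {
		return ContentCert{}, errors.New("publisher signature invalid")
	}
	// Content ID: hash of the publisher identity, app information and code hash,
	// so every version of every app gets its own recallable identifier.
	id := sha256.Sum256([]byte(s.Publisher + "|" + s.App + "|" + s.Version + "|" + hex.EncodeToString(h[:])))
	c := ContentCert{ContentID: hex.EncodeToString(id[:8]), Publisher: s.Publisher, App: s.App, Version: s.Version, CodeHash: h[:]}
	c.CASig = ed25519.Sign(ca.priv, tbs(c))
	return c, nil
}

// Revoke pulls one Content ID; other versions and apps keep their own IDs.
func (ca *CA) Revoke(id string)          { ca.revoked[id] = true }
func (ca *CA) IsRevoked(id string) bool { return ca.revoked[id] }

// DeviceAccepts is the single client-side check: CA signature over the content
// record, recomputed code hash against the signed hash, then revocation status.
func DeviceAccepts(caPub ed25519.PublicKey, isRevoked func(string) bool, c ContentCert, code []byte) error {
	if !ed25519.Verify(caPub, tbs(c), c.CASig) {
		return errors.New("content certificate not signed by trusted CA")
	}
	if h := sha256.Sum256(code); !bytes.Equal(h[:], c.CodeHash) {
		return errors.New("code modified after signing")
	}
	if isRevoked(c.ContentID) {
		return errors.New("content ID revoked")
	}
	return nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the Publisher ID certificate
	ca.Enroll("Example Publisher", pub)
	v1, _ := ca.Issue(Submit(priv, "Example Publisher", "Notes", "1.0", []byte("notes app build 1")))
	v2, _ := ca.Issue(Submit(priv, "Example Publisher", "Notes", "1.1", []byte("notes app build 2")))
	ca.Revoke(v1.ContentID) // recall the faulty 1.0 build only
	fmt.Println("1.0:", DeviceAccepts(ca.Pub, ca.IsRevoked, v1, []byte("notes app build 1")))
	fmt.Println("1.1:", DeviceAccepts(ca.Pub, ca.IsRevoked, v2, []byte("notes app build 2")))
}
```

The device trusts only the CA key, so a publisher key that was never enrolled cannot produce an installable package, and because each submission gets its own Content ID, revoking the 1.0 record leaves the 1.1 record valid. A production system would carry the revocation status in a list or online status check the device consults rather than a callback into the CA object.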
In most instances, signed code from a trusted source may be automatically accepted, or a security warning will prompt the end user to view the signature information and decide whether or not to trust the code. Some network providers minimize their risk by accepting only signed applications while others require code signing in order for applications to have access to potentially sensitive APIs. If a mobile platform such as Windows Mobile 7 does not recognize an application’s signature as valid, it will not run the application at all.
A Closer Look at the “Trust Threshold” for Mobile Apps
Because the publisher validation process is a critical hurdle for application developers, great care should be taken to ensure best practices for vetting signing entities. CAs such as Symantec (through its acquisition of VeriSign) take on the responsibility of substantiating that a signing entity is a legally registered organization.
During the code signing enrollment process, the CA will collect information about a publisher and his or her organization to authenticate identity. The validation process may take a few hours or several days, depending on the information provided and how easily it can be verified. Ideally, the CA will contact each organization using independently verified contact information to ensure that the organization requesting a certificate truly is the organization it claims to be. In the case of VeriSign, KPMG conducts annual audits to confirm the thoroughness of the well-established CA’s approach to identity assurance.
In the case of developers who wish to distribute mobile apps on Windows Marketplace for Mobile, software must undergo the code signing process provided by Symantec Authentication (formerly VeriSign).
Devs are required to sign every content update before apps are made available in the app store catalogue. Then Microsoft closely monitors the applications allowed into the program for any irregularities and uses its authority to request the revocation of certificates associated with malicious content if such irregularities are detected.
Code signing proactively demonstrates to smart phone users and network providers that the next great mobile killer apps are safe to download and run. This empowers publishers to protect their customers and their brand value. It also allows network operators and enterprise IT to minimize the risks of exposing their networks and subscribers to attack.
Michael Lin is Senior Director of Trust Services product management at Symantec.