11 Security requirements

3GPP TS 02.57: Mobile Station Application Execution Environment (MExE) Service description; Stage 1

This clause consists of:

– a sub-clause giving the principles behind security for MExE. These are not requirements as such but the principles behind the requirements;

– a sub-clause specifying specific requirements that MExE implementations must adhere to;

– a sub-clause specifying the security domain classifications for MExE executables.

11.1 Security Principles

  1. The ME and the data therein are the property of the user. The user is also responsible for the payment of chargeable events involving her MS, and will be seen as the party responsible for any events (whether chargeable or not) involving her MS. Therefore the user shall have full control over all chargeable and non-chargeable events initiated by her MS (“event” includes responses made by the MS to external events, e.g. the acceptance by the MS of an incoming call). This control can be exercised either by the giving of explicit permission at the time of the event or by the giving of implicit permission to the events by the agreement to an event schedule listed clearly in a user profile.
  2. The user shall be able to request the logging of specific network events initiated by MExE MS applications/applets.
  3. The privacy of user data in the MS is of paramount importance.
  4. The SIM and operator controlled areas within the terminal are the property of the network operator. The network operator shall therefore have full control over access to the SIM and operator controlled area. The operator shall also have full control over data, excluding personal user data, transmitted to or from the SIM and the operator controlled terminal area, and over all events initiated by the SIM or operator controlled area (“event” includes responses made to external events, e.g. the response to a command sent from the ME).
  5. As the user cannot know the capabilities of any MExE executables transferred from a MExE service environment before transfer, the MS MExE environment shall ensure that transferred MExE executables cannot compromise the above principles.

11.2 Security Requirements

  1. For MExE executables of the operator, manufacturer and user trusted security domains, as defined in clause 11.3, it shall be possible to authenticate the identity of the body that authorised the application, applet or content.
  2. There shall be a secure, unforgeable means for assigning the security domains defined in section 11.3 to the MExE executables transferable from the MExE service environment.
  3. The certification of authorisation associated with MExE executables transferable from the MExE service environment shall be transferred with the certified material.
  4. The MExE MS shall be able to verify the security domain, as defined in section 11.3, of MExE executables transferred from the MExE service environment.
  5. The verification process in the MS itself shall not compromise the security of the functionality and content in the MS.
  6. Transferred material that fails verification shall not be installed and shall be deleted by the terminal as soon as possible.
  7. MExE executables that cannot be verified due to the absence of required verification information in the MS, shall be considered as untrusted material, as defined in section 11.3.
  8. The events that MExE executables are given permission by the user to initiate shall be securely recorded in the user profile.
  9. There shall be mechanisms within the MExE MS for ensuring that applications cannot have access to MS functionality and content beyond that allowed by their security domain, as defined in section 11.3.
  10. It shall be possible for the user to downgrade MExE executables of operator, manufacturer or user trusted domain status to untrusted status, at installation or at any other time.
  11. The MExE MS shall be able to detect if MExE executables transferred from the MExE service environment have been modified since they were assigned a security level.
  12. MExE executables shall not be transferred to a MExE MS without the explicit permission of the MS user immediately prior to transfer or implicit permission via the user profile.
  13. Applications and applets transferred to a MExE MS shall not be able to initiate events without the explicit permission of the MS user immediately prior to event initiation or implicit permission via the user profile.
  14. The user profile data for transfer and event initiation cannot be changed without the explicit agreement of the user.
  15. The user shall be able to abort or suspend any on-going call that has been set up automatically by an application.
  16. The integrity of the SIM and existing GSM security mechanisms shall not be compromised by the introduction of MExE services.
  17. The user shall be able to request the logging of specific network events initiated by MExE MS applications/applets.
  18. MExE MS applications/applets shall not be able to send command RUN GSM ALGORITHM to the SIM.

11.3 Security domain classifications

The security domain of MExE executables shall be graded according to the measure of authorisation which they have been designated. The following three domains shall be supported for MExE executables (the “sandbox” in which untrusted MExE executables run is not considered to be a domain):

– MExE Security Operator Domain (used by the HPLMN operator);

MExE executables designated at this security domain have been authorised by the network operator (i.e. HPLMN).

– MExE Security Manufacturer Domain (system MExE executables);

MExE executables designated at this security domain have been authorised by the MExE MS manufacturer.

– MExE Security User Trusted Domain (trusted applications, applets and content);

MExE executables designated at this security domain have been written by user trusted software developers and verified as user trusted domain material (but not with regard to their content) via organisations such as certification authorities.

– MExE Security Untrusted (untrusted applications, applets and content);

Untrusted MExE executables have not been supplied with an associated authorisation, or the authorisation cannot be verified due to the absence of required verification information in the MExE MS.
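The following is an added illustrative model of how an MS could apply requirements 3, 4, 6, 7, 10 and 11 of clause 11.2 together with the domain classification of clause 11.3; it is not part of the 3GPP specification. The trust anchors and executables are constructed, and a keyed HMAC stands in for the signature scheme, which the text does not specify.

```python
import hashlib
import hmac

# Constructed trust anchors held in the MExE MS, one per domain of clause 11.3.
# A keyed HMAC stands in for the (unspecified) certification signature scheme.
TRUST_ANCHORS = {
    "operator": b"hplmn-operator-root-key",
    "manufacturer": b"manufacturer-root-key",
    "user_trusted": b"user-trusted-ca-root-key",
}

def certify(domain, payload, anchors=TRUST_ANCHORS):
    """Authorising body certifies the executable; the result travels with it (req. 3)."""
    sig = hmac.new(anchors[domain], payload, hashlib.sha256).hexdigest()
    return {"domain": domain, "signature": sig}

def classify(executable, anchors=TRUST_ANCHORS, user_downgrade=False):
    """Assign a security domain and an installation action to a transferred executable.
    Returns (domain, action); action is 'install_in_domain', 'install_untrusted'
    (run in the sandbox) or 'delete' (failed verification, req. 6)."""
    payload = executable["payload"]
    cert = executable.get("certification")
    # Req. 7: no authorisation supplied at all -> untrusted material.
    if cert is None:
        return ("untrusted", "install_untrusted")
    key = anchors.get(cert["domain"])
    # Req. 7: the MS lacks verification information for this domain -> untrusted.
    if key is None:
        return ("untrusted", "install_untrusted")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Req. 4/6/11: a forged certification, or a payload modified after
    # certification, fails verification and must not be installed.
    if not hmac.compare_digest(expected, cert["signature"]):
        return (cert["domain"], "delete")
    # Req. 10: the user may downgrade trusted material to untrusted status.
    if user_downgrade:
        return ("untrusted", "install_untrusted")
    return (cert["domain"], "install_in_domain")

def assignment_record(executable):
    """Digest stored when the domain is assigned, so later modification is detectable (req. 11)."""
    return hashlib.sha256(executable["payload"]).hexdigest()

def unmodified_since_assignment(executable, record):
    """True if the installed executable still matches its assignment-time digest."""
    return hmac.compare_digest(assignment_record(executable), record)
```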