Load time code validation for mobile phone Java Cards

Over-the-air (OTA) application installation and updates have become a common experience for many end-users of mobile phones. In contrast, OTA updates for applications on the secure elements (such as smart cards) are still hindered by the challenging hardware and certification requirements.The paper describes a security framework for Java Card-based secure element applications. Each application can declare a set of services it provides, a set of services it wishes to call, and its own security policy. An on-card checker verifies compliance and enforces the policy; thus an off-card validation of the application is no longer required.The framework has been optimized in order to be integrated with the run-time environment embedded into a concrete card. This integration has been tried and tested by a smart card manufacturer. In this paper we present the architecture of the framework and provide the implementation footprint which demonstrates that our solution fits on a real secure element. We also report the intricacies of integrating a research prototype with a real Java Card platform.