BREW essential security


Mobile communication networks are moving to bearer networks built around IP, and service networks will increasingly rely on these IP-based bearer networks. The existing IP bearer network, however, cannot by itself guarantee the corresponding security and trustworthiness, and the misuse and loss of control of encryption technology pose further threats to information security. As a value-added mobile service platform, BREW provides its own distinctive security measures.

4.3.4.1 System Security
Because security is such a broad topic, even the OSI layered network model has security at each of its layers. Security at an upper layer is meaningful only once the security of the layers below it is guaranteed, and some of that security carries over from one layer to the next. Therefore, before an application system can claim to be secure, it must have adequate security at each of these layers. Ordered from coarse to fine granularity, they are system-level security, program resource access control security, functional security, and data domain security. System-level security concerns differ greatly from one system to another; most business systems do not even address system-level security issues.

1) System-level security: BREW's system-level security is determined by the wireless bearer network. Taking a CDMA network as an example, it can restrict access by IP segment, restrict logon time periods, limit connections, and limit the number of logins within a given period. This is the first line of defence of the application system.

2) Resource access control security: on the BREW client, each application is given settings that describe its permissions, and only functions matching those permissions can be executed.

3) Functional security: functional security affects the BREW application process itself. To ensure the security of BREW applications, every commercial BREW application is strictly tested; that is, third-party independent testing (TRUE BREW Testing) ensures the security of the value-added service functions.

4) Data domain security: in BREW, the primary control over the data domain is the enforcement of digital signatures. A program that is not properly registered cannot execute, and the BREW execution environment starts and enforces all other controls and defences. The digital signature is a powerful weapon in the security field. The root key is kept in VeriSign's vault, and VeriSign also operates a security mechanism around that key, including password-based key checking.

In addition, BREW-based distribution channels for value-added mobile services are one-directional. Once an application has received its commercial digital signature it is never modified again, and it remains protected by that signature from then on. Apart from over-the-air (OTA) delivery and pre-installation authorised by the operator, a developer's applications on the BDS download server are generally not accessible to, or tamperable by, anyone else. Any modification on the handset, even of a single byte, is detected and blocked, so a virus is very unlikely to spread. In other words, application release is not a peer-to-peer process, so the traditional high-speed path for virus propagation does not exist. Resource access control security makes it impossible for one program to alter or encroach on another. With almost no possibility of spreading, virus writers are left with little more than a sigh.

4.3.4.2 terminal security
BREW uses a mechanism named AEESafeMode to prevent device crashes caused by faulty BREW applications. After a mobile device crashes for the first time, this mechanism places the device in monitoring mode and starts a timer when the device restarts. The timer duration is configured by the handset manufacturer.

If the timer expires, the mechanism switches the run level back to normal mode. If the device crashes again before the timer expires, it enters safe mode when it restarts and starts the timer again. Until the device returns to normal mode, all BREW application creation is disabled. Normal mode can be restored by calling or upgrading the problematic application. The following chart shows the transitions between normal, monitoring, and safe modes.

Figure 4-9: AEESafeMode mechanism in BREW (diagram not reproduced; it shows the transitions between normal, monitoring and safe modes described above)
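The state machine described in this subsection, written out as an added C example; it is not code from the original article or from Qualcomm's BREW implementation. The mode names, the 300-second timer length (in reality set by the handset manufacturer) and the explicit "faulty applet upgraded" event are assumptions made for the illustration.

```c
/* Added example (not from the original article or from Qualcomm's BREW code):
 * a model of the AEESafeMode crash-recovery behaviour described above.
 * Assumptions: the mode names, the 300 s timer length (set by the handset
 * manufacturer in reality) and the 'U' "faulty applet upgraded" event. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { MODE_NORMAL = 0, MODE_MONITORING = 1, MODE_SAFE = 2 } run_mode_t;

typedef struct {
    run_mode_t mode;
    unsigned timer_remaining_s;   /* 0 means no timer is running */
} safemode_t;

#define SAFEMODE_TIMER_S 300u     /* assumed manufacturer-configured value */

void safemode_init(safemode_t *s) {
    s->mode = MODE_NORMAL;
    s->timer_remaining_s = 0;
}

/* The device has restarted after a crash attributed to a BREW applet. */
void safemode_on_crash_restart(safemode_t *s) {
    /* first crash from normal mode: start monitoring; a crash while the
       timer is still running (monitoring or safe mode): drop to safe mode */
    s->mode = (s->mode == MODE_NORMAL) ? MODE_MONITORING : MODE_SAFE;
    s->timer_remaining_s = SAFEMODE_TIMER_S;   /* (re)start the timer */
}

/* Time passes; when the timer expires the run level returns to normal. */
void safemode_tick(safemode_t *s, unsigned elapsed_s) {
    if (s->timer_remaining_s == 0) return;
    if (elapsed_s >= s->timer_remaining_s) {
        s->timer_remaining_s = 0;
        s->mode = MODE_NORMAL;
    } else {
        s->timer_remaining_s -= elapsed_s;
    }
}

/* The article says upgrading the faulty applet restores normal mode;
   modelled here as an explicit event (assumption). */
void safemode_on_applet_upgraded(safemode_t *s) {
    s->mode = MODE_NORMAL;
    s->timer_remaining_s = 0;
}

/* Only safe mode blocks the creation of BREW applets. */
bool safemode_applet_create_allowed(const safemode_t *s) {
    return s->mode != MODE_SAFE;
}

/* Replay a script of events: 'C' crash and restart, 'T' the whole timer
   elapses, 'H' half the timer elapses, 'U' the faulty applet is upgraded. */
static void safemode_replay_into(safemode_t *s, const char *events) {
    safemode_init(s);
    for (; *events; events++) {
        switch (*events) {
        case 'C': safemode_on_crash_restart(s); break;
        case 'T': safemode_tick(s, SAFEMODE_TIMER_S); break;
        case 'H': safemode_tick(s, SAFEMODE_TIMER_S / 2); break;
        case 'U': safemode_on_applet_upgraded(s); break;
        default:  break;   /* unknown event characters are ignored */
        }
    }
}

run_mode_t safemode_mode_after(const char *events) {
    safemode_t s;
    safemode_replay_into(&s, events);
    return s.mode;
}

bool safemode_create_allowed_after(const char *events) {
    safemode_t s;
    safemode_replay_into(&s, events);
    return safemode_applet_create_allowed(&s);
}

int main(void) {
    static const char *const names[] = { "normal", "monitoring", "safe" };
    const char *scripts[] = { "C", "CT", "CHC", "CHCHH", "CHCU" };
    for (size_t i = 0; i < sizeof scripts / sizeof scripts[0]; i++)
        printf("%-6s -> %s, applet creation %s\n", scripts[i],
               names[safemode_mode_after(scripts[i])],
               safemode_create_allowed_after(scripts[i]) ? "allowed" : "blocked");
    return 0;
}
```

The replay scripts make the two properties of the mechanism visible: a single crash only starts monitoring and leaves applet creation enabled, while a second crash inside the timer window disables creation until either the full timer runs out or the faulty applet is replaced.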

4.3.4.3 Content Security
For application content, BREW provides complete application authentication and management (Figure 4-10) to ensure that an application downloaded by a user can be used only by that customer. This effectively prevents illegal copying and piracy of application software and protects the legitimate rights and interests of operators, developers, and users.

Figure 4-10: BREW application authentication management and digital signature (diagram not reproduced). The boxes recovered from the diagram read: BDS; ADS uses the private key to sign the license; BREW application digital signature; client information; rules; ADS uses the public key to decrypt; client license verification; ADS responds to the client's authentication request; signature operation; signature verification; client information verified against terminal information.

A mobile phone is a device on which security matters, so the applications used on it must also be secure. Digital signatures are the means of establishing that trust. No application can run in BREW without the electronic signature of the developer or the carrier. An application whose digital signature may have been replaced is treated as possibly infected with a virus and therefore cannot run in the BREW environment. BREW requires two electronic signatures: the first covers the downloaded application, and the second confirms the application after download, which prevents the downloaded application from being tampered with and turned into a different program.
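The two-signature check described above, and the "even one byte" detection claim from the system security subsection, as an added C example; this is not code from the original article, from Qualcomm or from VeriSign. It is a toy model: the tiny RSA parameters, the use of FNV-1a as the digest, the terminal-id format and the sample applet image are all constructed for illustration, whereas real BREW signatures use full-size keys held by VeriSign and a cryptographic hash. Signature 1 covers the applet image as downloaded; signature 2 (the license) covers the image together with the terminal identity, so a signed copy moved to another handset fails.

```c
/* Added example (not from the original article or from Qualcomm/VeriSign code):
 * a toy model of BREW's two-signature check.  Assumptions: the tiny RSA
 * parameters, FNV-1a as the digest, the terminal-id format and the sample
 * image are constructed for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_P   65537ULL               /* toy primes, chosen so that n > 2^32 */
#define TOY_Q   131071ULL
#define TOY_N   (TOY_P * TOY_Q)        /* 8590000127 */
#define TOY_PHI ((TOY_P - 1) * (TOY_Q - 1))
#define TOY_E   65537ULL               /* coprime with TOY_PHI */

/* (a * b) mod m by shift-and-add so nothing overflows 64 bits (m < 2^34). */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    uint64_t r = 0;
    a %= m; b %= m;
    while (b) {
        if (b & 1) { r += a; if (r >= m) r -= m; }
        a <<= 1; if (a >= m) a -= m;
        b >>= 1;
    }
    return r;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Extended Euclid: the private exponent d with e*d == 1 (mod phi). */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)a;
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* 32-bit FNV-1a, resumable so the license digest can chain image || terminal id. */
#define FNV_INIT 2166136261u
static uint32_t fnv1a32(uint32_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Signing side (ADS/carrier, private key): s = H^d mod n. */
uint64_t toy_sign(uint32_t digest) {
    return powmod(digest, modinv(TOY_E, TOY_PHI), TOY_N);
}
/* Verifying side (handset, public key): s^e mod n must equal the fresh digest. */
int toy_verify(uint32_t digest, uint64_t sig) {
    return powmod(sig, TOY_E, TOY_N) == digest;
}

/* Signature 1 covers the image; signature 2 covers image || terminal id. */
uint32_t app_digest(const uint8_t *img, size_t len) {
    return fnv1a32(FNV_INIT, img, len);
}
uint32_t license_digest(const uint8_t *img, size_t len, const char *terminal_id) {
    uint32_t h = fnv1a32(FNV_INIT, img, len);
    return fnv1a32(h, (const uint8_t *)terminal_id, strlen(terminal_id));
}

/* The check the execution environment runs before an applet may execute. */
int brew_applet_may_run(const uint8_t *img, size_t len, const char *terminal_id,
                        uint64_t app_sig, uint64_t license_sig) {
    if (!toy_verify(app_digest(img, len), app_sig)) return 0;                      /* image altered */
    if (!toy_verify(license_digest(img, len, terminal_id), license_sig)) return 0; /* wrong handset */
    return 1;
}

/* Constructed sample applet image; not a real BREW module. */
static const uint8_t kImage[] = "BREW-APPLET-SAMPLE:hello_world.mod:v1.0";
#define kImageLen (sizeof kImage - 1)

/* 0: genuine applet on the licensed handset; 1: one bit of the image flipped
   after signing; 2: the signed applet copied to a different handset. */
int scenario(int which) {
    uint8_t img[kImageLen];
    const char *licensed = "TERM-0001", *other = "TERM-0002";
    memcpy(img, kImage, kImageLen);
    uint64_t app_sig = toy_sign(app_digest(img, kImageLen));
    uint64_t lic_sig = toy_sign(license_digest(img, kImageLen, licensed));
    if (which == 1) img[kImageLen - 1] ^= 0x01;   /* tamper after signing */
    return brew_applet_may_run(img, kImageLen, which == 2 ? other : licensed,
                               app_sig, lic_sig);
}

int main(void) {
    printf("genuine: %d, tampered: %d, copied: %d\n",
           scenario(0), scenario(1), scenario(2));
    return 0;
}
```

The private exponent is derived and used only inside toy_sign, standing in for the signing server; the handset side needs only the public exponent and modulus. Flipping a single bit of the image changes the digest, so the first signature no longer verifies, and presenting the same signed applet with a different terminal id fails the license check even though the image itself is untouched.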

This article is from the CSDN blog; please indicate the source when reproducing it: http://blog.csdn.net/wireless_com/archive/2009/07/22/4369929.aspx
