Manage your own security domain on your smartphone

Mobile network operators’ role as keystone players in the smartphone ecosystem is challenged by other actors and technologies that aim to reduce the importance of the Universal Integrated Circuit Card (also known as SIM card). Modern Universal Integrated Circuit Cards are Java Cards that also include a Global Platform conformant Secure Element, usually under the mobile operator’s control. We argue that mobile operators still have the opportunity to defend their role by offering easy access for customers and service providers to the Secure Element on the Universal Integrated Circuit Card for storing data and executing applications with high demands for security. The mobile operators could let the customers or service providers own and manage their private Global Platform specified supplementary security domain on the Secure Element. Such access to supplementary security domains on the Universal Integrated Circuit Card can enable new ecosystems and new business models created around this asset. This paper describes a novel smartphone, customer and service provider oriented, technical approach to management of the secure element. We have designed and implemented SecurePlay, a client side, proxy based "lightweight" Trusted Service Manager prototype and have successfully used it to manage Secure Elements on Universal Integrated Circuit Cards in the Telenor operated mobile phone network in Norway. SecurePlay allow operators to cost efficiently enable end users’ ownership and operation of their own private security. Implementation details of a proof-of-concept prototype are presented.