Articles Hosted Cloud Apps News Technology Web Security Web Security

Understanding Role of Code Signing Certificates in Mobile Application Security

Mobile Applications have met with wide acceptance globally, thanks to their easy installation, streamlined interface, great user experience, and the ability to download them easily via online and offline stores. They lower the technical barriers and offer a simple and enjoyable user experience.

Mobile application has become a giant business in the last few years, and is still growing, opening multiple doors of opportunities for software developers. Customers spend a fairly good amount of money on mobile applications because although there is no dearth of free applications out there, they come with a trial period. In 2012, it is estimated that consumers spent approx. 14 billion dollars on downloading mobile applications. A number as big as that indicates a rapid evolution of mobile applications in the technology arena , and with this evolution are increasing security risks, which make mobile devices vulnerable to online fraud.

A recently released report says more than 28% of android apps and 34% of apple apps are based on the user tracking function, which puts the user data in even greater danger. Why? Because, instead of making a malware program, it is easy for hackers to hijack the application and steal the data of the user. All they need to do is change a few lines of code and inject malware to steal user’s information.

Self-Signed Certificate
Many storefronts and websites recognize the gravity of such attacks and take proper steps for application security. Most of them rely on digital signatures to verify the identity and reliability of application developers. However, that is not enough. Many websites and online stores will show you a ‘self signed certificate’ to indicate software’s security as such certificates are signed and authenticated by a person himself and not by trusted authorities. This is where a code signing certificate comes in the picture.

Code Signing Certificate
Code Signing Certificate plays a vital role in checking reliability of a third party application provider. It assures customers about the code integrity; that the developer who built a particular application is legitimate and the code has not been changed since it was signed.

How Does Code Signing Work?
Code Signing Certificate provides surety of each piece of code and manifests the identity. Below is the process of the Code Signing Certificate.

  • A Certificate authority validates software developer’s identity and authenticity.
  • Certificate authority then issues a developer ID which is used to sign a code.
  • The developer then utilizes code with the developer ID and signs files and sends them to certificate authority.
  • Finally, the re-signed and authenticated content is ready for distribution.

Time Stamping
A code that is being signed by a Code Signing certificate is reliable for a certain period and after that you have to renew it. In case if it is not renewed then your certificate will become worthless. To avoid such situation, Time stamping feature is necessary for a Code Signing Certificate. When you sign a code, a hash of your code is sent to a certificate authority for time stamping. Time stamping is essential when you allocate signed documents and assures that the code will not lapse when the certificate expires. If you ignore time stamping, then you have to resign your code and re-send out to customers. A warning “Unknown date and time” will come out when the file has not been time stamped.

Conclusion: Code Signing is essential for mobile device manufacturers, network platforms and software developers. These three are connected with each other in the mobile application market. Code Signing certificate helps developers in increasing downloads and thereby earning more revenue with distributing high volume of software.

Articles News Web Security Web Security

What is a Code Signing Certificate and How Does it Work?

There is a common misconception that Security certificates are just for Web servers. Many certificates, and code-signing certificates in particular can be useful in a plethora of fields; they can make your enterprise more secure, make your software more accepted, and even stop malware in its tracks. A Code Signing Certificate is a technology which includes the process of validation for publishers of software, content, code, and scripts based on a digital signature to authenticate their identities to web users. In addition to identifying the identity of the publisher, code signing also protects the code from being tampered with.

How to get a Code Signing Certificate?
Code Signing Certificates depend on a digital signature technology, which is issued by an internationally trusted third party called Certificate Authority (CA). A Code Signing Certificate from a trusted Certificate Authority (CA) will identify the software and publisher as trustworthy. For example, VeriSign / Symantec and Thawte utilize digital IDs for application designers. When a programmer applies for a digital ID, it is necessary to provide confirmation of identification. A public/private key couple is produced when the certificate is issued. The key continues to be on the requester’s computer and is never sent to the CA and should not be shared with anyone. The community key is presented to the CA with the certificate.

Once the certificate is issued, the developer uses the private key associated with that group key to sign the content, code, or script. When web users download the signed code, they get a copy of the certificate to authenticate the identity of the publisher/author. The Web browser verifies the digital signature, and the user trusts that the code did indeed come from that particular developer.

What happens when a Code Signing Certificate is issued:

  • The code is put through a one-way hash function. This creates a “digest” of fixed length.
  • The developer’s private key is used to encrypt this digest.
  • The digest is combined with the certificate and hash algorithm to create a signature block.
  • The signature block is inserted into the portable executable file.

Steps of Authentication Process When Code is Downloaded From Another User:

  • The certificate is examined and the developer’s public key is obtained from the CA.
  • The digest is then decrypted with the public key.
  • The same hash algorithm that was used to create the digest is run on the code again, to create a second digest.
  • The second digest is compared to the original.

Advantages of using a Code Signing Certificate:

Protects Your Code
A digital signature indicates that a piece of code belongs to you and has not been corrupted with malware. Unsigned code presents frightening warning messages in an attempt to limit the chance of malicious code harming a user’s PC, device, or network.

Increases Adoption
Because of the proliferation of malware disguised as legitimate software, customers view any software downloaded from the Web with extreme suspicion. Unexpected warning messages from their OS or browser such as those resulting from unsigned code, no matter how benign, cause many users to cancel the install.

Protects Your Reputation
Consumers expect a smooth installation process; warning messages look unprofessional and create suspicion. Code Signing allows you to forgo these types of messages and helps you train your customers to only trust digitally-signed code.

Meets the Requirements of Your Partners
Your partners and distribution channels want to ensure that they are not risking their reputation and their customers’ safety by distributing your code. Digital signatures allow them to verify that the content they are sharing is legitimate.

Simplifies Monitoring and Enforcement
A digital signature using a Code Signing Certificate helps identify the authenticity of signed code, making it easy to screen for modified files. With a DigiCert Time-stamp, any signed code remains valid even after the certificate expires. The time stamp tells users that you had a valid certificate when the software was signed.