Application Development: Creating Trust From The Ground Up

By John Grimm, Senior Director, Thales e-Security

Businesses are enjoying significant new levels of efficiency with the adoption of cloud-based services and mobile computing. These trends have grown at astonishing rates, lowering costs, and creating growth in almost every industry.

However, these technologies are increasing the proportion of business logic that resides and executes on insecure devices. Given this landscape, anyone developing code that will run in distributed locations needs to help ensure the integrity of their software as it runs in environments over which they have minimal control. But how can organizations create trust in inherently untrustworthy environments? Businesses are coming back to this question time and time again as they navigate a world that is increasingly connected, distributed, and virtualized.

A sign of this tension is Facebook’s recent announcement that, starting this month, application developers will be required to move to a more secure type of hashing algorithm in support of digital signatures for their apps. The value of signing keys is a closely related component of this conversation. Although they don’t encrypt data, signing key security is the backbone of code signing technology, used to verify the source of software, prove it has not been tampered with since it was published, and verify the identity of the publisher.

This latter point is particularly important — today’s major operating systems all present warning dialogs to users prior to installing software, highlighting the lack of information about the publisher if the software is unsigned. Over time, user awareness of the risks of installing software from unknown, or untrusted, publishers has significantly increased, contributing to the likelihood of users abandoning the installation process on these grounds.

Please log in or register below to read the full article.