Organization standardizes the interface between web
applications and secure elements, enabling secure storage and processing for online
12 January, 2017 – GlobalPlatform has defined a standardized
communications interface between web applications and secure element (SEs), which
will enable developers of web services to build in advanced security features to protect
online services against many types of attack and fraud.
By allowing web services to utilize a dedicated tamper resistant piece of hardware
within a device, known as a SE, the newly released Web
API for Accessing Secure Elements v1.0 enables sensitive data from online
applications to be securely stored and processed in a secure, isolated environment. By
doing so, it enables web services to address multiple use cases that are central to the
deployment of value added services:
- Authentication – access to an online service may be protected by
a strong authentication mechanism based on credentials stored and processed
within a SE.
- Digital signatures – web applications may use a digital signature to
digitally sign a document or data with a key stored in the SE.
- Payment – when online commerce transactions are made via a
mobile device, the payment application may be hosted on the SE within a device, to
enforce the security of the online transaction. This may alleviate the need for the user to
handle multiple physical devices (e.g. a mobile device plus a payment card).
- Credential provisioning – a web service may update the content of
the SE to install, update or remove an application or credential it may hold. For
example, a public transport app may credit a user’s NFC-enabled transport card or
mobile device with tickets bought online. The tickets would be stored securely in the SE,
ensuring access only to authorized parties.
By extending the benefits of GlobalPlatform’s secure, standardized infrastructure to
web services for the first time, Web
API for Accessing Secure Elements v1.0, presents web app developers with
advanced security options which may help them to overcome multiple security challenges
presented by the increasing connectivity of mobile devices. The new API enables
web-based applications to access SEs of any form factor, including UICC or eUICC,
embedded SEs and smart micro SD cards.
Gil Bernabeu, GlobalPlatform’s Technical Director, comments: “The release of this
API extends the highest levels of security available currently to web services,
empowering online service providers to take advantage of new use cases to protect their
assets and customers in a way that has not previously been possible.
“This is particularly relevant in light of the many security challenges that we face
globally as the Internet of Things (IoT) leads to an unprecedented volume of connected
devices and greatly increases the attack surface at risk. With this new API, used in
conjunction with other complementary GlobalPlatform technology for SE Access Control,
secure messaging and Trusted Execution Environment (TEE) standardization, online
service providers can now benefit from far greater security and privacy than ever
In October 2016, SIMalliance announced that it had transferred ownership of the
Open Mobile API (OMAPI) Specification to GlobalPlatform. The OMAPI Specification
defines how mobile applications may access different SEs in a mobile device and is
currently referenced by GSMA, mandated by EMVCo in devices used for contactless
payments, and implemented in over 250 models of Android NFC smartphone.
Gil concludes: “We are pleased that the release of this web API has come so quickly
following the transferral of ownership of the OMAPI Specification to GlobalPlatform.
Our goal is very much to expand the existing OMAPI Specification to serve new use cases
and environments and a web API is the logical next step towards ensuring that
secure and trusted applications across many platforms, in addition to Android, can utilise
the SE to offer enhanced security benefits.”
GlobalPlatform’s Web API for Accessing Secure Elements v1.0 has been
developed to be complementary to W3C standards, with no overlap of functionality.
Please visit the device specifications page of the GlobalPlatform website to access the
For further media information, please contact Rob Peryer or Erin Lovett at
firstname.lastname@example.org / email@example.com or
on +44 (0) 113 350
Keep up to date with the latest news from GlobalPlatform:
Notes to editors:
GlobalPlatform defines and develops specifications to facilitate the secure deployment
and management of multiple embedded applications on secure chip technology. Its
standardized infrastructure empowers service providers to develop services once and
deploy across different markets, devices and channels. GlobalPlatform’s security and
privacy parameters enable dynamic combinations of secure and non-secure services
from multiple providers on the same device, providing a foundation for market
convergence and innovative new cross-sector partnerships.
GlobalPlatform is the international industry standard for trusted end-to-end secure
deployment and management solutions. The technology’s widespread global
adoption across finance, mobile/telecom, government, healthcare, retail and transit
sectors delivers cost and time-to-market efficiencies to all. GlobalPlatform supports the
long-term interoperability and scalability of application deployment and management
through its secure chip technology open compliance program.
GlobalPlatform defines a TEE as a secure area in the main processor in a smartphone,
or any connected device. It ensures sensitive data is stored, processed, and
protected in an isolated and trusted environment.
As a non-profit, member-driven association, GlobalPlatform has cross-market
representation from all continents. 120+ members contribute to technical committees and
market-led task forces. For more information on GlobalPlatform membership visit www.globalplatform.org.