IoT security. Is there an app for that?

By Brandon Lewis


Embedded Computing Design

June 17, 2014

IoT security. Is there an app for that?

The Internet of Things World conference investigates IoT application development, security, and business models.

Let’s be honest. When was the last time you read the ‘Terms and Conditions’ before downloading a smartphone or tablet app? No? Okay, I’ll go first.

I think I saw something about that before downloading a free flashlight app I used to find widowed socks under the bed. Then a couple weeks later this happened:

Android Flashlight App Developer Settles FTC Charges It Deceived Consumers: ‘Brightest Flashlight’ App Shared Users’ Location, Device ID Without Consumers’ Knowledge.


For Millennials like myself, the “information required” asterisk that accompanies “free” app price tags has, to date, typically carried with it the annoying but tolerable consequences of irritating pop-ups, not-so-coincidental banner ads, or spam emails that are deleted before ever being opened. With today’s smartphone, tablet, and other web-based applications, this is an expected norm. But while we currently assume that regulatory compliance and company reputation provide a level of security to our online interactions and identities, third party advertisers will be the least of our worries in the app-centric Internet of Things (IoT).

For the average person, the IoT will have the greatest day-to-day impact by blending data from multiple sources, essentially creating “personal profiles” that optimize the environment to fit tastes, habits, and schedules. But, for all the potential that melding location, usage, and other types of data brings, it also changes the game from a security perspective in that no longer is just personal and financial data at risk, but also physical infrastructure and devices that could have a direct impact on people’s lives. Take, for example, the possibility of wearable electronics issued to patients after being released from the hospital. They could conceivably:

  • Transmit location-based information so emergency services can respond to a traumatic event
  • Store and forward biometric, nutritional, and Personal Health Record (PHR) data for remote patient monitoring
  • Remotely administer topical or intravenous medication

Patient excluded, four parties could reasonably require access to application data: physicians, emergency responders, insurance providers, and the device manufacturer (not counting business associates that provide billing or legal services). While HIPAA outlines privacy rules for some of the described data, multi-source information could conceivably be accessed regularly by multiple individuals. How can we ensure that only relevant data is available to each entity, and, summoning Edward Snow

den and the Target data breach, that the information provided is securely stored and handled?

This is a big question for the IoT, as it requires enterprise-class application protection that spans from the device to back-end infrastructure. From a software perspective, this requires a layered approach to security that ensures applications are uncompromised from initial execution through future access.

As a widely used and highly scalable software platform, Java has traditionally used a sandboxing approach that isolates application execution within certain processes (so, Location-Based Services (LBSs) in our example could be activated once a biometric alert is issued). However, to manage the complexity of IoT security, Oracle has developed a number of technologies to improve data integrity from edge to cloud:

  • Application security (Java Card) –Originally developed to secure sensitive information on smart cards, Java Card technology encapsulates application data within a Virtual Machine (VM) environment that is isolated from the Operating System (OS) and hardware, and uses containers to partition individual applications from each other as well. “Applet firewalls” between various applications are used to monitor and restrict data access from one application to another.

    Java Card VMs extends the container security model to resource-constrained Internet of Things devices using “applet firewalls” that protect sensitive application data.

  • Device security (Java ME) – The recently released Java Platform, Micro Edition 8 (Java ME 8), was designed for small- to gateway-sized device development, and includes the Security and Trust Services API (SATSA), which is a collection of security-related functionality that includes encryption and decryption, user credential management, and other security provisions. SATSA can also leverage the Java Card Remote Method Invocation (JC RMI) and APDU protocol to communicate with smart cards, which enables a streamlined security and scalability from very small target devices to larger embedded systems.

Java ME 8 is supported by System-on-Chip (SoC) platforms from vendors such as Freescale, Qualcomm, and ST Microelectronics, and recently added a port for Raspberry Pi as well.

  • Network security (Oracle Identity Management) – For sensitive data being stored locally or in the cloud, Oracle Identity Management is a suite of enterprise-level authentication and authorization controls for information that needs to be accessed remotely and/or by multiple parties. In addition to mobile security features that provide secure application containerization for BYOD-style access, identity governance and access management tools also help simplify regulatory compliance.

Access Management, Identity Governance, and Mobile Security are key elements of the Oracle Identity Management (OIM) technology suite.

The business case for an IoT world

As consumer awareness rises about the risks and rewards of the IoT, comprehensive security will have a greater impact on the company reputations buyers rely on for connected applications; and, without consumer confidence, IoT apps and services will struggle to become the $19 trillion market some analysts project.

On June 17th and 18th, the Internet of Things World conference in Palo Alto, CA is assembling more than 100 speakers from across the embedded industry to define and discuss challenges like IoT application development, and will include keynotes such as “Building the Business Case for IoT” from Oracle’s Henrik Stahl. You can view the event program or find out how to take part at

If you’re interested in meeting at the show or just want to talk tech, feel free to drop me a line. Meanwhile, I’ll be looking for an app that reads the terms and conditions of my apps, although I guess I’d have to read those terms and conditions too. But nah, they’d at least have to have my best interest in mind, wouldn’t they?

For more on protecting data in the IoT, read “Internet of Things security concerns.

Brandon Lewis, Technology Editor

Brandon is responsible for guiding content strategy, editorial direction, and community engagement across the Embedded Computing Design ecosystem. A 10-year veteran of the electronics media industry, he enjoys covering topics ranging from development kits to cybersecurity and tech business models. Brandon received a BA in English Literature from Arizona State University, where he graduated cum laude. He can be reached at [email protected].

More from Brandon