Session: BONDI Widget Security

Presenter: Paddy Byers
Room: Huxley 344B
Time: 13:00 – 13:55; Friday 25 September

Web applications on mobile devices depend on the ability to access services or data associated with the phone platform – whether it is access to information about the phone’s location, or access to personal information – and application environments need to provide access to these features. In the past, this has been a problem because there has been no standardised mechanism for a web application to do this. During 2008, the OMTP launched the BONDI initiative to address this shortfall, and published the BONDI v1.0 specification in May 2009.

The viability of this new application environment depends on being able to protect the user from exposure to security risks. Without this protection, hostile sites or Widgets could compromise user data, expose the user to additional cost, spread viruses, or steal personal data. To address this, BONDI developed a fine-grained and configurable access control system that mediates all accesses by web applications to JavaScript device APIs. Security policies, which contain the access control rules, can be configured via an openly specified format.

This talk will examine the access control system and other security aspects of the BONDI specification. It explains the key requirements and constraints that BONDI sought to address, and explains the security concepts, architecture and specification in detail.