The OSGi platform is a lightweight management
layer over a Java virtual machine that makes
runtime extensibility and multi-application support possible
in mobile and constrained environments. This powerful
capability opens a particular attack vector against mobile
platforms: the installation of malicious OSGi bundles. The
first countermeasure is the digital signature of the bundles.
We developed a tool suite that supports the signature, the
publication and the validation of the bundles in an OSGi
framework. Our tools support the publication of bundles
onto a remote bundle repository as well as the validation
of the signature according to the OSGi R4 specifications. A
comparison of existing validation mechanisms shows that
our security layer is the only one that is compliant with
the specification.
