As electronic devices become more versatile, a need has arisen to protect certain functions of the electronic devices in such a manner that access to the functions can be attained only through authorized programs. For example, mobile phones have been developed into communication devices suitable for versatile data processing, in which it is also possible to execute programs other than those necessary for implementing phone calls. It is also possible to install new programs in such devices, and already installed programs can be updated to newer versions. However, mobile phone functions, for example, require a certain degree of assurance that a given program is not capable of, for example, determining information stored in the SIM card or making phone calls to the mobile communication network with inaccurate identification data so that another mobile subscriber is charged for the calls. In a corresponding manner, in devices containing for example functions relating to monetary transactions, such as using the device as a means of payment, it must be ensured that an erroneous or inappropriate program is not allowed to affect the monetary transactions or to change, for example, the data on the amount of money stored in the device.
For situations of the above kind, the software of the device is provided with a protected part in which the necessary trust checks and the functions relating to encoding and decoding are performed. Furthermore, such devices typically contain an operating system that is used e.g. for controlling the functional blocks of the device and for transmitting data between different blocks. An interface is implemented between the operating system and the protected part, and information is transmitted via said interface between the operating system and the protected part. For example, an encrypted message received in the device is transmitted to the protected part, in which decryption is performed, whereafter the decrypted message can be transmitted to the operating system for further processing.
The programs executed in the device can be divided into various levels of authorization to use. The programs can be divided, for example, into programs that do not have any authorization to use functions requiring trust, and programs that have the possibility to process at least some of the functions requiring trust. Thus, when a program is started, the operating system or the protected part checks the program's authorization to use and prevents or allows the access of the program to certain functions. The act of determining the authorization to use may be based, for example, on the origin of the program, wherein it is possible to provide, for example, a program produced by the manufacturer of the device with wider authorization to use than a program produced by a third party. On the other hand, the manufacturer of the device can, for example, provide a particular program vendor with wider authorizations (greater trust) than others, wherein it is possible to provide programs of more trustworthy program vendors with wider authorization to use than programs having a lower or undetermined vendor trust level.
One problem in devices of the above kind is that when new programs are developed or already existing programs are developed further, it should be possible to test the programs in an environment as authentic as possible. If such a program is given the authorization to use functions requiring trust, there is a danger that the program under development is not safe but contains an error that has a harmful effect on the aforementioned functions which require trust. Denying the authorization to use, on the other hand, prevents extensive testing of such a program in an authentic device. The use of a test device in the testing does not necessarily reveal all the flaws and defects of the program, wherein the final program version may still be defective or flawed in spite of the testing.
In some prior art solutions, the trust level of the entire device has been lowered for the duration of the testing. Thus there is a risk that the tester or a third party manages to start in the device a program that obtains confidential information relating to the security functions of the device, or that utilizes the device in a data network to obtain secret or confidential information.