
Network World

Linux vendor strengthens smartphone security

A la Mobile’s Mobile Security Engine uses 128-bit AES encryption and digital certificates to protect the operating system.
By John Cox, NetworkWorld.com, 07/31/2007

Linux software vendor a la Mobile has released a security component that is designed to protect smartphones running the company’s mobile operating system.

The new code, called the Mobile Security Engine, uses 128-bit AES encryption and digital certificates to protect the operating system itself from being tampered with, as well as all files on the handset. It also creates a protected space, called a sandbox, where applications that lack digital signatures are stored and given only restricted access to a subset of the phone’s features and resources.

A la Mobile was founded in June 2005 with a bold ambition: to develop its Convergent Linux Platform (CLP), aimed at smartphone manufacturers, as a Linux alternative to Microsoft Windows Mobile, the Symbian operating system and PalmOS. The goal was to take a Linux kernel distribution and build around it all the features needed in a full-blown operating system, according to Pauline Alker, co-founder and CEO of a la Mobile, based in San Ramon, Calif. The company is funded by Venrock Ventures, based in Menlo Park, Calif.

Linux for mobile devices has plenty of fans, including Palm, which has said it will introduce a version of PalmOS running over a Linux kernel by the end of 2007. Late in 2006, electronics maker First International Corp. unveiled a smartphone running an open Linux-based mobile software platform developed by one of its own product managers.

The security component is intended to bulletproof smartphones running the CLP software by blocking ways of hacking into the phone, says Dirk Sigurdson, the company’s senior engineer and author of the new code. Smartphones can be hacked by using software to read the phone’s flash chip, or by introducing a malware program onto the phone, or with a device known as a “flash [memory] probe,” Sigurdson says.

The new security engine becomes part of the CLP stack and runs on the smartphone’s processor. One element is the secure boot loader, which verifies the authenticity of the boot loader, using digital signatures and certificates, clearing the way for the initial boot code to be loaded. The engine also authenticates the kernel, which only then passes to the boot loader. “We prevent software-based attacks by making sure no one can replace our kernel with an unsigned kernel,” Sigurdson says.
