Writing your first application using the TEE

I recently presented on this topic at the Global Platform TEE Seminar last month -http://teeseminar.org/about_the_workshop.asp.

Trustonic are increasingly working with developers using our SDK to secure their applications. So if you didn’t get a chance to attend that event, I’ve written up the five key steps!

Step 1 – Get the SDK

Figure 1  Trustonic Tools

You’ll need to join the Trustonic partner program, to get this underway email enquires@trustonic.com, or go tohttps://www.trustonic.com/products-services/developer-program/.

Step 2 – Move the security critical parts of your application to a Trusted application

You’ll need to identify the security critical parts of your application – the parts that perform cryptographic operations, process/use credentials, require data protection or authenticate the user. These should be implemented by your Trusted Application (TA).

Figure 2  Move Security Code to the TA

The main OS part of your application is called the client application and the trusted part the Trusted application.

Step 3 – Get coding!

Trustonic supply a plugin for eclipse, which has templates for Trusted applications. Once installed you can use this to create your Trusted application project, or base your project on one of our samples. You can use any editor you like of course.

Figure 3  Eclipse Plugin

For the Global Platform talk, I gave a real world sample – a simple one time passcode (OTP) generating application, based on the HMAC OTP RFC - https://tools.ietf.org/html/rfc4226 - “An HMAC-Based One-Time Password Algorithm”.

For this use case, the following needs to be implemented by the TA:

  1. HMAC key generation
  2. Generating the code from a HMAC of a counter value

Then we need something to look after the communication between the application and the TA. We call this theclient application or trusted application connector. On Android platforms this is essentially some Java Native Interface (JNI) code to interface with the Trustonic main OS libraries.

This will:

  1. Instantiate the TA
  2. Send commands or jobs to the TA
  3. Close the TA when we’re finished

The final part of our application is the regular main OS app. In my application these three parts are called: app (main os app), ca (client application) and ta (trusted application).

Figure 4  Main OS App, Client and TA

I decided to use maven http://maven.apache.org/ to handle building these three parts. Maven has a plugin for Android development that works well - http://simpligility.github.io/android-maven-plugin/. This saves me having to manually build each part. I can run mvn install from the command line, or setup a Run configuration to do this for me via eclipse:

Figure 5  Building it all with Maven

Step 4 - Debugging

Trustonic have an emulator that we supply with the SDK. It’s great for testing your application. While I was developing the OTP application, I deployed my application (using maven android:deploy), to my running emulator. So I could iron out the bugs and get it all working nicely.

Figure 6  OTP App Installed on the Emulator

Step 5 - Deploy to a commercial device

Once I’d completed my application, I added support for over the air provisioning of my TA using the Trustonic reference Trusted application manager (TAM). We supply sample code for this with our SDK – it’s a library to include in your application, and a call in your application to provision the TA.

Figure 7   Adding OTA Support

With that in place, I can then run my application on a commercial device, below on an S6:

Figure 8  OTP Application Running on a S6