This year Trustonic’s Trusted User Interface (TUI) technology was integrated in Samsung’s flagship devices: the Galaxy Note 4 and Galaxy S6 – https://www.trustonic.com/products-services/trustonic-for-samsung-knox. With this technology Trustonic’s Trusted Execution Environment (TEE) can process user interactions (display and touch) independently from Android, in a hardware-isolated enclave made possible by ARM’s TrustZone™.
This is a huge leap forward for TEE technology and realises the power of TrustZone to not only provide secure execution of code, but to secure sensitive user interactions. It brings a new dimension to application security and trust. In this blog we take a look at what Trusted UI is, and what it brings to the security of applications.
What is a Trusted Execution Environment?
Trustonic has developed a world class Trusted Execution Environment: a safe place for cryptographic operations, storing sensitive data (keys, private data, etc.), and executing sensitive operations, all running alongside the main operating system. This functionality is invisible to end users, but to application developers it is an ideal area for security-critical operations. Using the Trustonic SDK, application developers create a Trusted Application: a unit of execution that runs in the TEE and is callable by the main application running in a Rich OS such as Android. The concept draws from technologies such as SIM cards, embedded secure elements, and TPM chips, but has numerous benefits beyond them.
What is a Trusted User Interface?
The Trusted User Interface feature allows a Trusted Application to interact directly with the user via the device’s ordinary display and touch screen. It protects the confidentiality and integrity of the information exchanged between a Trusted Application and the user from the Rich OS by using the hardware isolation built in to most modern smartphones. This isolation makes three features possible:
- Secure Input: The information entered by the user to a Trusted Application cannot be derived or modified by any software within the Rich OS or by another unauthorized Trusted Application.
- Secure Display: The information displayed by the Trusted Application cannot be accessed, modified, or obscured by any software within the Rich OS or by another unauthorized Trusted Application.
- Security Indicator: The secure display can be complemented by a Security Indicator. The Trusted Application securely displays a secret previously shared with the user and the entity they are transacting with, so the user can be confident that the screen is actually being displayed by a Trusted Application rather than by a Rich OS application imitating it.
Trustonic supply an SDK (https://www.trustonic.com/products-services/developer-program/) that allows the developer to use these features.
How does this improve the security of my application?
In a nutshell – Trusted User Interface prevents malware in the Rich OS from seeing or tampering with user interactions. Ask yourself:
- Does your application need to display information to the user securely?
- Does your application require the user to authenticate themselves, perhaps via PIN or passcode?
- Could your service benefit from higher trust when interacting with a more secure device?
Perhaps most importantly – what would be the cost to your business if a scalable attack were possible against your application that captured user credentials or stole private data?
Let’s look at an example to illustrate the point. Take a mobile payment application: the user is required to enter their PIN to approve a transaction, just as we do at the supermarket when paying with a credit or debit card. For argument’s sake, the phone is compromised; it is infected with malware that can capture user input. When the user enters their PIN, the malware sees it, so the attacker now holds very sensitive data which can later be used to replay or instigate unauthorised payments.
Enter Trusted User Interface. The logic for authenticating the user is implemented as a Trusted Application and user input is captured by the Trusted User Interface feature. When the user enters their PIN, the main OS (and consequently any malware running in it) cannot see the touch events and cannot capture the display.
Using the Trustonic SDK the developer is encouraged to identify the security-critical parts of their application and implement that logic in Trustonic’s TEE. This in itself is good practice: these operations now run inside a dedicated OS, designed specifically for trusted execution. By securing user input we also defend the application against a whole class of scalable attacks, which is good for everyone.
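To make the split concrete, here is an added example of the payment flow described above, modelled in Python. It is not Trustonic SDK code and the Galaxy devices are not involved: the TEE, the Trusted UI input path, the Rich OS malware and the bank backend are all simulated in one process so the two designs can be compared side by side. The insecure design lets the Rich OS app collect the PIN and hand it to the Trusted Application; the Trusted UI design has the Trusted Application read the PIN itself, so the Rich OS only ever sees the request to approve a transaction and the resulting authorisation tag. The tag scheme (an HMAC over the transaction and a fresh nonce under a key provisioned to the bank at enrolment), the PBKDF2 PIN hash, the three-attempt lockout and all class and function names are assumptions made for this illustration.

```python
"""Constructed model of PIN approval with and without a Trusted UI.
Not Trustonic SDK code: TEE, TUI, malware and bank are simulated in-process."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount_cents: int
    merchant: str

    def encode(self) -> bytes:
        # Canonical bytes the Trusted Application authorises; any change breaks the tag.
        return f"{self.tx_id}|{self.amount_cents}|{self.merchant}".encode()


class RichOSTouchInput:
    """Normal-world input path: every hook (here, simulated malware) sees each PIN."""
    def __init__(self) -> None:
        self.hooks = []

    def read_pin(self, keystrokes: str) -> str:
        for hook in self.hooks:
            hook(keystrokes)
        return keystrokes


class TrustedUIInput:
    """Simulated Trusted UI: while PIN entry is active the TEE owns the touch
    controller, so the keystrokes reach only the Trusted Application."""
    def __init__(self, keystrokes: str) -> None:
        self._keystrokes = keystrokes  # stands in for the user's taps (constructed)

    def read_pin_in_tee(self) -> str:
        return self._keystrokes


class TrustedApplication:
    """Runs in the (simulated) TEE: PIN hash, MAC key and attempt counter never leave it."""
    MAX_ATTEMPTS = 3

    def __init__(self, pin: str, auth_key: bytes) -> None:
        self._salt = os.urandom(16)
        self._pin_hash = self._hash(pin)
        self._auth_key = auth_key  # assumed shared with the bank at enrolment
        self._attempts = 0
        self._seen_nonces = set()

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def _authorise(self, tx: Transaction, nonce: bytes, pin: str):
        if self._attempts >= self.MAX_ATTEMPTS:
            raise PermissionError("PIN locked after too many wrong attempts")
        if nonce in self._seen_nonces:
            raise ValueError("nonce reuse: possible replay")
        if not hmac.compare_digest(self._hash(pin), self._pin_hash):
            self._attempts += 1
            return None
        self._attempts = 0
        self._seen_nonces.add(nonce)
        # Only this tag crosses back into the Rich OS; it is bound to tx and nonce.
        return hmac.new(self._auth_key, tx.encode() + nonce, "sha256").digest()

    def authorise_with_pin(self, tx, nonce, pin):
        """Insecure design: the Rich OS collected the PIN and passes it in."""
        return self._authorise(tx, nonce, pin)

    def authorise_with_tui(self, tx, nonce, tui: TrustedUIInput):
        """Trusted UI design: the TA reads the PIN from the secure input path itself."""
        return self._authorise(tx, nonce, tui.read_pin_in_tee())


class Bank:
    """Backend that checks a TA-issued tag and rejects reused nonces."""
    def __init__(self, auth_key: bytes) -> None:
        self._auth_key = auth_key
        self._seen = set()

    def accept(self, tx: Transaction, nonce: bytes, tag: bytes) -> bool:
        expected = hmac.new(self._auth_key, tx.encode() + nonce, "sha256").digest()
        if nonce in self._seen or not hmac.compare_digest(expected, tag):
            return False
        self._seen.add(nonce)
        return True


def run_scenarios(pin: str = "4712") -> dict:
    key = os.urandom(32)
    ta, bank = TrustedApplication(pin, key), Bank(key)
    keylog = []
    touch = RichOSTouchInput()
    touch.hooks.append(keylog.append)  # simulated keylogging malware in the Rich OS
    tx = Transaction("tx-1001", 2599, "supermarket")

    # 1. Insecure design: the PIN passes through the Rich OS before reaching the TA.
    nonce1 = os.urandom(16)
    tag1 = ta.authorise_with_pin(tx, nonce1, touch.read_pin(pin))
    insecure_ok, leaked_insecure = bank.accept(tx, nonce1, tag1), list(keylog)

    # 2. Trusted UI design: the Rich OS app only asks the TA to approve tx.
    keylog.clear()
    nonce2 = os.urandom(16)
    tag2 = ta.authorise_with_tui(tx, nonce2, TrustedUIInput(pin))
    tui_ok, leaked_tui = bank.accept(tx, nonce2, tag2), list(keylog)

    # 3. A captured tag is useless for replay or for a different transaction.
    replay_rejected = not bank.accept(tx, nonce2, tag2)
    other = Transaction("tx-1002", 99999, "attacker-shop")
    tamper_rejected = not bank.accept(other, os.urandom(16), tag2)

    return {"insecure_ok": insecure_ok, "leaked_insecure": leaked_insecure,
            "tui_ok": tui_ok, "leaked_tui": leaked_tui,
            "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected}
```

Both designs produce a valid authorisation, but only the first leaks the PIN to the simulated keylogger; in the Trusted UI design the keylog stays empty because the touch events never pass through the Rich OS. Binding the tag to the transaction and a one-time nonce is what stops an attacker who captures Rich OS traffic from replaying an approval or redirecting it to another payment, which is the second half of the threat described above.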