We use our mobile phones for almost everything. Beyond calls, chat and internet access, they have become our primary channel to pretty much every online service. Making payments is an obvious example, but accepting payments with smartphone mPOS (mobile point of sale) apps is increasingly important, as are applying for loans, obtaining and using travel tickets, and a myriad of other use cases. Even auto makers are seeing the possibilities of using your phone as your car key – not just because it is already in your pocket – but because it enables new use cases such as car-sharing.
Trustonic Application Protection (TAP) is a toolkit that lets app writers develop applications that make use of the strongest security available – and on most Android smartphones that means the Trusted Execution Environment (TEE). An entire secure operating system running outside of the Android OS and protected by hardware within the CPU itself, the TEE is a surprisingly little-known feature, despite being present in almost all smartphones. The TEE is leveraged by all the key Android and OEM services – Keymaster, biometric unlock, Samsung Knox, Samsung Pay, and many others. Trustonic was at the forefront of TEE development from its inception, and our TEE implementation is the most prolific on the global market. Trustonic is also the only company to enable third-party application developers to leverage the full power of the TEE.
On many smartphones, this crucial but currently near-invisible secure subsystem has a rather amazing trick up its sleeve, which is about to make the TEE much more visible to everyday smartphone users.
When utilized correctly by app developers as part of an app’s UX, it can temporarily take over the screen and touch sensors of a smart device at the hardware level, giving what is called a Trusted User Interface (TUI). This is a UI feature in the developer’s toolbox that is particularly valuable during security-sensitive human interactions because malware in the main OS cannot attack it. The Android OS literally doesn’t have any access to the hardware during the period that the TUI is active – meaning that malware cannot capture the screen or simulate touches, even if the phone is rooted.
TUI is a great feature – but until now it has been impossibly hard to use. The APIs provided are extremely low level: start, stop, blit image, detect touch. No widgets, no fonts, no text, no OpenGL. In practice, TUI was accessible only to the very few expert developers, researchers and cybersecurity companies like Trustonic on the leading edge of new developments (we first wrote about TUI on this blog in 2015).
With our latest version of Trustonic Application Protection (TAP), TAP 1.7, we are very pleased to announce that this has all changed. TUIs can now be created using the new Layout Manager feature. Layout Manager provides a simple XML-based layout language, akin to Android layouts or HTML. A simple example: