While mobile devices continue to be fragmented in many ways, the app world is also increasingly concerned about the security of data on heterogeneous devices. The problem with fragmentation is it creates both security and development costs. Security, because each device has different capabilities and there is little visibility for developers of what level of security can be achieved on each platform. While Android and iOS have some common security primitives, they also differ in a lot of ways. Even in the Android ecosystem, some Android devices offer more security features than others. Fragmentation also increases development cost because developers have to use different APIs, maintain different source codes and develop different security tests. The consequence for the end user is the level of app and data protection is lower than it could be. This is because the app developers don’t have the expertise, visibility or time to make use of the best capabilities available on each device. These concerns are getting even worse with the addition of millions of new devices in the IoT space and personal data being transferred from one device to the other.
Since the beginning at Trustonic we have developed a Trusted Execution Environment (TEE) for bringing hardware-security to the app developers, mostly on Android, Windows and Linux. Our TEE is now deployed in over 500 millions of devices and is used by the leading service providers for protecting the assets of millions of users.
So we have been looking at what would be the next step for applying our experience and solving the fragmentation issue for the security-demanding applications. We came up with a new product called Trustonic Hybrid Protection (THP).
What is Trustonic Hybrid Protection (THP)?
Trustonic Hybrid Protection is the combination of our Trusted Execution Environment (TEE) and new software protection techniques. The idea with Trustonic Hybrid Protection is that an application can be developed once and will run on different types of devices with the best level of protection available on each device. On a device equipped with the Trustonic TEE the application will benefit from the hardware-protection level brought by the TEE. On devices without TEE support the application will use software protection techniques to protect its assets. The software protection technology supported in THP includes white-box cryptography, a special implementation of cryptographic algorithms which hides the confidential information and the cryptographic keys, and a set of code protection techniques including integrity checking, code obfuscation, anti-debug and root detection.
How do you protect an app using Trustonic Hybrid Protection?
First the app developer identifies the most sensitive parts of his app. These include items such as the cryptographic protocols, the key management, or the use of confidential data. These will be included in the Trusted Application. The Trusted Application is developed with the Trustonic API, which is the same for all the platforms. When compiling the app and the Trusted Application, the Trustonic Hybrid Protection SDK creates binaries for each target and applies the protection appropriate for each target. Trustonic Hybrid Protection is compliant with all the app stores and developers can publish their apps on the app stores as usual. When the application is downloaded and launched, it will automatically use the Trusted Application adapted for the device on which it has been installed. On a device with the Trustonic TEE, it will use the TEE, and on a device without the Trustonic TEE, it will use software protection. It is even possible to combine the TEE and software protection together for additional security.
Trustonic Hybrid Protection eases the app development process with a single tool and a single API for all devices. It also helps developers making sure their apps benefit from the most appropriate level of protection on each device.
If you want to hear more about Trustonic Hybrid Protection or see some demos, please come visit us at MWC, Hall 6 stand 6I40.