Go to content Phone human-readable description of the message we trying to accomplish. Search human-readable description of the message we trying to accomplish. Map pin human-readable description of the message we trying to accomplish.

I recently presented on this topic at the Global Platform TEE Seminar last month –http://teeseminar.org/about_the_workshop.asp.

Trustonic are increasingly working with developers using our SDK to secure their applications. So if you didn’t get a chance to attend that event, I’ve written up the five key steps!

Step 1 – Get the SDK

Figure 1  Trustonic Tools

You’ll need to join the Trustonic partner program, to get this underway email enquires@trustonic.com, or go tohttps://www.trustonic.com/products-services/developer-program/.

Step 2 – Move the security critical parts of your application to a Trusted application

You’ll need to identify the security critical parts of your application – the parts that perform cryptographic operations, process/use credentials, require data protection or authenticate the user. These should be implemented by your Trusted Application (TA).

Figure 2  Move Security Code to the TA

The main OS part of your application is called the client application and the trusted part the Trusted application.

Step 3 – Get coding!

Trustonic supply a plugin for eclipse, which has templates for Trusted applications. Once installed you can use this to create your Trusted application project, or base your project on one of our samples. You can use any editor you like of course.

Figure 3  Eclipse Plugin

For the Global Platform talk, I gave a real world sample – a simple one time passcode (OTP) generating application, based on the HMAC OTP RFC – https://tools.ietf.org/html/rfc4226 – “An HMAC-Based One-Time Password Algorithm”.

For this use case, the following needs to be implemented by the TA:

  1. HMAC key generation
  2. Generating the code from a HMAC of a counter value

Then we need something to look after the communication between the application and the TA. We call this theclient application or trusted application connector. On Android platforms this is essentially some Java Native Interface (JNI) code to interface with the Trustonic main OS libraries.

This will:

  1. Instantiate the TA
  2. Send commands or jobs to the TA
  3. Close the TA when we’re finished

The final part of our application is the regular main OS app. In my application these three parts are called: app (main os app), ca (client application) and ta (trusted application).

Figure 4  Main OS App, Client and TA

I decided to use maven http://maven.apache.org/ to handle building these three parts. Maven has a plugin for Android development that works well – http://simpligility.github.io/android-maven-plugin/. This saves me having to manually build each part. I can run mvn install from the command line, or setup a Run configuration to do this for me via eclipse:

Figure 5  Building it all with Maven

Step 4 – Debugging

Trustonic have an emulator that we supply with the SDK. It’s great for testing your application. While I was developing the OTP application, I deployed my application (using maven android:deploy), to my running emulator. So I could iron out the bugs and get it all working nicely.

Figure 6  OTP App Installed on the Emulator

Step 5 – Deploy to a commercial device

Once I’d completed my application, I added support for over the air provisioning of my TA using the Trustonic reference Trusted application manager (TAM). We supply sample code for this with our SDK – it’s a library to include in your application, and a call in your application to provision the TA.

Figure 7   Adding OTA Support

With that in place, I can then run my application on a commercial device, below on an S6:

Figure 8  OTP Application Running on a S6

Related content

The Benefits of Trusted User Interface (TUI)

Trusted User Interfaces (TUIs) are the next big thing for securing critical mobile apps. The Trusted User Interface feature allows a Trusted Application to interact directly with the user via a common display and touch screen, completely isolated from the main device OS.

Time for Hardware Backed Mobile Application Security

There’s much written about the need to secure mobile applications and the consequences of failing to do this well. At the same time, many claim this to be an impossible task, with numerous and varied ways for the ‘bad guys’ to win. Security is never easy – but good security can transform the way users interact with systems, enabling new ways of living and working. Done right, security makes systems simpler and easier to interact with. The days of passwords and dongles are long gone.

Trustonic Security to be Implemented in LG Mobile Smartphones

Bringing greater security to LG smartphones, responding to mobile network operator device lifecycle protection needs and helping 3rd party developers protect their apps.

22nd April 2020 – Mobile device and app security leader Trustonic has extended its partnership with LG Electronics Mobile Communications Company, which will see Trustonic Secured Platform (TSP™) deployed on LG’s smartphones. This includes the introduction of Trusted User Interface (TUI) functionality that is vital to unlocking the next generation of strong app protection in mobile banking, mobile payments and mPOS, digital car key and mobile identity-based apps.

Korea’s KB Bank Uses Trustonic In-App Protection to Enhance Mobile Banking Experience

Using Trustonic Application Protection enables KB Bank to dramatically improve the authentication experience for users of its mobile banking app and allow secure high value transactions

2nd April, 2020 – Mobile cybersecurity leader, Trustonic, today announces the successful implementation by KB Kookmin Bank (KB Bank) of Trustonic Application Protection (TAP) to enable a simpler authentication experience for users of its KB Star Banking app.

All SDK posts
Back to top