A best practice security principle is one of separation. If the ‘bad guys’ are outside a barrier and your assets are inside, then you are halfway there. This is the principle behind a network firewall, or process separation in an operating system. Whilst good in principle, if you are relying on separation provided by a huge, complex system – for example, Android – it is hard to imagine that this separation alone is going to be enough.
I was amazed when I first discovered my mobile phone, and almost every mobile phone for that matter, does not only run Android but also a second, secure, operating system, isolated from Android by hardware mechanisms baked into the CPU. This operating system is used at arms-length for features like biometric unlock, DRM and ‘disk’ encryption. But, wouldn’t it make sense to run our finance and other sensitive applications there as well? That way they could be safe from prying eyes and malware.
It turns out that we can do just that. Trustonic is a long-time purveyor of such secure operating systems, or Trusted Execution Environments (TEEs) as they are known. More importantly, we are part of standards body, GlobalPlatform, tasked with ensuring that TEE vendors all provide a similar level of security and consistent APIs for developers. Huawei is also a member of the body, and its TEE, iTrustee, is present on almost every Huawei phone, alongside Android.
In fact, Huawei has just released a cool new phone, the P40. For the first time it has enabled access for third party developers to use its TEE. This was made possible through Huwaei’s partnership with Trustonic, which brings Huawei into the Trustonic Application Protection (TAP) ecosystem. Anyone who develops applications using the newly released TAP 2.0 SDK can now leverage the hardware security provided by iTrustee on Huawei devices, or by Trustonic’s TEE (Kinibi) on devices from other OEMs.
So, does this all mean better security? Absolutely, it enables more than that. TAP offers a broad SDK with many security focused features, such as broad crypto libraries, secure storage, and device and app attestation. One of the technologies Trustonic and Huawei have enabled is worth citing here – the Trusted User Interface (TUI). This enables the TEE OS to take complete control of the display and touch screen. ‘Take over’ here means these hardware devices literally disappear from the hardware bus used by Android. Instead they are remapped by the TrustZone™ capabilities in the ARM CPU so that that they are only visible to the TEE OS. Drivers in the TEE OS can now connect the screen to your app, and you get full and completely unfettered access to the UI. Malware is literally locked on the wrong side of a big, fat hardware firewall.
That means no keyloggers. No screen recording, or accessibility attacks on these protected screens. Rooting Android will not help – because the screen isn’t even in Android anymore. That gives the sort of level of security that can enable some exciting new use cases.
Companies like Volkswagen want to use this to share car keys securely, and others, such as Rubean are working on Mobile POS solutions, which can meet stringent PCI requirements. This can enable a whole new meaning for ‘end to end’ social message encryption, where each ‘end’ is a concrete bunker not a far-to-hackable Android app. The much misunderstood ‘attestation’ capabilities mean that your servers confidently recognise that it is your application binary, running in a hardware secure OS that is calling your APIs. There is no impersonating an attested TEE.
Our TUIs are not simply one-size-fits-all. They are fully programmable and brandable. Below is demo screenshot (TUI is so secure, screenshots on a real device are not possible). This screen capture from our TUI emulator shows secure input and output in a rich UI.