Android is the most popular mobile operating system in the world. This popularity is not only shared by users but also third parties who seek to exploit security vulnerabilities. This is not news, by now we all know that protecting sensitive data and applications is more important than ever.
The Android Open Source Project (AOSP) has risen to this challenge by integrating several Android security measures over the years.
Today, we take a look at the so-called Trusted Execution Environment (TEE).
Let’s explore what the Trusted Execution Environment in Android is, what Android TEE’s components are (TrustZone Android and Trusty Android), and how you can get professional help in running Trusted Applications in TEEs.
What is TEE (Trusted Execution Environment) on Android?
A TEE Trusted Execution Environment is a protected environment provided by a hardware feature within the main processor. It is designed to run code, isolated from unauthorized access. This isolation ensures sensitive tasks and data remain secure during execution, even if the main OS gets compromised.
Used correctly, Android TEE has the potential to address a variety of security concerns. By isolating applications, it reduces the attack surface and makes it difficult to exploit the code and data of those applications. That’s why it is an important component for enhancing security for Android devices.
Android TEE cannot simply be accessed by every developer. Device manufacturers include Trusted Applications (TA) that operate within the TEE, establishing services for developers to leverage in their own applications.
As a developer who requires to run applications in a safe and confidential environment, these services provided by Trusted Applications are the answer.
For product manufacturers who build their own devices, an Android OS customized to their hardware and requirements provides the option to add an Android TEE and run apps (if the developer expertise to do so is available). Alternatively, they send in their applications and have them signed by the Original Equipment Manufacturer (OEM) so that they can run in a (hopefully) existing TEE.
The TEE technology creates a secure environment by employing a combination of hardware and software-based isolation methods.
Firstly, the mentioned TEE hardware feature establishes the isolated and hardware-backed secure zone within the Android device. In this secure zone sensitive data —like device-specific cryptographic keys — are stored by the manufacturer.
Secondly, a separate operating system runs on the secure zone, called the Trusted OS. It works independently of the main Android OS, and allows the execution of apps which are known as Trusted Applications (TA).
Together, these two form the safe execution environment on Android devices.
Beyond the secure zone of the TEE lies the familiar territory of the Android operating system.
In technical terms, the part of the main processor running standard Android OS is called Rich Executing Environment (REE) to distinguish from Android TEE Trusted Execution Environment. The REE executes all the “untrusted” applications that will process data as usual.
In short, REE encompasses the entire operating system and user-space applications. TEE operates alongside REE, providing an additional layer of security for specific applications and certification processes.
As devices and applications have become more interconnected and complex, it’s simply natural that concerns about data privacy and security are rising. When running an app on a device, there is no way to be 100%-sure that the apps' execution can not be accessed. Sure, there are measures to prevent exploitation, but even these are only partially reliable.
With Android TEE, hardware OEMs are able to provide Trusted Applications that are protected from potential vulnerabilities or attacks on the main operating system making them more secure.
Use cases for which this extra protection is sensible:
Most commonly, TEE is used for Digital Rights Management (DRM) purposes. For instance, to ensure that only authorized media is run or to verify that apps haven't been modified to bypass ads.
However, the use cases mentioned above are also widespread and valid, especially when it comes to dedicated Android devices. A good example are Android POS systems that are used in retail stores to process payments and access sensitive data such as credit card information.
By processing such data in a TEE Trusted Execution Environment, device manufacturers can ensure that no-one else can gain access to it (and especially NOT the attackers!)
So, what makes Android TEE actually trustworthy? There are several factors:
Hardware partition and a dedicated space ensure the integrity and confidentiality of sensitive operations and data.
Modern processors such as ARM and Intel x86 provide isolated execution environments within the processor, separate from the main system (not necessarily running Android). With dedicated hardware, Android TEE can resist various software-based attacks.
Prior to execution, the TEE Trusted Execution Environment undergoes a verification process through verified boot, establishing a secure chain of trust. This foundation safeguards the entire system, mitigating the risk of unauthorized modifications.
Android verified boot checks the authenticity and integrity of each component of the process, including the bootloader, Android kernel, and system software. It makes sure that only trusted software components are loaded and executed during the device's boot-up.
Okay, so we have hardware isolation and the secure boot process verifies that everything is in its accurate condition within the Android TEE. Now, you have to run Trusted Applications.
Here, runtime isolation provides an additional but essential layer of security. TEE makes sure that different Trusted Applications do not interfere or interact with each other. It controls and disables access to the data and code of other applications.
In other words, there’s not only isolation from outside systems, but also compartmentalization inside the system during runtime.
In an ideal and perfect world, Android TEE would be the perfect solution for confidential processing. However, it comes with some limitations, even if it is currently the best solution.
As TEEs largely depend on the hardware, not all Android devices come equipped with this functionality.
For the devices that are already equipped with TEE, you’ll have to trust the hardware OEM to have built it correctly, since you have no access to it. The hardware architecture of TEEs varies, and some designs are better than others.
Apart from that, Android TEEs have their own attack vectors. There can be technical vulnerabilities in the Trusted OS and Trusted Apps that can be exploited by a highly trained attacker. However, with advancements and newer solutions, TEEs have become safer with time.
TrustZone is the TEE hardware feature developed by Arm. It underlies the Android TEE functionality on many Android devices, since Arm is the most commonly used architecture. It provides the capability to partition Arm processors into a TEE and REE.
In short, Android firmware TrustZone components lay the foundation for most Android TEEs.
The hardware isolation provided by TrustZone for Android is required for the same use cases introduced earlier, mainly running the Trusted OS and Applications but also storage of cryptographic keys etc.
Quick reminder: The TEE - the ‘Secure World’ - created by TrustZone is managed by the Trusted OS. The REE - the ‘Normal World’ - is where all the regular stuff happens, managed by the Android OS. TrustZone TEE makes sure that the Normal World can not interfere with and access the Secure World’s memory.
Trusty is Google's Trusted Operating System for TEE that runs alongside Android on compatible devices.
Trusty works upon the hardware isolation provided by Arm TrustZone to create software-level isolation – completing the TEE Trusted Execution Environment on Android.
Trusty is commonly used for cryptographic functions. For instance, if you’re running a Trusted Application that relies on cryptography, like the Android Keystore for managing encryption keys, it uses the secure environment provided by Trusty.
Similarly, Trusty Android also enables the verified boot process.
Traditionally, TEE operating systems come from third-party vendors or are developed internally by OEMs. Developing or licensing a TEE is costly for System-on-Chip (SoC) vendors and OEMs.
Plus, relying on third-party systems is not always reliable. Although Android supports different TEE implementations, including Trusty, each Android TEE Trusted Execution Environment has its own way of handling Trusted Applications. This can cause compatibility problems if OEMs try to ensure that their apps work on all Android devices.
Moreover, Trusty for Android is an open-source OS. That is, its source code is freely available for anyone to inspect and use. This transparency can allow independent code verification — which is an added layer of security — if the final product is built on the source code that has been inspected and compiled.
In short, there are three most prominent advantages of using Trusty:
TrustZone and Trusty work together to enable the execution of Trusted Applications (TAs) within the safe, isolated space they’ve created. In short, Arm TrustZone is a TEE hardware feature, while Trusty is Googles Trusted OS. Together they to form a complete TEE Trusted Execution Environment.
Here’s how Arm TrustZone and Trusty create a chain of trust that enables Trusted Applications:
Let’s say an application needs to utilize the Android Keystore or verify the OS integrity using Android Verified Boot (AVB).
First, a "chain of trust" is established in the Android Trusted Execution Environment. The keys reside securely within the TrustZone environment.
Their verification ensures the integrity of the bootloader, which in turn confirms the kernel's and OS's authenticity. This chain of trust allows the application to trust the operating system.
As a developer building products that rely on high security standards, it makes sense to utilize Android TEE in your Android-based devices.
However, adding Android TEE functionality to your Android-based product isn't as simple as enabling a setting. To use TEE features like Trusty, companies need to relay on their hardware OEMs support or build a custom Android OS specifically designed for their hardware product.
This AOSP-based ROM is built on the manufacturer's Board Support Package (BSP), which provides hardware-specific instructions for Android.
Sounds complicated? It is. This is why you need practical expertise to safely run a TEE app on Android.
But learning and doing it all by yourself isn’t your only option. We at emteria understand the complexities involved. With expertise in implementing Android TEE, we can help you:
Basically, you can make using Android TEE easier and more fruitful with our help.
To wrap it up, Android TEE offers a powerful way to secure your Android-based products. With dedicated hardware support by Arm TrustZone and Trusty operating system, you can isolate sensitive tasks and protect them from potential threats.
Now that you've gained a comprehensive understanding of Android's Trusted Execution Environment and and its components, you must be itching to implement it. But whether you’ve worked with Trusted Applications before or are just starting out, having professional assistance can make your task a 100-times easier.
With expertise in Android security and TEE integration, emteria will help you utilize the full potential of TEE on Android and safeguard your digital assets against emerging threats. So, if you want to work with an expert TEE service Android, get in touch right away.