I want to develop a trusted application running on the TEE/TrustZone that is embedded in Android Devices.
I contacted a TEE provider and enquired about joining the developer program and getting there SDK.
However the cost is tens of thousands of Euros to join, which is prohibitively expensive for your average android developer.
Is it possible to develop TEE trusted apps without the huge expense?
Is it possible to use "factory built in " trusted apps already in the TEE?
many thanks
Lee
Could you explain your requirements a bit more? Has the TEE OS already been selected and you want to write an app for it? Are you trying to write an Android app that stores keys in the trusted environment through Android or TEE OS APIs (i.e. hardware-backed storage)? It is possible to secure keys in Android without developing your own TrustZone executable but if you want to execute code for DRM or payment systems, yeah, some of the TrustZone OSes that run on some Android devices have pretty expensive SDKs.
Check out 4.3's new security features for hardware backed RSA storage.
Android 4.3 APIs | Android Developers
Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available by calling KeyChain.IsBoundKeyAlgorithm().
KeyChain
KeyChain.IsBoundKeyAlgorithm()
Hi Mathew
I am interested in using TEE technology to develop a trusted user interface application e.g. trusted access to display and user touches.
I haven't selected a particular TEE yet.
How many different TEEs are there out there in Android devices?
Is it possible to find out what proportion of Android devices have a TEE and also which TEE developer's TEE is in each device?
Do any Android devices ship with more than one TEE in them?
Do all the TEEs follow GlobalPlatform's TEE standard?
It would be great for Android developers if the TEE standard mandated some default trusted apps included in every TEE that any Android developer could use for free. Tee manufacturers could still make money by charging developers to develop new trusted apps.
cheers
The need for such Trusted App (TA) is very real - obvious example would be a PIN entry that cannot be intercepted from the main OS. However, building such TA on your own might be challenging b/c you would need to deal with all the variety of different screens / digitizers, and all that code will have to run inside TEE, which is supposed to be "lean". Nevertheless, I hope that in a close future main TEE vendors would start shipping their TEEs with Trusted Input apps built-in. I also hope there will be a hardware LED light shaped like a LOCK so when it is ON, the user would know that the screen is controlled by Trusted App and that it is safe to enter their PINs (similar to what browsers show for HTTPS websites, but clearly outside of the main screen so it cannot be spoofed). More, I hope that such "standard" Trusted Input TA would get exposed somehow to Android Java developers through some sort of Trusted Input API. And that API would fall back to regular input if the phone does not have TEE or required TA is missing.
Anyways, below I have tried to provide some answers to your questions based on my recent research.
Q: How many different TEEs are there out there in Android devices?
A: I've seen about 10 different TEE implementations. Here is the 2 most popular for Android: 1) t>base by Trustonic (estimated to about 400 mil installations); 2) QSEE by Qualcomm - mostly targeting phone manufactures, was used in most phones that were based on Qualcomm Snapdragon SoC - for example Nexus 4, Nexus 5, LG G2, HTC One series, Moto X, Samsung Galaxy S4, and Samsung Galaxy Note 3. Here is more information
Q: Is it possible to find out what proportion of Android devices have a TEE and also which TEE developer's TEE is in each device?
A: I estimate that about 25% of active Android phones have TEE in them, and > 50% of new phones released in 2015 have TEE in them. Here and here
Also, here is an idea on how to programmatically check what TEE is installed on the phone (if any)
Q: Do any Android devices ship with more than one TEE in them?
A: No, as far as I know, it is always just one (or none) TEE per phone
Q: Do all the TEEs follow GlobalPlatform's TEE standard?
A: Most of them, but not all of them. However, my guess would be that 99% of new Android phones with TEE have their TEE compliant with GP specs
Hi, alexx, I am currently porting some algorithm to QSEE, but I haven‘t choose the compiler tools yet. Do you happen to know if QSEE support trust APP based on AArch64 ISA (armv8-a), or where can I get related information? thanks a lot ! !