I want to develop a trusted application running on the TEE/TrustZone that is embedded in Android Devices.
I contacted a TEE provider and enquired about joining the developer program and getting their SDK.
However, the cost is tens of thousands of Euros to join, which is prohibitively expensive for your average Android developer.
Is it possible to develop TEE trusted apps without the huge expense?
Is it possible to use "factory built-in" trusted apps already in the TEE?
many thanks
Lee
Hi Mathew
I am interested in using TEE technology to develop a trusted user interface application e.g. trusted access to display and user touches.
I haven't selected a particular TEE yet.
How many different TEEs are there out there in Android devices?
Is it possible to find out what proportion of Android devices have a TEE and also which TEE developer's TEE is in each device?
Do any Android devices ship with more than one TEE in them?
Do all the TEEs follow GlobalPlatform's TEE standard?
It would be great for Android developers if the TEE standard mandated some default trusted apps included in every TEE that any Android developer could use for free. TEE manufacturers could still make money by charging developers to develop new trusted apps.
cheers
The need for such a Trusted App (TA) is very real - an obvious example would be a PIN entry that cannot be intercepted from the main OS. However, building such a TA on your own might be challenging because you would need to deal with all the variety of different screens / digitizers, and all that code will have to run inside the TEE, which is supposed to be "lean". Nevertheless, I hope that in the near future the main TEE vendors will start shipping their TEEs with Trusted Input apps built in. I also hope there will be a hardware LED light shaped like a LOCK so that when it is ON, the user would know that the screen is controlled by a Trusted App and that it is safe to enter their PIN (similar to what browsers show for HTTPS websites, but clearly outside of the main screen so it cannot be spoofed). Moreover, I hope that such a "standard" Trusted Input TA would get exposed somehow to Android Java developers through some sort of Trusted Input API, and that this API would fall back to regular input if the phone does not have a TEE or the required TA is missing.
Anyways, below I have tried to provide some answers to your questions based on my recent research.
Q: How many different TEEs are there out there in Android devices?
A: I've seen about 10 different TEE implementations. Here are the two most popular for Android: 1) t>base by Trustonic (estimated at about 400 million installations); 2) QSEE by Qualcomm - mostly targeting phone manufacturers, it was used in most phones based on the Qualcomm Snapdragon SoC - for example Nexus 4, Nexus 5, LG G2, HTC One series, Moto X, Samsung Galaxy S4, and Samsung Galaxy Note 3. Here is more information
Q: Is it possible to find out what proportion of Android devices have a TEE and also which TEE developer's TEE is in each device?
A: I estimate that about 25% of active Android phones have a TEE in them, and > 50% of new phones released in 2015 have a TEE in them. Here and here
Also, here is an idea on how to programmatically check what TEE is installed on the phone (if any)
Q: Do any Android devices ship with more than one TEE in them?
A: No, as far as I know, it is always just one (or no) TEE per phone.
Q: Do all the TEEs follow GlobalPlatform's TEE standard?
A: Most of them, but not all of them. However, my guess would be that 99% of new Android phones with a TEE have their TEE compliant with the GP specs.
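The linked "idea" for a programmatic check is not reproduced in the answer above. As an added example (not the answer author's approach, and not tied to any particular TEE vendor), the check below uses the public Android Keystore API: generating a key in `AndroidKeyStore` and asking `KeyInfo.isInsideSecureHardware()` tells an app whether key material is held in secure hardware (a TEE or secure element), which is the only vendor-neutral signal a normal Android app gets; it does not reveal which TEE is installed. The key alias is a constructed value; the API requires Android 6.0 (API 23) or later.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

public final class TeeProbe {
    // Constructed alias for a throwaway probe key; deleted again before returning.
    private static final String ALIAS = "tee_probe_key";

    /**
     * Returns true if the Android Keystore reports that the generated key's
     * private material lives inside secure hardware (TEE or secure element).
     * A false result means keys are software-backed: either no TEE, or the
     * device's Keymaster is not TEE-backed.
     */
    public static boolean isKeystoreHardwareBacked() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        kpg.generateKeyPair();

        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey priv = (PrivateKey) ks.getKey(ALIAS, null);
        try {
            // KeyInfo is only obtainable through the AndroidKeyStore KeyFactory.
            KeyFactory kf = KeyFactory.getInstance(priv.getAlgorithm(), "AndroidKeyStore");
            KeyInfo info = kf.getKeySpec(priv, KeyInfo.class);
            // On API 31+ info.getSecurityLevel() additionally distinguishes
            // SECURITY_LEVEL_TRUSTED_ENVIRONMENT from SECURITY_LEVEL_STRONGBOX.
            return info.isInsideSecureHardware();
        } finally {
            ks.deleteEntry(ALIAS);
        }
    }
}
```

A true result is a necessary but not sufficient condition for any particular TA being present, so an app that needs a specific trusted app still has to verify that TA through its own vendor-provided client library.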
Hi alexx, I am currently porting some algorithm to QSEE, but I haven't chosen the compiler tools yet. Do you happen to know if QSEE supports trusted apps based on the AArch64 ISA (armv8-a), or where I can get related information? Thanks a lot!