4

In the FinTech area there is a lot of talk about the use of Trusted Execution Environments (TEE). I know that on both iOS and Android it is possible to use some keystore APIs to generate keys and use them for signing/decrypting. But the code one writes oneself runs as a normal app.

My question is, is this the only available use of the TEE? Or is it possible for a normal application developer (i.e. one who isn't the manufacturer of the handset etc.) to write an app where the code in the app itself runs in the TEE? I have not been able to find documentation from Google or from Apple that describes how this would be done. Are there special APIs available?

Morty
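To make the distinction in the question concrete (the key material lives in the TEE, the app's own code does not), here is an added example of the Android Keystore path the question refers to. It is not code from the question or from any project named on this page; the key alias is constructed, and the hardware check uses the platform's KeyInfo API.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class TeeBackedSigner {
    private static final String ALIAS = "example-signing-key"; // constructed alias for this example

    // Generate an EC P-256 signing key inside the Android Keystore. On a device whose
    // keymaster runs in the TEE, the private half is created there and never leaves it.
    public static KeyPair generateKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        return kpg.generateKeyPair();
    }

    // Ask the keystore where the key actually lives. A false result means a software
    // fallback: the key is then only as protected as the app sandbox itself.
    public static boolean isHardwareBacked(PrivateKey key) throws Exception {
        KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = factory.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    // This method, like the rest of the app, runs in the normal world; only the
    // private-key operation behind sig.sign() is delegated to the TEE.
    public static byte[] sign(byte[] message) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);
        sig.update(message);
        return sig.sign();
    }
}
```

Checking isHardwareBacked() after generation is the practical way to confirm that a given handset actually gave the key TEE protection rather than a software keystore.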

2 Answers

5

There are different TEEs out there on different devices. OP-TEE, Trusty TEE, QSEE, TLK, Kinibi (previously t-base, previously mobicore), etc.

From what I know, only Kinibi (since mobicore) allows for app developers to develop/deploy Trusted Applications along with the normal app (without the need for an OEM to sign).

At least with GlobalPlatform standard APIs, your TA may be source-compatible across TEEs.

David Artmann
Bryan Buckley
0

As M. Chang pointed out, according to source.android.com it's not possible right now. So I believe the answer to your question is no: a normal application developer can't write this kind of app.

Third-party application development is not supported in this version of Trusty.

Hopefully it will change.

Important: Trusty and the Trusty API are subject to change.

mrdaliri
Martin
Trusty is the TEE on only a few devices. This is mentioned here https://doridori.github.io/android-security-the-forgetful-keystore/#comment-3256986772 – Dori Apr 19 '17 at 13:42