How hardware-based technology keeps mobile devices secure
Government agencies are constantly looking to leverage the latest technologies to improve operational efficiency, optimize budget expenditure and enable new services either for their workforce or the public. Traditional consumer devices such as smartphones often play a key role in achieving these goals.
However, agencies face a few challenges in meeting their objectives when it comes to using mobile devices:
Mobile software protection is nearing its limit. Because security is based on software protecting software, it will never be as reliable as hardware-backed protection.
Risk management teams tend to deploy iOS devices, but because Apple controls almost everything on its devices, application developers struggle to provide flexible solutions and leverage true (hardware-based) security.
With Android devices, meanwhile, developers often lack information on available and accessible hardware security.
A potential solution is the Trusted Execution Environment, which provides hardware-based mobile security without increasing the device's bill of materials. Standardized by GlobalPlatform -- a non-profit organization that creates and publishes specifications for secure chip technologies such as Secure Elements -- the TEE is a secure area of the main processor where mobile applications can run. Already extensively used in the financial and enterprise technology spaces, services leveraging the TEE are also being delivered to government agencies in both the United States and Europe.
From a technology standpoint, the TEE is an operating environment that resides on a device's main application processor and offers hardware isolation from Android that protects applications’ code, logic and data. Even on compromised devices (e.g. those that have been rooted or infected with malware), the TEE continues to protect such applications. Unlike applications in discrete hardware-secured environments, applications running in the TEE can access all of a device's computing power and memory. In addition, the TEE enables privileged access to peripherals, such as the touchscreen or the fingerprint sensor, thus preventing malware from either mimicking the user interaction or stealing credentials.
Leading companies have made tools available to enable the easy development and deployment of applications targeted at the TEE. It is not necessary to redevelop a whole mobile application from scratch, as the goal is to isolate the sensitive components into a separate trusted application that will be executed within the TEE. This can be done by using a TEE provider’s software development kit, based on the industry-standard GlobalPlatform application programming interfaces.
The deployment and lifecycle management of a trusted application can be simply carried out via a secured server, which will both verify that the device is genuine and enable application management. The server can be in-house or cloud-based, making the solution providers fully independent from hardware manufacturers and giving them the autonomy to develop, deploy and manage their own solutions.
When the TEE is pre-embedded within the device, TEE vendors ensure full integration with hardware manufacturers, meaning that government agencies do not need to interact with the TEE itself. In order to benefit from applications leveraging the TEE, government agencies can ask TEE vendors to contract with their preferred solution providers. An application using the TEE can either be installed as a standalone application, or it can be easily integrated with a chosen enterprise mobility management partner.
Because of the TEE's unique security features and ease of access on Android, government departments can derive huge value from leveraging it and switching to a more open environment that allows more flexibility and control of deployed solutions. The TEE is still unknown to many federal agencies, but that is starting to change. To maximize the use of mobile devices while minimizing the associated risks, government entities are being encouraged to migrate as soon as possible to hardware-backed security.