In our latest industry interview, Stephanie El Rhomri, NFC & Payment Vendors Business Line Manager at FIME and Chair of GlobalPlatform’s Device Compliance Program Work Group, discusses the role of the trusted execution environment (TEE) in the secure management of applications on mobile devices and addresses the importance of promoting confidence and stability within the marketplace.
Why is mobile security becoming increasingly significant?
Although mobile devices today host multiple applications, many of these are non-sensitive and the personal or financial impact of any corruption to an individual would be minimal.
Today, the mobile services marketplace is starting to witness the deployment of an increasing number of 'secure' applications such as identity, mobile wallets or corporate applications that operate and are executed within the device. The consequences of a malicious party hacking an individual's smartphone to source personal or corporate data could be serious.
And as our mobile devices become even more sophisticated, so do the hackers. It is therefore important that we put the right security measures in place today to stop a major breach tomorrow.
Where does the TEE come in?
Simple operating system (OS) updates of one component do not provide sufficient security to protect these types of sensitive applications. Instead, a clearly defined and universally agreed 'root of trust' is needed.
A 'root of trust' is created when a set of functions is trusted by all parties engaged in the delivery of the mobile service to maintain the integrity of the service and privacy of the consumer's data. The TEE – a secure area that resides in the main processor of a connected device and ensures that sensitive data is stored, processed and protected in a trusted environment – is fundamental within the root of trust.
But how does the industry ‘know’ it can trust TEE products? As they play such a vital security role, we need to consider what can be done to achieve confidence and stability within this marketplace.
How is GlobalPlatform facilitating TEE adoption?
GlobalPlatform has been instrumental in standardizing TEE technology. Now the association is turning its attention to ensuring the TEE ecosystem is stable and that products perform as expected once live in the field. As a testing provider, FIME also recognizes that products must perform as advertised and the only way to promote confidence is by conducting rigorous and industry-approved tests.
Over the last few years, GlobalPlatform has worked to establish a functional compliance test program, which has seen a number of products receive the GlobalPlatform 'Qualified' mark. FIME is delighted to have played a part in this important program with its Global Device test tool, which streamlines the testing process and has approved a number of products on behalf of GlobalPlatform.
In addition to this activity, in 2014, GlobalPlatform published the first Trusted Execution Environment (TEE) Protection Profile (PP). The industry-recognized document, supported by national certification bodies worldwide, identifies the security needs of the TEE to support different market requirements. It achieves this by combining the standard security methodology outlined by Common Criteria with the best practice specifications as defined by GlobalPlatform in relation to TEE architecture and interfaces.
GlobalPlatform’s TEE PP has been officially listed in the Common Criteria portal on its website, under the Trusted Computing category. This important milestone means that industries using TEE technology to deliver services such as premium content and mobile wallets, or enterprises and governments establishing secure mobility solutions, can now formally request that TEE products are certified against this security framework. GlobalPlatform is also developing a TEE security certification secretariat which is set to launch later this year. This initiative will facilitate adoption for technology providers and reinforce GlobalPlatform’s position in driving confidence in new technologies.
What has FIME been working on recently in support of the TEE?
FIME brings together a combination of security and functional testing, and services, to support vendors in the evaluation of their products. For FIME, this approach has the potential to truly support the TEE marketplace, and enable the technology to achieve its full market adoption to support the delivery of trusted applications.
FIME is witnessing a real momentum within the TEE marketplace globally. Its services are being called upon to advise and test on TEE functionality and security. We expect this level of engagement to increase as cloud-based payments gain traction. The TEE, therefore, could address an immediate need in today's marketplace, if we promote and generate confidence in our standardized, secure and qualified GlobalPlatform products.