GlobalPlatform Publishes Specification For The 'Trusted' User Interface on Mobile Devices
Standardization of this mode will reduce development costs and promote market adoption
30 October 2013 – GlobalPlatform, the association which standardizes the management of applications on secure chip technology, has launched its ‘Trusted User Interface API Specification v1.0’. The technical document will be of interest to software developers implementing trusted applications which reside in the trusted execution environment (TEE) and require sensitive information to be shared with, and validated by, the end user.
A trusted user interface (trusted UI) is a specific mode in which a mobile device is controlled by the TEE – a secure area that resides in the main processor of a smartphone (or any mobile device) and ensures that sensitive data is stored, processed and protected in a trusted environment. The trusted UI verifies that the information displayed on a mobile device screen comes from an approved trusted application and is isolated from the rich operating system (OS), which is vulnerable to malware attacks.
GlobalPlatform’s Trusted User Interface API Specification v1.0 specifies how a trusted UI should facilitate information that will be securely configured by the end user and securely controlled by the TEE. The standardization of the mode aims to reduce development cost, promote industry consistency and encourage market interoperability.
“As secure services such as near field communication (NFC) payment applications and mobile wallets become increasingly popular on mobile devices, there is a need for greater and more interactive security that will allow an individual to authenticate themselves to those services,” explains Gil Bernabeu, Technical Director of GlobalPlatform. “For example, bill payment, money transfer, purchasing products / services or document signature validation, all require some form of interaction with the end user.”
An example of this is if an end user makes a payment using a mobile wallet or payment application. A summary of the transaction is displayed in a new window by the TEE, ensuring that any non-secure applications stored in the rich OS environment cannot tamper with the payment details. The end user is able to sign exactly what is shown on the screen and authenticate themselves by entering a PIN or password. As this authentication is carried out in the TEE, the activity is isolated within the handset and protected from unauthorized viewing. “This reassures both the service provider and the end user that the transaction is genuine and has not been undertaken or influenced by a hacker, virus or Trojan,” adds Gil.
As a next step, GlobalPlatform is promoting and mandating the use of a security indicator on a trusted UI. In the same way that a padlock symbol in a web browser indicates that the website is secure and trusted, the inclusion of a security indicator on a user interface will reassure end users and service providers that a UI is a ‘trusted UI’; the screen is controlled by the TEE and isolated from the rich OS. Initial work is also being undertaken by GlobalPlatform to incorporate the management of biometrics to provide trusted fingerprint authentication, and potential integration with the trusted UI technology.
“The TEE will play a key role in promoting market confidence in secure mobile services,” continues Gil. “To ensure that it is commercially viable, we need to create standards that will reduce development time and product time to market. Interoperability and market consistency are key to achieving this. The GlobalPlatform Trusted User Interface API Specification is part of a portfolio of tools that GlobalPlatform has published to benefit this market and promote adoption and use of this important technology.”
The 'GlobalPlatform Presents the Trusted Execution Environment (TEE): Next Generation Mobile Security for Today and Tomorrow' conference takes place on Thursday 31 October. To be held in Santa Clara, California, this is the first dedicated event on the TEE topic. To find out more and register, visit https://globalplatform.wpengine.com/TEEevent/.
For further information on the trusted UI, read GlobalPlatform’s made simple guide.
As a member-driven association with cross-market representation from all world continents, GlobalPlatform membership is open to any organization operating within this landscape. Its 100+ members contribute to technical committees and market-led task forces. www.globalplatform.org.