The Benefits of Trusted User Interface (TUI)
Richard Hayton, CTO, Trustonic
Trusted User Interfaces (TUIs) are the next big thing for securing critical mobile apps. The Trusted User Interface feature allows a Trusted Application to interact directly with the user via a common display and touch screen which is completely isolated from the main device OS.
We use our mobile phones for almost everything. Beyond calls, chat and internet access, they have become our primary channel to almost every online service. Making payments is an obvious example but, increasingly, accepting payment with smartphone mPOS apps (mobile point of sale) is important, as is applying for loans, obtaining and using travel tickets and a myriad of other use cases. Even auto makers are seeing the possibilities of using your phone as your car key – not just because it is already in your pocket, but because it enables new use cases such as car-sharing.
Trustonic Application Protection (TAP) is a toolkit that lets app writers develop applications that make use of the strongest security available – and on most Android smartphones this means the Trusted Execution Environment (TEE). An entire secure operating system running outside of the Android OS, and protected by hardware within the CPU itself, standardized by industry association GlobalPlatform, the TEE is a surprisingly little-known feature, despite being present in almost all smartphones. The TEE is leveraged by all the key Android and OEM services including Keymaster, biometric unlock, Samsung Knox, Samsung Pay and many others. Trustonic was at the forefront of TEE development from its inception, and our TEE implementation is the most prolific on the global market. Trustonic is also the only company to enable third party application developers to leverage the full power of the TEE.
On many smartphones this crucial but currently near-invisible secure subsystem has a rather amazing trick up its sleeve, which is about to make the TEE much more visible to everyday smartphone users.
When utilized correctly by app developers as part of an app’s UX, it can temporarily take over the screen and touch sensors of a smart device at the hardware level, creating a Trusted User Interface (TUI). This UI feature in developers’ toolboxes is particularly valuable during security-sensitive human interactions, because malware in the main OS cannot attack it. The Android OS literally has no access to the hardware during the period that the TUI is active – meaning that malware cannot capture the screen or simulate touches, even if the phone has been rooted.
TUI is a great feature – but until now it has been hard to use. The APIs provided are low level; start, stop, blit image, detect touch. No widgets, no fonts, no text, no OpenGL. In practice, TUI was only accessible to the very few expert developers, researchers and cybersecurity companies, like Trustonic, that were on the leading edge of new developments (we first wrote about TUI in 2015).
With our latest version of Trustonic Application Protection (TAP), TAP 1.7, we are very pleased to announce that that has all changed. TUI user interfaces can now be created using the new Layout Manager feature. This is a simple XML-based layout language, akin to Android layout, or HTML. A simple example:
The Layout Manager XML language is simple and straightforward but powerful. There is full support for True Type and Open Type fonts (ensuring an attacker cannot mislead the user by replacing font assets), internationalization, buttons, menus, scrolling text and animation. As with a modern web browser, the UI is rendered as a Document Object Model (DOM), allowing application code to manipulate it as it sees fit – from simple examples such as pinpad to full keyboards, scrolling text and images and whatever else is needed.
Whilst TAP 1.7 provides all the necessary tools to product rich layout manager UIs defined in XML, we are also announcing the beta availability of a graphical editor to create these UIs. This allows simple copy-paste editing and simulates the trusted UI directly in a web browser.
Layout Manger is backward compatible with all phones that shipped with the ‘low level’ TUI APIs – for example, from the Samsung S6 onwards (Samsung was one of the first to use the technology as the company wanted TUI to better protect the Samsung Pay UI). This enables Trustonic’s Application Development partners to fully utilize TUI – and Volkswagen Group has lead the way, protecting their digital car key sharing using TAP and TUI.
The past couple of years have seen a steady increase in understanding of TUI and its benefits, with forward-thinking developers in our dev community experimenting with TUI-protected interactions. The support for TUI is about to rapidly expand across more device makers and smartphone models and the wider app development community. With Android P, the “Protected Confirmation” UI was introduced (a simple ‘secure confirm prompt’) and while this currently is not guaranteed to use TUI, that is very much the intent, and we can expect many more devices to support TUI in future.
As with all new security features, TUI is not ubiquitous across all smartphones today – but Trustonic is committed to enabling the best security possible on every device. Our TAP platform includes a software TEE, so that when a developer writes an app to leverage the power of the hardware TEE, that app can also run on Android and iOS devices that do not provide access to the hardware protected secure TEE OS. Whilst Layout Manager is currently only targeting devices that support both a hardware TEE and hardware TUI, we will be adding support for all other classes of device in future releases.
We believe that protecting the most critical, sensitive, valuable (and hence most interesting to bad actors) interactions between users and their smartphone screens and keyboards is poised to shift rapidly towards the use of Trusted User Interface technology. This is why we are releasing our beta SDK to our developer community now.