A Trusted-Hardware Backed Secure Payments Platform for Android

Abstract

Digital payments using personal electronic devices have been steadily gaining in popularity for the last few years. While digital payments using smartphones are very convenient, they are also more susceptible to security vulnerabilities. Unlike devices dedicated to the purpose of payments (e.g. POS terminals), modern smartphones provide a large attack surface due to the presence of so many apps for various use cases and a complex feature-rich smartphone OS. Because it is the most popular smartphone OS by a huge margin, Android is the primary target of attackers. Although the security guarantees provided by the Android platform have improved significantly with each new release, we still see new vulnerabilities being reported every month. Vulnerabilities in the underlying Linux kernel are particularly dangerous because of their severe impact on app security. To protect against a compromised kernel, some critical functions of the Android platform such as cryptography and local user authentication have been moved to a Trusted Execution Environment (TEE) in the last few releases. But the Android platform does not yet provide a way to protect a user’s confidential input meant for a remote server, or, the server’s confidential output meant for the user, from a compromised kernel. Our work aims to address this gap in Android’s use of TEEs for app security. We have proposed an API that a Trusted App running in a TEE can provide to the untrusted apps running in the REE (Rich Execution Environment).This API will allow app developers to leverage the TEE’s protection for fetching confidential input from and showing confidential output to the user. We have described how this API can be used to implement a secure payment system that can prevent fraudulent transactions even in the presence of a compromised kernel. We have implemented the proposed API on a device with a TEE built on ARM’s TrustZone technology.