Trusted User Interface

Background

The Trusted User Interface allows a Trusted Application to interact directly with the user via a common display and touch screen. It protects the confidentiality and integrity of the information exchanged between a Trusted Application and the user from the Rich OS, using the hardware isolation built into most modern smartphones. This makes the following features possible:

  • Secure Input: The information entered by the user to a Trusted Application cannot be derived or modified by any software within the Rich OS or by another unauthorized Trusted Application.
  • Secure Display: The information displayed by the Trusted Application cannot be accessed, modified, or obscured by any software within the Rich OS or by another unauthorized Trusted Application.
  • Security Indicator: The secure display can be complemented by a Security Indicator. The Trusted Application securely displays a secret previously shared with the user and the entity they are transacting with, giving the user confidence that the screen is actually being displayed by a Trusted Application.

How does this improve the security of my application?

Trusted User Interface prevents malware from seeing user interactions. Ask yourself:

  • Does your application need to display information to the user securely?
  • Does your application require the user to authenticate themselves, perhaps via PIN or passcode?
  • Could your service benefit from higher trust interacting with a more secure device?

Let’s look at an example to illustrate the point. Take a mobile payment application: the user is required to enter their PIN to approve a transaction, just as we do at the supermarket when paying with a credit or debit card. For argument’s sake, assume the phone is compromised; it is infected with malware that can capture user input. When the user enters their PIN, the malware sees it, so the attacker now holds very sensitive data that can later be used to replay or instigate unauthorised payments.

With Trusted User Interface, the logic for authenticating the user is implemented as a Trusted Application, and user input is captured by the Trusted User Interface feature. When the user enters their PIN, the main OS (and consequently any malware running on it) cannot see the touch events and cannot capture the display.
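The following Python model illustrates the two PIN-entry flows described above. It is an added example, not Trustonic code and not the GlobalPlatform TEE TUI API: the RichOS, TouchScreen and TrustedApp classes are hypothetical and exist only to show which component receives the touch events, what a hooking keylogger in the Rich OS can observe, and that with a TUI session only the verification verdict (never the PIN) crosses the Rich OS / TEE boundary. It also shows the Security Indicator being placed on the secure display for the duration of the session.

```python
"""Model of PIN entry with and without a Trusted User Interface (TUI).
Added illustration with hypothetical classes; not the real TEE TUI API."""
import hashlib
import hmac
import secrets


class RichOS:
    """Rich OS input stack with a malicious input hook installed."""

    def __init__(self):
        self.app_input = []    # what a normal client application reads
        self.malware_log = []  # what a keylogger in the Rich OS observes

    def on_touch(self, key):
        self.malware_log.append(key)
        self.app_input.append(key)

    def on_event(self, msg):
        self.malware_log.append(msg)


class TouchScreen:
    """Shared touch hardware. While a TUI session holds it, events go to the
    secure-world handler and the Rich OS input driver never sees them."""

    def __init__(self, rich_os):
        self.rich_os = rich_os
        self.secure_handler = None

    def press(self, key):
        if self.secure_handler is not None:
            self.secure_handler(key)
        else:
            self.rich_os.on_touch(key)


class TrustedApp:
    """PIN-verifying Trusted Application; the PIN reference never leaves it."""

    def __init__(self, pin, indicator):
        self.indicator = indicator      # secret shared with the user in advance
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash(pin)
        self.last_screen = None         # what the secure display currently shows

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, pin):
        return hmac.compare_digest(self._hash(pin), self._pin_hash)

    def begin_pin_entry(self, screen, rich_os, pin_len):
        """Open a TUI session: claim the screen and show the Security Indicator."""
        ta, digits = self, []

        class Session:
            def __init__(self):
                rich_os.on_event("tui-session-start")   # all the Rich OS learns
                screen.secure_handler = digits.append
                ta.last_screen = f"Enter PIN  [indicator: {ta.indicator}]"

            def finish(self):
                screen.secure_handler = None
                rich_os.on_event("tui-session-end")
                ta.last_screen = None
                ok = len(digits) == pin_len and ta.verify("".join(digits))
                digits.clear()   # the PIN is discarded inside the TEE
                return ok        # only the verdict crosses the boundary

        return Session()


def pay_without_tui(screen, rich_os, ta, pin_digits):
    """Client app draws its own PIN pad in the Rich OS, then hands the PIN to the TA."""
    rich_os.app_input.clear()
    for d in pin_digits:
        screen.press(d)
    pin = "".join(rich_os.app_input)   # the hook already holds every digit
    return ta.verify(pin)


def pay_with_tui(screen, rich_os, ta, pin_digits):
    """Client app asks the TA to collect the PIN through a TUI session."""
    session = ta.begin_pin_entry(screen, rich_os, len(pin_digits))
    for d in pin_digits:
        screen.press(d)                # routed to the TA, not the Rich OS
    return session.finish()


def demo(pin="4921", indicator="blue-heron"):
    """Run both flows with a constructed PIN and report what the hook captured."""
    rich_os = RichOS()
    screen = TouchScreen(rich_os)
    ta = TrustedApp(pin, indicator)
    approved_plain = pay_without_tui(screen, rich_os, ta, list(pin))
    leaked_plain = list(rich_os.malware_log)
    rich_os.malware_log.clear()
    approved_tui = pay_with_tui(screen, rich_os, ta, list(pin))
    leaked_tui = list(rich_os.malware_log)
    return {"approved_plain": approved_plain, "leaked_plain": leaked_plain,
            "approved_tui": approved_tui, "leaked_tui": leaked_tui}


if __name__ == "__main__":
    print(demo())
```

Both flows approve the transaction, but in the first the Rich OS hook logs every digit, while in the second it sees only that a TUI session started and ended. The verdict-only return value is the design point: the client application in the Rich OS never needs the PIN, so the interface should not hand it one.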

In action

The video below shows the Trustonic demo PIN pad example running on a Samsung Galaxy S6.

  • The developer options “Show touches” and “Show pointer location” are enabled to illustrate what the rich operating system sees.
  • When we launch the PIN pad example, we enter the trusted display: touch events are no longer seen by the rich operating system.