Sequitur Labs Inc. Proprietary ©2014 1

Securing Android Apps using Trusted Execution Environment (TEE)- 07/08/14

Presented by:Mike Hendrick

VP Product Dev @ Sequitur Labs

Sequitur Labs Inc. Proprietary ©2014 2

COMPANY BACKGROUND

Founding

Experience

Team Incorporated in 2010 Prior decade of work on mobile

platforms Domain expertise in

authorization/authentication Large enterprise policy

frameworks

Phil Attfield – CEO, (Founder Signal9, acquired by McAfee)

Paul Chenard - CTO Mark Reed – COO Abhijeet Rane – VP Marketing Mike Hendrick – VP Product

Dev

Deep Experience in Network security Embedded systems / mobile Massive scale telecom systems Boeing, T-Mobile, Qualcomm,

HP

AT&T Trustonic ARM (working relationship) Atmel (working relationship)

Customers and Partners

Sequitur Labs Inc. Proprietary ©2014 3

OVERVIEW

Our Vision

Develop enabling technologies and solutions to better secure and manage connected devices of today and the future.

PCs Tablets IoTSmartphonesServers

Sequitur Labs Inc. Proprietary ©2014 4

WHY DOES IT MATTER? EVERYONE IS AT RISK.

Business enablers: Mobile + Devices + Cloud

New devices and use cases Changing IT and information

consumption environment for end users and enterprises

Changing and diverse security and manageability requirements

Traditional IT perimeter has vanished

The promise of mobility can only be realized if TRUST exists between users, services and devices

$5.5 millionU.S. average cost of data breach.

Sequitur Labs Inc. Proprietary ©2014 5

Trustonic TEE

Trustonic

Trustonic Microkernel

Trustonic DriverKernel Module

API

Trustonic Driver Kernel Module

Trustonic Driver

Trustonic Driver API

TRUSTZONE AND THE TEE ARM provides the

reference design for the TrustZone to be incorporated by

SoC manufacturers Device OEMs

Trustonic provides a Trusted Execution Environment (TEE) Protects against software

attack from open/Rich OS Provides scalable and

secure environment for apps like user auth, anti-malware, transactions

Two separate domains, normal and secure Extends across entire

system Secure

Processing path On/off-chip memory I/O and display

Increasingly available on devices

Sequitur Labs Inc. Proprietary ©2014 6

A HEALTHY ECO-SYSTEM IS FORMING AROUND THE TEE

Trustonic TEE Eco-system

Sequitur Labs Inc. Proprietary ©2014 7

DeadBolt™ – STREAMLINING ACCESS TO THE TEE

TrustZone enabled SoC

Trustonic Trusted Execution Environment

Sequitur Trusted ApplicationsSecure Storage

TEE-SSLAuthenticatio

n+++

Sequitur DeadBolt™ Java LibrarySecure Storage

TEE-SSLAuthenticatio

n+++

Android Application

Sequitur Labs Inc. Proprietary ©2014 8

DeadBolt Encrypt

DeadBolt Encrypt – provides data at rest encrypted storage

256 AES CBC cypher Encrypt an OutputStream Decrypt an InputStream DBCryptParams – specifies crypto parameters

APK_BOUND KEY_BOUND DEV_BOUND CUSTOM_BOUND NOT_BOUND

Errors Exception Version

Sequitur Labs Inc. Proprietary ©2014 9

Using FileOutputStream:

FileOutputStream fos = new FileOutputStream(pictureFile);

Using DBEncryptFileOutputStream:

DBEncryptFileOutputStream fos = new DBEncryptFileOutputStream(picturefile, MainActivity.main_activity, new DBCryptParams(MainActivity.CryptoParamMask, MainActivity.CryptoPassword));

DeadBolt Encrypt – Difference from Standard Android

Sequitur Labs Inc. Proprietary ©2014 10

Preform SSL encryption in the TEE

Only call is to initialize the connection DBSSL.Init(context);DBSSLSocketFactory.InitHttpsDefault();

Or

Socket sock=DBSSLSocketFactory.createSocket(host,port);

DeadBolt SSL

Sequitur Labs Inc. Proprietary ©2014 11

Local Authorization via Trusted User Interface Number PIN Code AlphaNumeric Passcode

One Time Password – HOTP based on RFC 4226

Remote Authorization Key Pair Generation Secure delivery of Key to Server Message Signing and Encryption Message Validation and Decryption

DeadBolt Authorization (Future)

Sequitur Labs Inc. Proprietary ©2014 12

DEVELOPING TEE SECURED APPS WITH DeadBolt™

Does not require developers with systems level development experience

Does not require learning new platform primitives

Significantly lower cost of initial and ongoing investment

Rapid time to market

Start developing app

Download and include DeadBolt™

in your app(development

license)

Complete app development and

testing

Get activation license for

commercial distribution

Publish app on public or private

app store

$$

Sequitur simplifies the development and commercial activation of a TEE secured app

Sequit

ur

Develo

per

Port

al

Sequitur Labs Inc. Proprietary ©2014 13

DeadBolt™ - KEY BENEFITS

Enterprise Developers

Enterprise ISVs/SIs/

Consultants

Device OEMs

Reduce time to market and cost

Easily leverage hardware based security

Deliver new value to customers

Deliver secure application platforms

Sequitur Labs Inc. Proprietary ©2014 14

SEQUITUR LABS INC.

Contact

Abhijeet Rane, VP Marketing, Abhijeet.rane@seqlabs.com Jennifer Multari, MarCom Manager,

Jennifer.Multari@seqlabs.com Mike Hendrick, VP Product Development,

Mike.Hendrick@seqlabs.com www.seqlabs.com