17 Jul 2024
by Ivan Kinash

How virtual trusted execution environments can drive mobile payment growth and innovation

Guest blog from Ivan Kinash, the co-founder and CEO of Licel, a global leader in mobile channel protection.

As a mobile channel protection company, we understand that it can sometimes be challenging to visualise the threats facing applications and how and where protection mechanisms operate.

It might help to imagine for a moment that a mobile application is a bit like a passport. As you flick through your passport you’ll notice lots of anti-tampering and integrity control measures in there. Different layers have been added over the years, from the watermarks to the hologram images and unique ID numbering. But by far the most modern and impressive form of integrity control is the chip inside your passport that enables it to be immediately scanned and verified.

At Licel we’ve just launched a virtual trusted execution environment (known as a vTEE) that is the software equivalent of the chip inside your passport. The Licel vTEE is a digital chip that operates inside mobile applications to provide an ultra-secure, isolated environment for sensitive transactions and operations to take place.

In the following paragraphs I’ll explain what vTEEs are and why they have the ability to transform app security and accelerate growth for innovative payment solutions. 

How secure are our modern payment habits? 

In recent years the use of mobile phones for payment transactions has become so normalised that you might look twice if you see somebody using an Oyster Card on the London Underground.

For many of us, mobile payments have become such a mainstay of everyday life that we don’t even think about it when we make them. 

But it’s worth reminding ourselves that the mobile phone hasn’t been designed specifically to make and receive payments securely in the same way that a chip card or card reader has. It’s perhaps unsurprising that mobile fraud has increased in parallel with our evolving payment habits. Losses from online payment fraud are expected to reach $362 billion between 2023 and 2028.

There’s a danger, then, that increasingly sophisticated cyber threats might check the growth of innovative payment solutions like mobile wallets and SoftPOS solutions (where vendors can use their mobile device as a payment terminal).

These are two of the many potential use cases that we had in mind when we were developing the Licel vTEE solution.

Let’s explore them both in a bit more detail.

How vTEEs enhance app security and drive growth

Operating inside mobile apps, vTEEs provide a secure execution environment for trusted applications to perform sensitive transactions and operations. As well as a secure storage space for sensitive key material and assets, vTEEs also come with dynamic security mechanisms based on the very latest cryptographic techniques.

The Licel vTEE can also leverage the security measures of DexProtector, our mobile application protection solution. That means it can call on various layers of protection, including white-box cryptography, device binding, runtime application self-protection, encryption, and obfuscation, among others.

These protection layers are hugely important for mobile wallet and SoftPOS solutions as they both process sensitive payment transactions such as PIN entry, and store payment credentials. The vTEE makes sure that these tasks take place in an isolated and secure environment that cannot be tampered with or exploited by attackers.

With mobile fraud being such a persistent problem, this additional layer of integrity control is absolutely vital. Indeed, regulations such as PCI MPoC (for SoftPOS solutions) and EMVCo SBMP TEE (for mobile wallets) actually require developers to make use of trusted execution environments to make sure that attacks targeting sensitive transactions cannot succeed.

The v in vTEE stands for “virtual”, but most trusted execution environments are still physical, hardware-based solutions that consistently come up against the same challenge: they take a long time to be fixed or updated if and when vulnerabilities are discovered.

The best tech embraces harmony between hardware and software - indeed, without hardware we wouldn’t have been able to develop our vTEE. But a virtual trusted execution environment can have a massive impact on efficiency in this case. A traditional hardware TEE could be out of action for weeks or months whereas for a vTEE this would be days or even hours. This can be the difference between maintaining or losing revenues and reputations.

What does the future hold for vTEEs?

Earlier in this article we compared the vTEE to the chip inside your physical passport. Well, right now governments around the world are working on plans to make passports and other IDs digital. As a virtual chip, the vTEE could become the ideal digital replacement for the passport chip, ensuring integrity when sensitive operations are carried out with digital IDs, such as ordering ePrescriptions, accessing government services, or applying for a bank account.

vTEEs could also help to provide a secure environment for training AI models and protecting their data from tampering. Reverse engineering attempts by bad actors or competitors would also be blocked as the vTEE could secure both the model and its parameters.

The vTEE’s enhanced security functionalities could even be a perfect match for protecting the rendering of sensitive data for AR and VR processes. By providing a secure environment for executing code, the vTEE could protect them against malware and other malicious activities.

Find out more about the Licel vTEE.