Ensuring TEE integrity: trusted application validation

Christian DAMOUR, Head of Marketing – Security at FIME and Chair of the TEE Attack Expert Working Group

Standardized security certification of trusted execution environment (TEE) products is a big step forward, but is only half of the security story. We also need confirmation that trusted applications (TAs) running on top of a certified TEE can indeed be trusted. Here, a formal scheme is still lacking when the TEE is certified according to GlobalPlatform’s scheme for TEE security.

We are dealing with two types of TAs: security enforcing and non-security enforcing. Each requires the industry to take a different approach. This topic will be discussed in greater detail during my presentation at the TEE conference.

What are the requirements of the different TAs?

Security enforcing TAs – such as mobile payments, eID and signatures, DRM or corporate applications – will need to achieve full security certification, as TEE products do.

Conversely, non-security enforcing (non-SEF) TAs – such as loyalty, rewards and couponing – are less sensitive, but weaknesses can threaten the security of the platform (the TEE) and/or the other TAs. It is therefore best practice to ensure that non-SEF applications enforce some security rules via a validation process.

In both cases, a certified TEE may have developer guidance which applies to both kinds of TA developers, involving security rules to be enforced at TA level and to be checked by a lab through the certification or validation process.

Trusted applications: validation vs. certification

Security enforcing TAs have assets to be protected, and the services they offer need to be trusted. The TEE on its own does not offer enough security to protect these assets and the integrity of the services when in use. Additional security certifications are therefore required for security enforcing TAs.

Non-SEF TAs, on the other hand, have no such certification requirements as the benefits would be limited compared to the time and financial investments involved. A compromise needs to be found between full security certification and no security at all, as these applications could be used as a springboard to attack either the TEE itself or other TAs. Current best practice would see non-SEF TAs validated against selected development security rules. This is a short and cost-effective process, involving no penetration testing and, where possible, using automated tools.

What are the next steps for the market?

Security certification of TEE products has been standardized already, using either Common Criteria or GlobalPlatform’s scheme, with both processes based on the GlobalPlatform TEE Protection Profile.

For certification of security enforcing TAs, a composition approach, based on either Common Criteria or the GlobalPlatform scheme, is needed. This could take the form of an extension to the GlobalPlatform Composition Model for card-based secure elements. The certification of TAs could then be approached in two ways: using a Common Criteria-certified TEE product as the benchmark, or using a GlobalPlatform-certified TEE. For the latter, however, a formal certification process for TAs still needs to be defined.

For non-SEF TA validation to become a standard practice, we need the following:

  • The definition of a common set of security rules, via an extension of the GlobalPlatform Composition Model for card-based secure elements.
  • An agreed common process, involving the definition of a validation authority or certification body to run the scheme. This authority will accredit the laboratories, qualify the tools, endorse the validation results and issue validation approvals. It remains to be seen, but a body such as GlobalPlatform could take on this role.
  • Accredited laboratories to run the validation process and check the TAs against the pre-defined set of security rules.

The industry has come a long way in the last year but there is much still to be done. My peers and I will discuss this topic, and more, on 13 October in Santa Clara. We look forward to seeing you there. Also, don’t forget to come to the FIME demonstration table to receive an introduction to our GlobalPlatform-qualified TEE test tool, Global Device.



Privacy / Use Policy | Copyright © 2018 GlobalPlatform. All Rights Reserved