Dejamobile reports on the development of a generic TEE solution for securing HCE mobile payment apps


PARTNER NEWS: Card issuers could soon be able to more easily make use of trusted execution environments (TEEs) to add security to their HCE mobile payments apps, mobile transaction specialist Dejamobile explains in a new white paper which is now available to download free of charge from the NFCW Knowledge Centre.

‘Enhancing HCE mobile payments with TEEs’ details work taking place in France to develop a ‘generic secure trusted application’ that any card issuer or HCE provider would be able to integrate into their mobile payments service to provide additional security.

The project is a collaboration between Dejamobile, France-based payment scheme operator Cartes Bancaires (CB) and TEE provider Trustonic.

“Conceptually, from an application developer’s perspective, secure elements and trusted execution environments are somewhat similar,” Dejamobile explains in the white paper.

“An SE is efficient in protecting both code and data, but it also has several drawbacks.

Demanding

“A secure element has very limited computation and memory capabilities, making it hard to use today, when applications are demanding more and more computational power and end users are expecting a high-performance experience, especially during biometric authentication.

“Moreover, an SE cannot communicate with the user through a trusted user interface, so it can’t currently provide a secure method for user authentication, either through PIN code entry on screen or through biometrics.

“Finally, it is often costly to implement solutions using SEs, for hardware, technical and ecosystem reasons.

“Compared to the SE approach, a TEE offers better technical capabilities in terms of performance, memory and processing power.

“The security offered by a TEE relies on environment separation. GlobalPlatform-compliant TEEs are designed to ensure hardware-based separation from the rich OS. This allows TEEs to deliver high-performance computational power and strong security, without requiring an extra chip to be integrated in the system.”

SECURI-TEE: Dejamobile’s HCE-TEE architecture adds security on the user device

“Dejamobile has designed and implemented a TEE-based toolbox, a generic ‘trusted app’ for HCE solution providers”, the company explains in the paper. “It allows HCE solution providers to replace all the sensitive operations of their applications, such as manipulating critical assets or authenticating users.

“The trusted app implements the minimum necessary set of HCE payment business logic, allowing HCE solution providers to benefit from an optimal flexibility in their architecture design.”

“All the critical assets are managed by the trusted application,” Dejamobile adds. “The sensitive operations are delegated to the trusted execution environment.”

Readers interested in finding out more about the use of TEEs in the context of HCE mobile payments, how TEEs can provide stronger security and minimize the possibility of successful attacks, and how a generic secure trusted application would work in practice can download the full white paper from the NFCW Knowledge Centre.