In March 2021, Mobile Payments Today became a part of Payments Dive.

New specs offer guidance for trusted UIs on mobile devices

GlobalPlatform, an association that standardizes the management of applications on secure chip technology, has published "Trusted User Interface API Specification v1.0." The technical document is aimed at software developers who implement trusted applications that reside in the trusted execution environment and require sensitive information to be shared with and validated by the end user, the organization said in a news release.

According to the release, a trusted user interface is a specific mode in which a mobile device is controlled by the TEE, a secure area that resides in the main processor of a smartphone or other mobile device and ensures that sensitive data is stored, processed and protected in a trusted environment. The UI verifies that the information displayed on a mobile device screen comes from an approved application and is isolated from the rich operating system, which is vulnerable to malware attacks.

The new specs lay out how a UI should handle information that will be securely configured by the end user and securely controlled by the TEE. The standardization of the mode aims to reduce development cost, promote industry consistency and encourage market interoperability, the release said.

"As secure services such as near field communication payment applications and mobile wallets become increasingly popular on mobile devices, there is a need for greater and more interactive security that will allow an individual to authenticate themselves to those services," Gil Bernabeu, technical director of GlobalPlatform. "For example, bill payment, money transfer, purchasing products/services or document signature validation, all require some form of interaction with the end-user."

GlobalPlatform cited the example of an end user making a payment using a mobile wallet or payment application. A summary of the transaction is displayed in a new window by the TEE, ensuring that any non-secure applications stored in the rich OS environment cannot tamper with the payment details. End users can sign exactly what is shown on the screen and authenticate themselves by entering a PIN or password, the group said. As this authentication is carried out in the TEE, the activity is isolated within the handset and protected from unauthorized viewing.

"This reassures both the service provider and the end-user that the transaction is genuine and has not been undertaken or influenced by a hacker, virus or Trojan," Gil said.

As a next step, GlobalPlatform is promoting and mandating the use of a security indicator on a trusted UI. In the same way a padlock symbol indicates that a website is secure and trusted, the release said, inclusion of a security indicator on a user interface will reassure end users and service providers that a UI is a "trusted UI," meaning the screen is controlled by the TEE and isolated from the rich OS.

GlobalPlatform is also working to incorporate the management of biometrics to provide trusted fingerprint authentication, as well as potential integration with the trusted UI technology.

"The TEE will play a key role in promoting market confidence in secure mobile services," Gil said. "To ensure that it is commercially viable, we need to create standards that will reduce development time and product time to market. Interoperability and market consistency are key to achieving this. The GlobalPlatform Trusted User Interface API Specification is part of a portfolio of tools that GlobalPlatform has published to benefit this market and promote adoption and use of this important technology."

GlobalPlatform gave a presentation on the new platform at last week's "Trusted Execution Environment (TEE): Next Generation Mobile Security for Today and Tomorrow" conference in Santa Clara, Calif., an event dedicated to the TEE topic.
