Device-side Security: Samsung Pay, TrustZone, and the TEE

Worlds apart from other wallet apps

Samsung’s Galaxy-class devices supporting KNOX and Samsung Pay employ ARM® TrustZone® technology, a system-on-chip (SoC) security architecture that establishes two hardware-based “worlds” — a Normal World and a Secure World. The Normal World is where non-secure software and data processing takes place. The Secure World is reserved for storage and computing of sensitive (encrypted) data and the associated cryptographic keys.

By erecting a strong security perimeter between the two worlds, hardware logic present in the TrustZone bus fabric prevents Normal World components from accessing Secure World resources. Pictured in Figure 3, the TrustZone monitor controls switching between worlds. Applications that run in the Secure World are called Trusted Apps (TAs).

Figure 3. TrustZone creates two parallel execution worlds

The combination of TrustZone-based hardware isolation, Trusted Boot and a trusted OS make up the TEE on Samsung devices running Samsung Pay (Figure 4).

Figure 4. Trusted Execution Environment (high-level view)

Shown in Figure 4, multiple TAs comprising the Samsung Pay architecture, such as those responsible for communications with the payment networks, run inside the TEE. There are others as well, including the trusted apps that handle user authentication and those responsible for managing data encryption and authentication keys for the Payment Framework. For user authentication, trusted drivers operating in the TEE control access to the fingerprint sensor and the touch sensor for the Trusted PIN Pad. These drivers only allow authentication information to be passed directly to the respective payment network trusted app (for Visa, MasterCard, American Express, et al) inside the TEE.

Each TA is given a unique identifier that is fixed for its lifetime and included in its cryptographically signed certificate. Communication between trusted drivers and trusted apps is restricted according to a whitelist of these identifiers. The whitelists are managed by the trusted drivers themselves and cannot be modified.

In addition to the NFC controller, an MST antenna enables transmission between Samsung Pay and mag stripe POS card readers. Like the fingerprint scanner and the touch sensor, use of the MST antenna is guarded by a trusted driver, which restricts access to the TAs for payment networks only. Moreover, only the card track data authorized by the corresponding payment network is passed to the merchant POS by the respective trusted app.

A number of other defense-in-depth measures come with the KNOX framework to ensure comprehensive application, OS, and device integrity, including:

TrustZone-based Integrity Measurement Architecture (TIMA)

TIMA is a unique feature on Samsung mobile devices. As previously discussed, TrustZone hardware effectively partitions memory and CPU resources into a “secure” and a “non-secure” world. TIMA, running in the Secure World, uses the TrustZone hardware to continuously monitor the integrity of the Linux kernel. Along with Secure Boot and Security Enhancements for Android (SE for Android), TIMA forms the first line of defense against malicious attacks on the kernel and core bootstrap processes. If kernel or boot loader integrity violations are detected, TIMA takes a policy-driven action in response, one of which is to disable the kernel and restart the device to a known good state, thereby safeguarding all TIMA-dependent features within the TEE, including Samsung Pay and the Samsung KNOX Workspace, from device-level attacks.

Secure Boot, Trusted Boot, and remote attestation

During the device boot process, each of the bootloaders, the TEE, and the hardened Android kernel are verified through code signing. Most importantly, only the Samsung-approved TEE hosting the security-critical payment data and operations of Samsung Pay can be loaded to the devices. This safeguard is called Secure Boot.

In addition to Secure Boot, Samsung devices employ Trusted Boot to measure and record the cryptographic fingerprints of the bootloaders, the TEE, and the Android kernel. Then, during the provisioning of payment credentials, the Samsung Pay server remotely verifies the integrity of these key pieces of system software — particularly the TEE — using remote attestation. If any one of these elements has been modified, payment credentials are not provisioned to the device.

Trusted Apps verification

Whenever a trusted app is loaded into memory, the TEE performs cryptographic verification of the binary — the app’s executable program — to further ensure that only authentic Samsung Pay TAs are executed and allowed to access payment credentials. This check is performed in addition to the initial verification performed when the Samsung Pay app is first installed on the device.
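The three checks described in the Secure Boot, Trusted Boot and remote attestation, and Trusted Apps verification sections can be modelled end to end. The following is an added example written for this page, not code from Samsung or the Samsung Pay whitepaper. It assumes a constructed boot chain of three images, uses HMAC-SHA256 with a constructed vendor key as a stand-in for the asymmetric code signatures a real Secure Boot uses, and models Trusted Boot as a TPM-style extend of a measurement register. The server side shows the decision that matters for provisioning: a stale nonce, a bad report MAC, or any measurement that differs from the known-good value refuses credentials.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key. Real Secure Boot verifies
# asymmetric signatures against a public key anchored in hardware; HMAC is used here
# only so the example runs with the standard library.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"
# Constructed stand-in for the device attestation key known to the Samsung Pay server.
DEVICE_ATTESTATION_KEY = b"constructed-device-attestation-key"


def sign(blob: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    return hmac.new(key, blob, hashlib.sha256).digest()


def verify_signature(blob: bytes, signature: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(blob, key), signature)


# Boot chain in load order; image contents are constructed placeholders.
BOOT_CHAIN = [
    ("bootloader", b"constructed bootloader image v1"),
    ("tee", b"constructed trusted OS image v1"),
    ("kernel", b"constructed hardened android kernel v1"),
]
SIGNATURES = {name: sign(image) for name, image in BOOT_CHAIN}


def secure_boot(chain, signatures):
    """Secure Boot: stop at the first stage whose signature does not verify.
    Returns (ok, name_of_failed_stage_or_None)."""
    for name, image in chain:
        if not verify_signature(image, signatures.get(name, b"")):
            return False, name
    return True, None


def trusted_boot(chain):
    """Trusted Boot: record each stage's fingerprint and fold it into a measurement
    register (new = H(old || H(stage))). Returns (per_stage_log, final_hex)."""
    register = b"\x00" * 32
    log = {}
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        log[name] = digest.hex()
        register = hashlib.sha256(register + digest).digest()
    return log, register.hex()


def make_attestation_report(chain, nonce: bytes) -> dict:
    """Device side: measurements bound to the server's nonce and authenticated
    with the attestation key, so an old report cannot be replayed."""
    log, final = trusted_boot(chain)
    mac = hmac.new(DEVICE_ATTESTATION_KEY, nonce + bytes.fromhex(final), hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "log": log, "final": final, "mac": mac}


def server_verify_attestation(report: dict, expected_final: str, issued_nonce: bytes) -> bool:
    """Server side: freshness, authenticity, then exact match against the known-good
    measurement. Payment credentials are provisioned only if all three hold."""
    if bytes.fromhex(report["nonce"]) != issued_nonce:
        return False
    expected_mac = hmac.new(
        DEVICE_ATTESTATION_KEY, issued_nonce + bytes.fromhex(report["final"]), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected_mac, report["mac"]):
        return False
    return hmac.compare_digest(report["final"], expected_final)


def load_trusted_app(name: str, binary: bytes, signature: bytes) -> bool:
    """TA load-time check: the same signature verification, applied to the TA binary
    every time it is loaded, not only at install time."""
    return verify_signature(binary, signature)


# Server's golden value, captured from a known-good build of the chain.
KNOWN_GOOD_FINAL = trusted_boot(BOOT_CHAIN)[1]


def tampered_chain():
    """Constructed modification of the kernel image, to show how each check reacts."""
    return [(n, img + b" +modified" if n == "kernel" else img) for n, img in BOOT_CHAIN]


if __name__ == "__main__":
    nonce = b"constructed-nonce-0001"
    print("secure boot (good):", secure_boot(BOOT_CHAIN, SIGNATURES))
    print("secure boot (tampered):", secure_boot(tampered_chain(), SIGNATURES))
    print("provision (good):", server_verify_attestation(make_attestation_report(BOOT_CHAIN, nonce), KNOWN_GOOD_FINAL, nonce))
    print("provision (tampered):", server_verify_attestation(make_attestation_report(tampered_chain(), nonce), KNOWN_GOOD_FINAL, nonce))
```

The two mechanisms are deliberately separate functions: Secure Boot refuses to run an unsigned stage, whereas Trusted Boot runs the stage but records what ran, which is what lets the server make its own decision later. A report that only carried the measurement without a server-chosen nonce could be captured from a clean device and replayed from a modified one, which is why the nonce is checked first.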

Mandatory Access Control (MAC)

By employing SE for Android, Samsung Pay enforces MAC to ensure that only the authentic Samsung Pay app is allowed to execute Samsung Pay-specific functionalities, thereby restricting access to trusted apps only.

SE for Android stops mobile apps from granting themselves extra privileges, prevents apps from sharing too much data, and prevents the bypass of security features.

User authentication

In Samsung Pay, user authentication is handled by either the fingerprint scanner or the Trusted PIN Pad (TPP), both of which reside in TrustZone. Only when authentication is successful is the result (the verdict — affirmative user authentication) securely transferred to the respective payment network TA, which then talks to the tokenized NFC or MST trusted app interface to execute the payment. All requests for authentication and responses specifying the verdict are encrypted with keys known only to the intended TA recipients, and all of this happens within the TEE. Authentication verdicts are immediately cleared after transmittal, so that a single user authentication cannot be used to attempt multiple payments.
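The two rules stated for the trusted drivers, the fixed whitelist of TA identifiers described earlier and the clearing of each verdict after transmittal described here, combine into one small access-control model. The following is an added example written for this page, not Samsung's code; the TA identifiers, the driver class and the verdict structure are constructed for illustration. It shows the three outcomes a practitioner would want to confirm: a caller outside the whitelist gets nothing, a verdict is redeemable only by the TA it was issued to, and a verdict authorizes exactly one payment no matter how many times it is presented.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed TA identifiers; a real TA's identifier comes from its signed certificate.
PAYMENT_TA_IDS = {"network_a_ta": "ta-0001", "network_b_ta": "ta-0002"}
NORMAL_WORLD_APP_ID = "nw-9999"  # constructed id for a caller that is not a TA


@dataclass(frozen=True)
class Verdict:
    verdict_id: str
    authenticated: bool
    recipient: str  # identifier of the TA this verdict was issued to


class TrustedAuthDriver:
    """Models the fingerprint / Trusted PIN Pad driver: it owns a fixed whitelist of
    TA identifiers, issues a verdict only to a whitelisted recipient, and clears the
    verdict the moment it is consumed."""

    def __init__(self, whitelist):
        # frozenset: the whitelist is set once by the driver and cannot be changed later.
        self._whitelist = frozenset(whitelist)
        self._pending = {}  # verdict_id -> Verdict, held only until redeemed

    def authenticate(self, recipient_id: str, sensor_ok: bool) -> Optional[Verdict]:
        """Request from a caller claiming recipient_id; sensor_ok is the sensor's result."""
        if recipient_id not in self._whitelist:
            return None  # not a payment TA: refused outright, no verdict of any kind
        verdict = Verdict(secrets.token_hex(8), sensor_ok, recipient_id)
        if sensor_ok:
            self._pending[verdict.verdict_id] = verdict  # only affirmative verdicts are held
        return verdict

    def consume(self, verdict_id: str, caller_id: str) -> bool:
        """Redeem a verdict on behalf of caller_id. pop() clears it on first use, so a
        second presentation of the same verdict finds nothing and is refused."""
        verdict = self._pending.pop(verdict_id, None)
        return verdict is not None and verdict.recipient == caller_id and verdict.authenticated

    def pending_count(self) -> int:
        return len(self._pending)


def payments_from_one_authentication(driver: TrustedAuthDriver, ta_id: str, sensor_ok: bool, attempts: int) -> int:
    """Authenticate once, then let the TA try `attempts` payments on that single verdict.
    Returns how many were authorized; the expected answer is 1 for a good authentication
    and 0 otherwise."""
    verdict = driver.authenticate(ta_id, sensor_ok)
    if verdict is None:
        return 0
    return sum(1 for _ in range(attempts) if driver.consume(verdict.verdict_id, ta_id))


if __name__ == "__main__":
    driver = TrustedAuthDriver(PAYMENT_TA_IDS.values())
    print("payments from one auth:", payments_from_one_authentication(driver, "ta-0001", True, 5))
    print("payments after failed auth:", payments_from_one_authentication(driver, "ta-0001", False, 5))
    print("normal-world caller gets verdict:", driver.authenticate(NORMAL_WORLD_APP_ID, True))
```

The property worth noticing is that single use is enforced by the driver that issued the verdict, not by the TA that receives it: a TA cannot hold a verdict back for reuse because the driver's own record of it disappears on the first redemption, which is the same effect the page describes as clearing the verdict after transmittal.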