Securing Smartphones: A Micro-TCB Approach

As mobile phones have evolved into ‘smartphones’, with complex operating systems running thirdparty software, they have become increasingly vulnerable to malicious applications (malware). We introduce a new design for mitigating malware attacks against smartphone users, based on a small trusted computing base module, denoted μTCB. The μTCB manages sensitive data and sensors, and provides core services to applications, independently of the operating system. The user invokes μTCB using a simple secure attention key, which is pressed in order to validate physical possession of the device and authorize a sensitive action; this protects private information even if the device is infected with malware. We present a proof-of-concept implementation of μTCB based on ARM’s TrustZone, a secure execution environment increasingly found in smartphones, and evaluate our implementation using simulations.