CRII: SaTC: Vetting and Improving the Usage of Trusted Execution Environments for Authentication in Mobile Devices

Project Details

Performance Period

Jun 01, 2019 - May 31, 2021

Institution(s)

University of Iowa

Award Number


In mobile devices, authentication protocols are used to ensure that users' intentions are communicated untampered to the applications' backend servers. Unfortunately, traditional authentication protocols do not defend against "root-attackers," i.e., attackers able to fully compromise the main operating system of a victim's device. Trusted Execution Environments (TEEs), specific hardware components available in modern mobile devices, can be used to mitigate this threat, since they run a separate, smaller codebase than the main operating system. This project explores how it is possible to use TEEs to implement "root-resilient" authentication protocols, i.e., authentication protocols effective against root-attackers.

This project is divided into three main tasks. The first task consists of performing a comprehensive study of the existing Application Programming Interfaces (APIs) that developers of mobile apps can use to interact with TEEs. This study will concentrate on understanding if and how these APIs can be used to implement root-resilient authentication protocols. The second task focuses on developing an automated analysis system that will be used to perform a large-scale study assessing the security of TEE-based authentication protocols implemented by existing applications. The third task consists of implementing an authentication framework that helps developers use TEEs for authentication purposes.

The project has the potential to improve the security of millions of mobile device users by enabling root-resilient authentication in thousands of mobile application programs. By performing a large-scale analysis of such mobile "apps", this project will identify weaknesses in existing programs. Additionally, the authentication framework developed by this project could potentially allow thousands of developers to implement root-resilient authentication protocols with reduced effort. The developed software, techniques, and findings will be disseminated by releasing the source code of the implemented software, publishing academic articles, and presenting results at academic conferences.

In addition, the produced software and data will be shared on a dedicated website (http://homepage.divms.uiowa.edu/~bianch/mobiletees/). After project completion, the produced software and data will remain available for at least three years.