Good delivers smart card-level authentication to Android phones

Continuing the RSA 2015 theme that hardware-based security delivers better threat protection than software approaches, Good Technology is rolling out what it is calling the industry’s first Trusted Execution Environment for enterprise mobility management. Available initially for Android smartphones and tablets, Good’s solution protects your log-in credentials in a secure container, separate from Google’s operating system.

By isolating credentials into a separate container, Good says that even if Android gets compromised, malicious software won’t be able to intercept your passwords or PINs.

Chief technology officer Nicko van Someren says that Good was able to deliver this feature based on the TrustZone architecture on ARM-based processors. ARM processor cores can run the Android OS and have a secure component to house the separate trusted operating system to handle PINs.

Hardware-based approach

By migrating security to the hardware – in this case, a component of the ARM chip – Someren says that this approach is equivalent to having an enterprise-grade smart card for your phone or tablet. To use TrustZone, devices must have a ROM that supports this feature. Most high-end Android devices already ship with a TrustZone support today.

As part of its vision to expand secure mobility, Someren says that Good’s Trusted Execution Environment solution will help change the perception of Android. Current enterprise activation number is about three to one between iOS and Android, with businesses favoring Apple’s operating system because of security.

However, that may change as Trusted Execution Environment (TEE) will be able to protect login credentials even if Android is fully attacked.

As the credentials and the authentication lives outside of the rich operating system – Android – and inside the trusted operating system, malware would not be able to penetrate. User’s credentials cannot be accessed even if the device is rooted, and malicious attacks cannot intercept the user’s PIN or log keystrokes.

Simple PINs

Someren says that the TEE requires a trusted code, which is signed, to authenticate. This makes it secure and reduces friction as users no longer need complicated passcodes with hardware-based security.

In addition to achieving greater security in the event of a malicious code attack on Android, TEE also provides the benefit of simple PINs. Organizations and IT managers could ease requirements to allow shorter PIN codes without compromising security.

TEE will be able to authenticate itself with the back-end server using a PIN and the device’s hardware.

Single sign-on

Like Microsoft’s Device Guard for Windows 10, Good’s TEE will also allow horizontal single sign-on. Once a user authenticates with the system, the user will automatically be signed on to other apps that are part of Good’s suite. This suite includes over 1,600 partner and customer applications developed on the Good Dynamics Secure Mobility Platform.

Someren and his team demonstrated horizontal single sign-on on an Android Kyocera smartphone. With Good’s suite installed, a user would log into Good, and a user would also be logged on to connected apps, like Microsoft’s Lync communication tool.

In the past single sign-on across different third-party apps was not possible because it would expose the log-in credentials. This is no longer the case with TEE.

TEE will be available to customers starting May.