ARM aims to secure smartphone transactions
Chip design company ARM and German banking security company Giesecke & Devrient have announced a partnership, which they say will lead to more secure smartphone-based online transactions.
The agreement, announced on Wednesday, centres on ARM's TrustZone technology and G&D's Mobicore secure operating system. Already built into ARM system-on-a-chip (SoC) designs such as Cortex-A9, TrustZone is a secure area used for digital transactions and digital rights management. The new deal will see the lightweight Mobicore running in that zone, alongside but separate from the main handset operating system.
In a statement, the companies said their combined technology would make it possible to enter usernames, passwords and other sensitive information into a smartphone while making sure that malware cannot see or manipulate that data.
"This collaboration with G&D will enable us to make rapid progress towards enabling secure transactions in next-generation mobile devices," said ARM marketing chief Ian Drew. "Acceptance of mobile applications such as banking, ticketing and payment solutions rests on the security of device and background systems involved."
Kai Grassie, G&D's head of new business, said the partnership will let people "access highly valuable services with convenience and security".
The idea originated from ARM's work on payments based on near-field communications (NFC), the short-range form of contactless RFID technology that is built into some new bankcards and travelcards such as London's Oyster card, ARM security technology manager Rob Brown said on Tuesday.
"We also realised we had a very neat solution for remote transactions," Brown told ZDNet UK. "Smartphones are increasingly used for browsing the internet and [we wanted to] make the online payment process easier and more convenient."
The technology "separates the problem of openness from security," Brown said.
"Things you want to hide from [an OS such as] Android, you can place in a secure domain," he noted. "When it comes to making a transaction, the processor will switch into a secure mode, so fast the user won't know it's happening. Once [the username and password are] entered and encrypted, it's back into the normal world, and the handover is made seamless to the user."
Brown suggested that ARM and G&D's work could also solve some of the wider issues in the IT space to do with strong authentication — providing a secure area for security tokens and certificates on devices that can only be accessed by service providers. He said the technology was similar to that used in point-of-sale terminals, in that it lets the various companies involved in the transaction "trust the platform, but not necessarily trust each other".
Use cases could include location-based services, where a loyalty application could interact with a smartphone mapping application while preserving the user's privacy, or strong on-device authentication for enterprise applications, Brown said.
ARM joined the GlobalPlatform smartcard industry body at the end of January. According to Brown, the company will donate the application programming interfaces (APIs) for its security technology to the group's members.
The technology will be shown running on a demonstration device at Mobile World Congress in Barcelona from 15-18 February, Brown said, adding that ARM was already talking with three major handset manufacturers about the types of services they would like to protect.
"It could be app stores," Brown said. "We are also talking with major payment service providers about how to implement a security evaluation program. There will potentially be a pilot next year — it will possibly be two years before this is a mass-market technology."