Today Good is announcing that the Good Dynamics MAM framework will soon be able to take advantage of devices that incorporate ARM TrustZone. The end result is that users will be able to replace longer passwords with shorter PINs.
Here’s a quick overview of how this works:
ARM-based devices that support ARM’s TrustZone technology can provide what’s known as a Trusted Execution Environment (TEE). The normal operating system on a device can’t see what’s going on in the trusted environment, and the trusted environment can retain its integrity even if the rest of the device is compromised. When the trusted environment is active, it has complete control of the device’s memory, touch inputs, screen buffer, and peripherals. There’s also a system to pass messages between the two environments.
Good is taking advantage of TrustZone by storing the keys for Good Dynamics-enabled Android apps in the trusted environment. To unlock an app, a user enters their PIN in the UI of the trusted environment, which verifies it and then allows the keys to be used to access Good Dynamics-enabled apps in the normal environment.
A shorter PIN is considered sufficient because the trusted environment is very difficult to attack with brute force. The PIN must be physically entered on the device, and a policy limiting the number of attempts can be set. The isolation of the trusted environment also keeps malware in the normal environment from stealing the PIN.
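As an added example (not Good's code, and not the actual Good Dynamics API), the following Python model shows the division of labour the description above implies: the normal-world app only sends an unlock request across the world boundary, while the trusted side collects the PIN through its own UI, checks it, enforces the attempt-limit policy, and only then hands back the app key. The message format, class names, and PBKDF2 parameters are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Illustrative model of the TrustZone unlock flow: the rich OS never handles the
# PIN, only an "unlock" message and the verdict. Names, the message format and
# the PBKDF2 parameters are assumptions for this example, not the product's own.
PBKDF2_ITERATIONS = 10_000


class TrustedEnvironment:
    """TEE side: owns the PIN verifier, the attempt counter and the app key."""

    def __init__(self, pin: str, app_key: bytes, max_attempts: int):
        self._salt = os.urandom(16)
        self._pin_digest = self._derive(pin)
        self._app_key = app_key
        self._max_attempts = max_attempts  # stand-in for the attempt-limit policy
        self._failures = 0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ITERATIONS)

    def handle_message(self, msg: dict, trusted_ui) -> dict:
        """Entry point for messages from the normal world. `trusted_ui` stands in
        for the TEE-controlled screen and touch input: the PIN it returns stays
        inside the TEE; only the verdict (and, on success, the key) crosses back."""
        if msg.get("op") != "unlock":
            return {"status": "error"}
        if self._failures >= self._max_attempts:
            return {"status": "locked"}  # limit reached: refuse before even prompting
        attempt = self._derive(trusted_ui())
        if hmac.compare_digest(attempt, self._pin_digest):
            self._failures = 0
            return {"status": "ok", "key": self._app_key}
        self._failures += 1
        return {"status": "locked" if self._failures >= self._max_attempts else "denied"}


class NormalWorldApp:
    """Good Dynamics-style app in the rich OS: it never sees the PIN, only asks the TEE."""

    def __init__(self, tee: TrustedEnvironment):
        self._tee = tee
        self.key = None  # populated only after the TEE reports success

    def unlock(self, trusted_ui) -> str:
        reply = self._tee.handle_message({"op": "unlock"}, trusted_ui)
        if reply["status"] == "ok":
            self.key = reply["key"]
        return reply["status"]
```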
The process of switching in and out of the trusted environment is hidden from users—the only thing that’s different is that they can use a PIN instead of a longer password, as they would on a device that doesn’t support TrustZone.
This is a significant development because there’s been a lot of talk and excitement over the years about using TrustZone in the enterprise. Samsung Knox devices have used TrustZone in various ways, but this is the first time we’ve heard about it being used for a third-party, app-level mobile app management framework.
For right now, only a small subset of flagship Android devices support this. Because of agreements with technology partners, Good was only allowed to mention that Samsung Galaxy S5 and newer devices will support the trusted environment features.