GlobalPlatform standardises a secure channel to optimise for mobile apps security

Optimising mobile device security

Redwood City, CA, USA. June 11, 2015 GlobalPlatform has published an upgrade to its Card Specification v2.2 to protect the data exchange between a secure element (SE) and a trusted execution environment (TEE) on a mobile device.

The ‘GlobalPlatform Secure Channel Protocol 11’ addresses the increasing number of use cases, such as mobile banking, where applications utilise both the SE and TEE to protect a secure service. The document is particularly relevant to secure application developers and issuers, and can be downloaded free of charge. (See also: GlobalPlatform device compliance programme will enhance secure mobile application deployments.)

Karl Eglof Hartel
Karl Eglof Hartel

“This advancement focuses on making the best use of security that is already present on the device,” comments Karl Eglof Hartel, chair of the GlobalPlatform Card Committee and Director for Standards and Innovation in the Mobile Security business unit at Giesecke & Devrient. “Data breaches are growing daily and as more secure services are deployed to mobile devices, hackers will follow. This update seeks to better combine the security characteristics of the SE and TEE, ensuring that the communication channel between them is secure.”

In use cases like biometric authentication, virtual private networks (VPN) or mobile banking, the SE in the device is used to store the critical part of the application and its associated cryptographic keys. In parallel, the trusted application resides in the TEE to enable management of the end user and backend interaction prior to a transaction being authorised. The Secure Channel Protocol 11 protects the data being transferred between these two secure components.

“The combination of advanced cryptography and the secure components simplifies the delivery of secure services,” adds Karl Eglof. “Data is secure while stored in the SE and TEE, and this channel further strengthens the protection of sensitive data when it is in transit. We have brought forward this update to answer a market need for more effective security and to support the long-term requirements of secure application developers and issuers.”

From a technical perspective, data passed between trusted applications stored in the TEE and SE is protected by the secure channel, which is established by GlobalPlatform’s TEE SE API. Elliptic curve cryptography (ECC) is used for the generation of the session keys for encryption and authentication. It also provides perfect forward secrecy (PFS) by using ephemeral keys, preventing the decryption of the data by attackers, should they also get hold of the long-term keys.


The document can be downloaded free of charge from the GlobalPlatform website.

Recent Articles

Improving data security will create the next IoT boom

Posted on: September 18, 2020

The security of the internet of things (IoT) remains a key barrier to its proliferation. Research analysed by Business Insider found that 44% of American consumers were “very concerned” about the possibility of information and privacy leaks becoming a reality when it comes to their connected devices, indicating the scale of the concern, says Jocelyn Brown, freelance

Read more

How connected teddy bears, coffee makers and cars are challenging security teams

Posted on: September 18, 2020

In a new Palo Alto Networks study, technology leaders have acknowledged they need to step up security to face an IoT influx.Smart teddy bears, implanted heart monitors, electric cars and other connected devices are regularly connecting to corporate networks, prompting technology leaders to warn that significant action should be taken to prevent these devices from

Read more