The Threat: Hooking frameworks like Frida intercepting app logic at runtime.
The Impact: Bypassed biometric checks and compromised transaction integrity.
Legacy Failure: TEE protects keys but not the execution flow surrounding them.
The Solution: Continuous hardware-level verification of the entire execution environment.
A TEE is an isolated area of the main processor that guarantees the confidentiality and integrity of the code and data loaded inside it.
While the TEE keeps cryptographic keys safe, it does not prevent an attacker from using hooking tools to manipulate the application logic that triggers those keys.
TrustSig provides continuous hardware-level telemetry verification, ensuring that the environment triggering a biometric or cryptographic check has not been tampered with or faked.
The Illusion of Hardware Security
In our opinion, many developers operate under the assumption that if their application utilizes a Trusted Execution Environment (TEE) or a Secure Enclave, their sensitive operations are immune to tampering. While it is true that these hardware components provide a robust vault for cryptographic keys, we think this creates a dangerous sense of complacency.
The reality is that a TEE is only as secure as the application logic that interacts with it. If an attacker can manipulate the code that calls the TEE, the security of the vault becomes irrelevant.
The Anatomy of a Hooking Attack
Modern mobile security is often undermined by dynamic instrumentation tools like Frida. These frameworks allow an attacker to inject code into a running process, effectively hooking into functions at runtime.
When a banking app or a secure service requests a biometric check, it typically executes a series of function calls. An attacker does not need to break the encryption inside the Secure Enclave to succeed. Instead, they simply hook the function that returns the result of the biometric check. By forcing that function to return a success signal, the attacker bypasses the hardware-backed authentication entirely.
In our view, this is the Secure Enclave Gap. The hardware is doing its job perfectly, but the software environment surrounding it is compromised.
Why Legacy Defenses Fall Short
If you rely solely on standard integrity checks or TEE-based key storage, you are likely missing the bigger picture.
- Static Analysis: Traditional app integrity checks often look for signs of tampering at rest. They struggle to detect sophisticated, memory-resident hooks that only exist while the app is running.
- False Sense of Security: Developers often assume that because they use hardware-backed keys, their transaction signing process is secure. However, if the transaction data itself is modified before it reaches the TEE, the signature will be valid, but the instruction will be fraudulent.
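The hooking attack described above and the transaction-signing point in the last bullet, modelled as an added example (not TrustSig's code): a simulated enclave stands in for a TEE-held key, a shared HMAC key stands in for the hardware signature, and the hook is modelled as the app seeing a flipped biometric result. The weak flow trusts that boolean; the hardened flow only accepts a signature over a challenge the server itself bound to the transaction.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed model of the "Secure Enclave Gap": the enclave is sound, but app code
# that trusts a plain boolean can be hooked. A real hardware key would be asymmetric
# and the server would hold only the public key; HMAC is a stand-in here.

class SimulatedEnclave:
    """Stand-in for a TEE-held key that signs only after its own biometric gate."""
    def __init__(self, key: bytes) -> None:
        self._key = key  # never leaves the enclave in this model

    def sign_if_authenticated(self, biometric_ok: bool, challenge: bytes) -> Optional[bytes]:
        if not biometric_ok:
            return None  # gate enforced inside the enclave, out of reach of app hooks
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Server:
    """Relying party: issues a transaction-bound challenge and verifies the answer."""
    def __init__(self, key: bytes) -> None:
        self._key = key  # model simplification; see note above
        self._pending: Dict[bytes, bytes] = {}

    def issue_challenge(self, tx: str) -> bytes:
        nonce = os.urandom(16)
        challenge = hashlib.sha256(nonce + tx.encode()).digest()
        self._pending[challenge] = tx.encode()  # server keeps its own record of the tx
        return challenge

    def accept_weak(self, approved: bool) -> bool:
        # Legacy pattern: trusts a client-side boolean that a runtime hook can flip.
        return approved

    def accept_signed(self, challenge: bytes, signature: Optional[bytes]) -> bool:
        # Hardened pattern: only a valid signature over a challenge this server issued counts.
        if signature is None or challenge not in self._pending:
            return False
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def run_flows(real_biometric_ok: bool, hook_flips_result: bool) -> Tuple[bool, bool]:
    """Return (weak_flow_accepted, signed_flow_accepted) for one payment attempt."""
    key = os.urandom(32)
    enclave, server = SimulatedEnclave(key), Server(key)
    seen_by_app = real_biometric_ok or hook_flips_result  # what the hooked app code sees
    weak = server.accept_weak(seen_by_app)
    challenge = server.issue_challenge("pay 100 EUR to ACCT-1")  # constructed sample tx
    signed = server.accept_signed(challenge, enclave.sign_if_authenticated(real_biometric_ok, challenge))
    return weak, signed
```

With a genuine biometric both flows accept; with a hooked result and no real biometric, only the weak flow accepts, because no signature is ever produced.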
Deterministic Bot Mitigation
At TrustSig, we believe that security must be continuous and deterministic. We do not just verify that a key is stored in a secure location; we verify the integrity of the entire execution environment.
By monitoring hardware-level telemetry, we can detect the presence of instrumentation frameworks and emulators that attempt to hook into your application. Our approach ensures that the glance or touch that triggers a biometric check is coming from a genuine, untampered consumer device.
We provide a layer of defense that sits outside the application process, making it impossible for an attacker to hide their presence through simple function hooking. By validating the hardware layout and rendering signatures of the requesting client, we ensure that your application logic remains protected from the moment it launches until the transaction is complete.