Ledger’s TEE trustlet for smartphone bitcoin wallets released
Ledger recently announced that its Android application, called the Ledger trustlet, is available for download. Trustlet users can create and import HD wallets, as well as send and receive transactions, all using a Trusted Execution Environment (TEE).
As the world becomes more connected, smartphone adoption is on the rise. The Mobile Economy 2015 report, by the GSM Association, states that smartphone devices accounted for 60% of connections in developed markets at the end of 2014, ranging from 51% in Europe to 70% in North America.
The popularity of mobile banking has risen alongside smartphone usage. According to a 2015 survey by the Board of Governors of the Federal Reserve System, 87 percent of the U.S. adult population has a mobile phone and 52 percent of smartphone owners with a bank account have used mobile banking in the 12 months prior to the survey.
Meanwhile, 67 percent of the unbanked have access to a mobile phone while 90 percent of the underbanked have access to a mobile phone, 73 percent of which are smartphones.
However, the problem with keeping bank account data on a smartphone is that it’s a highly-connected device that has more potential for hacking or loss than a typical desktop computer.
Although phones are targeted far less often than desktops, they don’t typically have firewalls, nor do most smartphones run anti-virus or anti-malware programs. This means that anything of value on a phone is potentially an easy target for thieves, both the physical and cyber varieties.
“As of 2014, Symantec has identified more than 1 million apps that are classified as malware. This includes 46 new families of Android malware in 2014. In addition, there are perhaps as many as 2.3 million ‘grayware’ apps that, while not technically malware, display undesirable behavior, such as bombarding the user with advertising.”
– Symantec
There are currently over 40 Bitcoin wallets in the Google Play app store alone. Bitcoin wallets and smartphones go together like the proverbial chocolate and peanut butter, if for no other reason than convenience.
Like a moth attracted to a light bulb, this unhealthy relationship could have persisted unchecked had Ledger not decided to leverage a little-known security option.
Ledger recently announced that its Android application, called the Ledger trustlet, is available for free download in the Android App store. Trustlet users can create and import HD wallets, as well as send and receive transactions, all using a Trusted Execution Environment (TEE).
The app installs within the TEE, a secure area of the main processor in a smartphone. The isolated execution environment guarantees that code and data loaded inside it are fully protected from malware or hacking attempts.
This is a strong security advantage when running your bitcoin wallet. All private key storage and transaction signing are done from inside it, with keys never leaving the secure execution space. The process is just the same as with the external Ledger Nano, but it’s all done on the phone with no other hardware to keep track of and protect.
ARM, the maker of many Android-based smartphone CPUs, created TEEs over five years ago, with the intention that banks could use them for highly secure, mobile apps.
The technology is currently available on certain models of Samsung Galaxy smartphones, specifically Samsung phones with Trustonic TEEs that feature a “Trusted UI.” The technology itself is based on an open standard, so other phone makers can add TEEs to their phone lines without having to worry about licenses and patents.
Mycelium and GreenBits provide the first bitcoin wallets that are TEE compatible. According to Mycelium wallet’s product manager, Dmitry "Rassah" Murashchik, the limited number of smartphone companies leveraging the technology has more to do with the hardware device drivers than with the TEE hardware itself.
“Most phones have these chips already, but different phones require different drivers to be able to access the chips.”
– Dmitry Murashchik, Mycelium
Despite only being available on a limited number of handset models, the number of compatible units is quite substantial. In June 2015, EE Times reported that Samsung expected to sell 45 million units of Galaxy S6 and S6 Edge smartphones last year.
The app’s maker and Ledger CEO, Eric Larchevêque, first unveiled a demo of the app a year ago on YouTube. However, the current interface is far smoother and more intuitive than the demo.
One interesting upgrade is the presentation of the fingertip-drawn security image created by the user when creating the account, much like the security image in online banking. In the demo version, it was just a static image. This trustlet, however, adds another layer of security by displaying a video of the image being drawn. This confirms that the trustlet is being used and not a spoofed screen, making it even more difficult for a thief to recreate.
The trustlet loads like any other app from the Google Play store. Whenever a compatible wallet is loaded on the same device, the wallet will automatically recognize the trustlet and quickly pair the two together.
Early reviews of the trustlet are overwhelmingly positive: it has earned 4.7 out of five stars in the Google Play store, albeit from 15 early reviews. Rassah also mentioned that he has used it “for hundreds of transactions” since September, and has never had a problem: “I’m a terrible beta tester, not being able to find any bugs.”