It’s TEEtime: A New Architecture that Brings Sovereignty to Smartphones

Modern smartphones are complex systems in which control over phone resources is exercised by phone manufacturers, operators, OS vendors, and users. These stakeholders have diverse and often competing interests. Barring some exceptions, users, including developers, entrust their security and privacy to OS vendors (Android and iOS) and need to accept the constraints they impose. The manufacturers protect their firmware and peripherals from the OS by executing in the highest privilege and leveraging dedicated CPUs and TEEs. OS vendors need to trust the highest privileged code deployed by manufacturers. This division of control over the phone is not ideal for OS vendors but is primarily disadvantageous for the users, who cannot freely install and isolate their applications or flexibly configure their access to peripherals.

In this work, we propose TEEtime -- a new smartphone architecture based on trusted execution that maintains compatibility with the existing smartphone ecosystem while allowing to balance the control that different stakeholders exert over phones. In particular, TEEtime makes users sovereign over their phones: It allows them to install sensitive applications in isolated domains with protected access to selected peripherals (e.g., display) alongside an OS (e.g., Android). TEEtime achieves this without relying on virtualization and hence without having to trust any hypervisor: TEEtime only assumes trust in a phone's firmware. Compared to existing (smartphone) TEE architectures, TEEtime is the first TEE architecture that allows isolated execution domains to gain protected and direct access to peripherals. TEEtime is based on Armv8-A and achieves peripheral isolation using a novel mechanism based on memory and General Interrupt Controller (GIC) protection. We demonstrate the feasibility of our design by implementing a prototype of TEEtime, and by running exemplary sensitive applications on top of our prototype.