Secure elements (SE) on Android and the Secure Enclave on iOS have emerged as trusted hardware-backed solutions for storing and protecting sensitive information, such as cryptographic keys. They are often touted as tamper-resistant, isolated, and secure environments carrying the highest certification levels (e.g., AVA_VAN.5 vulnerability-analysis assurance under Common Criteria). However, while the hardware itself is robust, the software layers above it (the OS keystore/keychain services and the app code that calls them) are where significant weaknesses appear: a key that never leaves the chip can still be misused if the code requesting its use is compromised.
This blog post highlights the risks of relying solely on SEs or the Secure Enclave, including hooking attacks, emulation of the hardware-backed API, and the implications of jailbroken or rooted devices. We also explore how these software-level weaknesses can undermine hardware-backed security.