Ensuring the authenticity and fidelity of captured photos using trusted execution and mobile application licensing capabilities

Abstract

Mobile devices, which users habitually carry along, have become the main data gateway for the majority of the online services. Any device is able to collect at any time various types of data through its sensors. At the same time, modern identification techniques ask users to send photos of their ID documentation in order to be verified by an online service. Those photos are captured by the device's camera and are considered extremely sensitive. They must be secured and establish that they will not be modified. This paper describes a security framework that preserves the authenticity of a captured photo and ensures that it remains intact while transferred to a remote server. The key insight is to use a background service that is tied to the photo-capturing application and uses secure key storing and cryptographic computation capabilities offered by the Trusted Execution Environment (TEE) of commodity Android devices. At the same time, we leverage Playstore's Licencing Verification Library (LVL) to remotely attest the authenticity of the photo-capturing application at registration time. We have implemented our framework as an Android application on a Nexus 5X, which is powered by a Qualcomm processor with ARM TrustZone Technology. The evaluation of our prototype implementation demonstrates the efficacy of the proposed framework in terms of performance overhead and usability.