Companies such as Google and Apple promote hardware-backed key attestation as a security measure for protecting mobile apps and APIs. With this approach, cryptographic keys are generated, stored and used inside secure hardware, such as a Trusted Execution Environment (TEE) or a Secure Element (SE) on the device, or a hardware security module (HSM) on the server side, and the hardware issues a signed attestation statement that a remote party can check to confirm where the key lives and which device and app is presenting it. In this post we look at the limitations of the approach, why it must never be relied on as the only control, and why, wherever it is used, the attestation must always be verified off the device, on a server the attacker does not control.
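To make the off-device point concrete, the following is an added example written for this post; it is not Approov's code and it does not use the real Android or Apple attestation formats. A hypothetical X.509 extension (OID 1.3.6.1.4.1.99999.1, an assumption for illustration) carries a server-issued challenge, and the chain is shortened to vendor root plus device leaf. The server, not the device, does all the checking: it pins the vendor root, issues a fresh challenge per attestation, verifies that the leaf chains to that root, and consumes the challenge so a captured attestation cannot be replayed. The `main` function also shows a rooted device presenting a chain to its own root, which the server rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical extension OID carrying the server's challenge: a stand-in for this
// example, not the real Android or Apple attestation extension.
var challengeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// Verifier is the server side: it pins the vendor root and remembers issued
// challenges, so an attestation is accepted once and only for vouched-for hardware.
type Verifier struct {
	roots   *x509.CertPool
	pending map[string]bool
}

func NewVerifier(vendorRoot *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(vendorRoot)
	return &Verifier{roots: pool, pending: map[string]bool{}}
}

// Challenge issues a fresh nonce the device must bind into its attestation.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	v.pending[string(n)] = true
	return n
}

// Verify runs only on the server: the leaf must chain to the pinned vendor root and
// carry a challenge this server issued; the challenge is consumed to block replay.
func (v *Verifier) Verify(leaf *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain does not reach a trusted vendor root: %w", err)
	}
	for _, ext := range leaf.Extensions {
		if !ext.Id.Equal(challengeOID) {
			continue
		}
		if !v.pending[string(ext.Value)] {
			return fmt.Errorf("challenge unknown or already used (replay?)")
		}
		delete(v.pending, string(ext.Value))
		return nil
	}
	return fmt.Errorf("attestation carries no challenge")
}

// newCA mints a self-signed CA: the vendor root, or a root an attacker controls.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Attest simulates the device: a key pair is generated "in hardware" and a leaf
// certificate for it, embedding the challenge, is signed by the attestation key
// (here the root key directly; real chains have intermediates).
func Attest(root *x509.Certificate, rootKey *ecdsa.PrivateKey, challenge []byte) *x509.Certificate {
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "app key"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: challengeOID, Value: challenge}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, root, &devKey.PublicKey, rootKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	root, key := newCA("Vendor Attestation Root")
	v := NewVerifier(root)
	leaf := Attest(root, key, v.Challenge())
	fmt.Println("genuine device:", v.Verify(leaf))
	fmt.Println("replayed attestation:", v.Verify(leaf))
	fakeRoot, fakeKey := newCA("Attacker Root")
	fmt.Println("forged chain:", v.Verify(Attest(fakeRoot, fakeKey, v.Challenge())))
}
```

Nothing in this flow asks the app whether it considers itself attested: a check that runs on the device is just another branch an attacker with root can patch out, whereas the server's pinned root and challenge bookkeeping are out of their reach. Note also what the server still does not learn from a valid chain: that the app binary presenting the key is unmodified, or that the request is coming from the app at all rather than a script holding a genuine hardware key, which is why the page argues attestation cannot be the only control.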
Approov is a Scotland-based SaaS platform that offers solutions such as mobile app protection and API security for sectors including finance and healthcare.