Creating a Strong Foundation for Mobile Security with the Mobile TPM

Date Published: January, 01, 2015

The British newspaper The Telegraph recently reported that the three biggest issues for mobile security are data loss, theft, malware and unsecured networks – no big surprise there for those of us in the industry.

Business and trade publications likewise have been awash with news of recent data breaches and malware. RiskIQ’s recent study found that “…the number of malicious apps on the Google Play store increased by 388 percent from 2011 to 2013…”.

We might be preaching to the choir, but mobile device security clearly is of the utmost urgency. With more companies allowing BYOD of phones, tablets and laptops, enterprises will need to look beyond traditionally reactive security measures.

TCG has long advocated a more proactive security approach: the root of trust. By creating a strong foundation, security can be layered and deployed with confidence.

Now until June 3, TCG has opened for public review a new specification for a mobile root of trust, the TPM 2.0 Mobile Reference Architecture Specification.

This specification offers developers and others in the mobile development and infrastructure industries the opportunity to review and provide feedback for an updated approach to deploying a root of trust in mobile phones or similar mobile devices.

The Reference Architecture specification describes the security-related architectural components of a contemporary mobile device, with the focus being on features implemented in hardware or closely related to hardware. The specification describes mobile device boot sequences, defines requirements for a TPM Mobile implementation (including Roots of Trust requirements) in a Protected Execution Environment, and defines requirements that the Protected Environment must meet to host a TPM Mobile, with three example implementation models of the Protected Environment described in informative annexes.

Use cases for a trusted mobile platform with a foundation of trust include secure transactions, secure software downloads and updates, secure authentication and more. More info on use cases can be found at

TCG also has released a complementary spec for public review. The TPM 2.0 Mobile Command Response Buffer Interface Specification defines an interface between a TPM 2.0 and software. Software interacting with the TPM often directs commands through a TPM driver, whereby the TPM driver performs the actual interface access. With the CRB interface it is possible to write such a driver for a discrete TPM as a discrete component on a peripheral bus or a TPM in an execution mode in a Protected Environment. It can be seen here at:

If you are interested in mobile security, please go to our mobile developers page and see both specs and additional information:


Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.

Join Now

Trusted Computing

Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.

Read more


Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.

Read More