Android System Securing, Hardening, & Privacy

Side-Channel Attacks on Android TEE: Extracting Cryptographic Keys

By Antigravity Research Published May 29, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android TEE and Cryptographic Security

The Android Trusted Execution Environment (TEE) stands as a foundational pillar in the device’s security architecture, designed to protect sensitive operations and data from the rich execution environment (REE), where the main Android OS runs. Built upon technologies like ARM TrustZone, the TEE creates an isolated, hardware-backed environment for executing trusted applications (TAs) that handle critical tasks such as secure boot, DRM, biometric authentication, and, crucially, cryptographic key management. Keys generated or stored within the TEE are theoretically inaccessible to malware or even a compromised Android kernel, offering a high level of assurance for sensitive operations.

However, no security mechanism is entirely impregnable. While the TEE effectively mitigates software-based attacks from the REE, it remains potentially vulnerable to hardware-level or physical attacks. Among these, side-channel attacks (SCAs) represent a significant threat, as they do not attempt to bypass logical security controls but rather exploit unintentional information leakage during cryptographic computations.

Understanding Side-Channel Attacks

Side-channel attacks leverage information inadvertently leaked by a physical implementation of a cryptosystem. Unlike traditional cryptanalysis that targets mathematical weaknesses of algorithms or brute-force attacks that try all possible keys, SCAs analyze physical manifestations of computations. These manifestations, known as side channels, include:

  • Timing Analysis: Measuring the precise time taken for operations.
  • Power Analysis: Analyzing variations in power consumption during operations.
  • Electromagnetic (EM) Analysis: Detecting electromagnetic radiation emitted by the device.
  • Acoustic Analysis: Listening to subtle sounds produced by components.

For TEEs, SCAs are particularly insidious because they target the physical execution of trusted applications rather than their logical vulnerabilities. Even if the TEE’s code is perfectly secure from a software perspective, its physical manifestation on the silicon can leak exploitable information, potentially allowing an attacker to derive cryptographic keys or sensitive data.

Targeting Cryptographic Operations in TEEs

Cryptographic algorithms, by their very nature, involve complex computations that manipulate sensitive data, including secret keys. When these computations are performed, they generate physical side-channel leakages. For example, during an AES encryption, the power consumption of the processor fluctuates based on the data being processed and the operations being performed (e.g., S-box lookups, XORs). These fluctuations are often correlated with intermediate values derived from the secret key.

A well-known leakage model in power analysis is the Hamming weight or Hamming distance model. The Hamming weight of a binary number is the count of ‘1’s in its representation. The power consumed by a digital circuit often correlates with the number of bits toggling (Hamming distance) or the number of bits set to ‘1’ (Hamming weight) during a computation. Attackers exploit this by profiling the device’s power consumption while it processes known inputs with a secret key. By correlating these power traces with hypothetical intermediate values computed using guessed key bytes, an attacker can identify the correct key.

Practical Scenario: Power Analysis on a TEE-Protected AES Operation

Let’s consider a conceptual scenario where an attacker attempts to extract an AES key protected within an Android TEE using Differential Power Analysis (DPA) or Correlation Power Analysis (CPA). This example simplifies real-world complexity for illustrative purposes.

Attack Setup

  • Target Device: An Android smartphone with a TEE.
  • Measurement Hardware: A high-bandwidth oscilloscope, a low-noise amplifier, and a current probe or shunt resistor to tap into the device’s power supply line (e.g., VDD_CORE for the SoC).
  • Software Access: The attacker needs the ability to repeatedly trigger a TEE-protected AES encryption or decryption operation with chosen plaintexts or ciphertexts. This might involve exploiting a vulnerability in a less-secure trusted application or using a debug interface.
  • Triggering Mechanism: A trigger signal (e.g., GPIO or a specific software event) synchronized with the start of the cryptographic operation to align power traces accurately.

Data Acquisition

The attacker would repeatedly invoke the TEE’s AES function with a large number of known plaintexts (e.g., 1,000 to 100,000 encryptions). For each encryption, a power trace (a waveform representing power consumption over time) is recorded. The goal is to collect enough traces to average out random noise and reveal the systematic leakage related to the key-dependent computations.

# Conceptual command to trigger a TEE-protected AES encryption via ADB shell adb shell /data/local/tmp/tee_crypto_client encrypt -p "00112233445566778899AABBCCDDEEFF" -i 10000 -o /data/local/tmp/traces # This would represent triggering the TA multiple times. # In a real attack, the client would need to communicate with the TA and the traces # would be captured by external hardware.

Data Analysis: Correlation Power Analysis (CPA)

CPA involves correlating hypothetical power models with the actual measured power traces. The typical steps for recovering a single byte of an AES-128 key (e.g., the first byte of the first round key) are:

  1. Target an Intermediate Value: Identify an intermediate value in the AES algorithm that depends on a small part of the secret key (e.g., one byte) and the known plaintext, and is expected to leak information. A common target is the output of the first S-box operation in the first round of AES. For example, for the first byte of the input to the S-box, it’s `plaintext[0] XOR key[0]`.
  2. Hypothesize Power Consumption: For each possible value of the target key byte (0-255), and for each collected power trace, calculate the hypothetical intermediate value (e.g., the S-box output). Then, apply a leakage model (e.g., Hamming weight of the S-box output) to predict the power consumption.
  3. Calculate Correlation: For each key byte guess, compute the Pearson correlation coefficient between the array of hypothetical power consumptions (for all plaintexts) and the actual power traces (at the specific time point where the S-box operation is expected to occur).
  4. Identify the Correct Key Byte: The key byte guess that yields the highest correlation coefficient is the most likely candidate for the actual key byte.
import numpy as np from scipy.stats import pearsonr from cryptography.hazmat.primitives.ciphers.algorithms import AES # Simplified S-box lookup (actual AES S-box is larger) aes_sbox = [ # ... 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, # ... full S-box ] # Assume 'power_traces' is a numpy array (num_traces, trace_length) # Assume 'plaintexts' is a numpy array (num_traces, 16) - each row is a plaintext def calculate_hamming_weight(byte_val): return bin(byte_val).count('1') # Target the first byte of the AES key (key_byte_index = 0) # And the first byte of the plaintext (plaintext_byte_index = 0) # Assuming the S-box operation occurs around a certain 'time_point_of_interest' # This time_point_of_interest would be found by analyzing power traces. time_point_of_interest = 120 # Example index best_key_byte_guess = -1 max_correlation = -1.0 # Iterate through all possible values for the key byte for guess_key_byte in range(256): hypothetical_leakages = np.zeros(len(power_traces)) # For each trace, compute the hypothetical S-box output and its Hamming weight for i in range(len(power_traces)): current_plaintext_byte = plaintexts[i][plaintext_byte_index] intermediate_sbox_input = current_plaintext_byte ^ guess_key_byte sbox_output = aes_sbox[intermediate_sbox_input] hypothetical_leakages[i] = calculate_hamming_weight(sbox_output) # Calculate Pearson correlation between hypothetical and actual power at time_point correlation_coefficient, _ = pearsonr(hypothetical_leakages, power_traces[:, time_point_of_interest]) if abs(correlation_coefficient) > abs(max_correlation): max_correlation = correlation_coefficient best_key_byte_guess = guess_key_byte print(f

        
        
        

            

                
            

            

                
Android Mobile Specs & Compare Directory

                
Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

                Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #Cryptographic Keys #Power Analysis #Side-Channel Attack #TEE

Related Technical Guides

Understanding StrongBox Cryptographic Primitives: Behind the Scenes of Hardware-Backed Key Operations

May 29, 2026

Building Your Own Sandbox: Automating Android Malware Analysis with Cuckoo Droid Customization

May 30, 2026

TrustZone Privilege Escalation: Exploiting Secure World Flaws for Android Root Access

May 29, 2026