Prior assumptions about Trusted Execution Environment (TEE) application distribution and security maturity lack empirical validation, particularly for IoT security and AI model protection. Method: We conduct the first large-scale empirical study of 241 open-source TEE applications—spanning Intel SGX and ARM TrustZone—employing a hybrid approach combining manual code review with customized static analysis to assess SDK usage patterns, cryptographic implementations, and input validation practices. Contribution/Results: Our analysis reveals that 32.4% of projects redundantly reimplement cryptographic logic, 25.3% embed hardcoded cryptographic keys—a critical vulnerability—and 61 applications exhibit severe security flaws. Notably, 30% of applications target IoT security and 12% focus on AI model protection, exposing significant gaps between real-world deployment scenarios and prior academic assumptions. These findings fundamentally challenge existing perceptions of TEE adoption and security readiness, providing rigorous, evidence-based guidance for improving TEE SDK usability and developer support tooling.

Trusted Execution Environments (TEEs), such as Intel SGX and ARM TrustZone, provide isolated regions of CPU and memory for secure computation and are increasingly used to protect sensitive data and code across diverse application domains. However, little is known about how developers actually use TEEs in practice. This paper presents the first large-scale empirical study of real-world TEE applications. We collected and analyzed 241 open-source projects from GitHub that utilize the two most widely-adopted TEEs, Intel SGX and ARM TrustZone. By combining manual inspection with customized static analysis scripts, we examined their adoption contexts, usage patterns, and development practices across three phases. First, we categorized the projects into 8 application domains and identified trends in TEE adoption over time. We found that the dominant use case is IoT device security (30%), which contrasts sharply with prior academic focus on blockchain and cryptographic systems (7%), while AI model protection (12%) is rapidly emerging as a growing domain. Second, we analyzed how TEEs are integrated into software and observed that 32.4% of the projects reimplement cryptographic functionalities instead of using official SDK APIs, suggesting that current SDKs may have limited usability and portability to meet developers' practical needs. Third, we examined security practices through manual inspection and found that 25.3% (61 of 241) of the projects exhibit insecure coding behaviors when using TEEs, such as hardcoded secrets and missing input validation, which undermine their intended security guarantees. Our findings have important implications for improving the usability of TEE SDKs and supporting developers in trusted software development.