This work addresses the challenge of dynamically analyzing trusted applications (TAs) on mobile devices, which is hindered by their closed-source nature and ecosystem fragmentation, impeding effective vulnerability discovery. To overcome this, the authors propose a cross-TEE dynamic analysis framework grounded in GlobalPlatform API standardization. By intercepting execution at the API layer and employing a “greedy high-level emulation” strategy that prioritizes non-standard interfaces offering the highest fuzzing utility, the framework enables retargetable dynamic fuzzing and debugging of TAs across multiple vendors. The approach successfully emulates 67 TAs across four major TEE implementations and uncovers 17 zero-day vulnerabilities in 11 of them, demonstrating its effectiveness and practicality in real-world scenarios.

Mobile devices rely on Trusted Execution Environments (TEEs) to execute security-critical code and protect sensitive assets. This security-critical code is modularized in components known as Trusted Applications (TAs). Vulnerabilities in TAs can compromise the TEE and, thus, the entire system. However, the closed-source nature and fragmentation of mobile TEEs severely hinder dynamic analysis of TAs, limiting testing efforts to mostly static analyses. This paper presents T\"AMU, a rehosting platform enabling dynamic analysis of TAs, specifically fuzzing and debugging, by interposing their execution at the API layer. To scale to many TAs across different TEEs, T\"AMU leverages the standardization of TEE APIs, driven by the GlobalPlatform specifications. For the remaining TEE-specific APIs not shared across different TEEs, T\"AMU introduces the notion of greedy high-level emulation, a technique that allows prioritizing manual rehosting efforts based on the potential coverage gain during fuzzing. We implement T\"AMU and use it to emulate 67 TAs across four TEEs. Our fuzzing campaigns yielded 17 zero-day vulnerabilities across 11 TAs. These results indicate a deficit of dynamic analysis capabilities across the TEE ecosystem, where not even vendors with source code unlocked these capabilities for themselves. T\"AMU promises to close this gap by bringing effective and practical dynamic analysis to the mobile TEE domain.