The AOSP biometic guidelines state that for class 2/3 biometrics: > Biometric acquisition, enrollment, and recognition must occur inside > the secure isolated environment to prevent data breaches and other > attacks I can see this being feasible for fingerprint-based biometrics. But I'm quite surprised that the entire process of facial-recognition on for example, a Samsung smartphone is all happening inside the TEE. That would presumably mean image capture, detection of features, preprocessing, biometric template generation has all been ported to what I'm assuming is a resource-constrained environment, yet it typically runs within a fraction of a second. I'm wondering if anyone can shed some light on this niche area and confirm whether all the processes in the pipeline occur in a TEE, or whether there is in fact a hybrid system wherein some image processing is happening outside of the TEE.

I learned that on modern mobile phones, the Android Keystore is protected using the TEE (Trusted Execution Environment), and even if you gain root access to the device, the files in the keystore located in /data/misc/keystore are useless as they are encrypted, and even the "owner" app using the keypairs are unable to access the private key material to display/export/modify it. This all makes sense. My question is: What is happening in an emulator like the one coming with Android Studio (Virtual Device Manager)? I am running an x86 Android 8.1 Oreo (API 27) there. Who's protecting the keystore, as there is no TEE present? Are the keys located in /data/misc/keystore encrypted too, or are these the real certificates and keypairs?

TPM is physically *isolated* from the rest of the system (i.e. it is a standalone chip on the mainboard), while TEE is a *secure area* of the main CPU. The key function of both TPM and TEE is to do cryptographic calculations, but can they also **store** credentials/keys used in these calculations? I know SE (Secure Element - also a standalone chip) is used exactly for storage purposes, but only 30% of modern smartphones have SE integrated (and mostly expensive models). So how is the credential **storage** task solved in TPM/TEE scenarios? Thank you!

If I uninstall apps/services on an unrooted Android device via the ADB shell (e.g. by doing pm uninstall), where is this information stored? Note that I'm not referring to settings within individual apps, but to their installation state. I've read that uninstalling apps without root privileges will only remove those apps from normal user space through modifications to a configuration file (/data/system/packages.xml), but the app files physically remain on the device to allow reinstallation. If this is true, is packages.xml encrypted (being located in the encrypted /data folder) or can its contents be modified even without root access? Motivation: Access to /data seems to require root privileges. If you soft-brick an unrooted Android device by accidentally uninstalling critical system apps (and hence modifying packages.xml) resulting in a boot loop, is there any practical way of restoring packages.xml to its stock configuration? Examples may include Samsung Knox or TEEGRIS services. *UPDATE:* To clarify, the goal is not to wipe the device as suggested in the comments (this can be done any time from the recovery mode menu), but to find out whether or not the boot loop is caused by a **persistent** misconfiguration of a file residing in a secured area (persistent meaning that it cannot be reset by flashing e.g. the HOME_CSC firmware file without wiping the entire device and losing all data). Also, the device is *not* rooted. *NOTE:* There is an interesting comment below the answer to https://android.stackexchange.com/questions/150067/can-system-apps-be-enabled-disabled-directly-from-the-filesystem : ***"It is also safe to simply remove the package-restrictions.xml file — a new 'clean' file will be recreated on next reboot."** – ccpizza Oct 3, 2021 at 16:43* As far as I understand, Android 9.0 switched from Full-Disk Encryption (FDE) to File-Based Encryption (FBE), which means that encryption is done on a file-by-file basis by default. Is it possible to delete package-restrictions.xml (instead of modifying its content in order to restore individual app settings) from an unrooted device?

There seems to be confusion regarding the behavior of pm uninstall from the ADB shell, see also here and here . **Question:** What configuration files does pm uninstall write to, is it /data/system/packages.xml, /data/system/users/0/package-restrictions.xml or both? Are there any additional files? Note: This questions specifically concerns the behavior of pm uninstall, not pm disable. Furthermore, it concerns the behavior on *unrooted* devices. Motivation: Uninstalling the wrong apps doing pm uninstall can result in a soft-brick/boot loop. Therefore, reversing the effects of pm uninstall can be the easiest way out of such problem, especially if other methods risk wiping data that needs to be rescued.

I am new to Trusty TEE OS. Is there any way to find out if an Android Device uses such an OS without rooting the device ? AFAIK there, DRM (Digital Rights Management) is the most widely used application of Trusty OS. Some examples for DRM frameworks are Widevine/PlayReady/ClearKey. Does it mean that if any of these frameworks are present in the Android device, it is safe to assume that there is an underlying Trusty TEE OS in use ? Thanks

I have gone through questions One and Two . But still I have an additional question. How do we find out that an android application uses Trusted Execution Environment (TEE) and Secure Element (SE). Particularly a hardware backed environment. Thanks