Hybrid integration of software development kit with secure execution environment

1 - 20 . (canceled) 21 . A portable communication device comprising: one or more processor circuits; and one or more memory units coupled to the one or more processor circuits and storing computer readable code implementing a secure application in a trusted execution environment, which when executed by the one or more processor circuits, performs operations including: receiving, by the secure application from a mobile application executing in an application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being a token or a cryptogram generation key, the first storage request including a first encrypted data type identifier and first encrypted sensitive data; decrypting, by the secure application, the first encrypted data type identifier and the first encrypted sensitive data using a transport key; determining, by the secure application, whether the first decrypted data type identifier indicates that the first sensitive data is a token or a cryptogram generation key; re-encrypting, by the secure application based on the first decrypted data type identifier, the first sensitive data using a key to generate re-encrypted first sensitive data; and storing the re-encrypted first sensitive data outside the trusted execution environment. 22 . The portable communication device of claim 21 , wherein the first sensitive data is the token, wherein the first decrypted data type identifier indicates that the first sensitive data is the token, wherein the key is a token-storage key, and wherein the operations further include: receiving, by the secure application from the mobile application, a second storage request, the second storage request including a second encrypted data type identifier and second encrypted sensitive data; decrypting, by the secure application, the second encrypted data type identifier and the second encrypted sensitive data using the transport key; determining, by the secure application, that the second decrypted data type identifier indicates the second sensitive data to store is a token; re-encrypting, by the secure application, the second sensitive data using the token-storage key to generate a re-encrypted token; and storing the re-encrypted token outside the trusted execution environment. 23 . The portable communication device of claim 21 , wherein the first sensitive data is the cryptogram generation key, wherein the first decrypted data type identifier indicates that the first sensitive data is the cryptogram generation key, wherein the key is a key-storage key, and wherein the operations further include: receiving, by the secure application from the mobile application, a cryptogram generation request to generate a transaction cryptogram, the cryptogram generation request including the re-encrypted first sensitive data and transaction data; decrypting, by the secure application, the re-encrypted first sensitive data using the key-storage key; encrypting, by the secure application, the transaction data using the cryptogram generation key to generate the transaction cryptogram; and sending, by the secure application to the mobile application, the generated transaction cryptogram. 24 . The portable communication device of claim 23 , wherein the transaction data is received by the mobile application from an access device, and the mobile application transmits the generated transaction cryptogram to the access device to conduct a transaction. 25 . The portable communication device of claim 23 , wherein the cryptogram generation key is a limited-use key. 26 . The portable communication device of claim 25 , wherein the operations further include: receiving, by the secure application from the mobile application, a key replenishment request, the key replenishment request including the re-encrypted cryptogram generation key and a transaction verification log; decrypting, by the secure application, the re-encrypted cryptogram generation key using the key-storage key; generating, by the secure application, a hash value computed over at least the transaction verification log using the decrypted cryptogram generation key; and sending, by the secure application to the mobile application, the hash value. 27 . The portable communication device of claim 26 , wherein the mobile application sends the hash value to a server to request a new limited-use key. 28 . The portable communication device of claim 21 , wherein the first sensitive data is the token, wherein the first decrypted data type identifier indicates that the first sensitive data is the token, wherein the key is a token-storage key, and wherein the operations further include: receiving, by the secure application from the mobile application, a request to retrieve the token, the request including the re-encrypted first sensitive data; decrypting, by the secure application, the re-encrypted first sensitive data using the token-storage key; and sending, by the secure application to the mobile application, the token. 29 . The portable communication device of claim 21 , wherein the first encrypted sensitive data is received by the mobile application from a server, and the first encrypted sensitive data is signed by the server, and wherein the operations further include: verifying, by the secure application, that the first encrypted sensitive data was signed by the server using a certificate associated with the server. 30 . A method for managing sensitive data in a portable communication device having a mobile application executing in an application execution environment and a secure application executing in a trusted execution environment, the method comprising: receiving, by the secure application from the mobile application executing in the application execution environment of the portable communication device, a first storage request to store first sensitive data, the first sensitive data being a token or a cryptogram generation key, the first storage request including a first encrypted data type identifier and first encrypted sensitive data; decrypting, by the secure application, the first encrypted data type identifier and the first encrypted sensitive data using a transport key; determining, by the secure application, whether the first decrypted data type identifier indicates that the first sensitive data is a token or a cryptogram generation key; re-encrypting, by the secure application based on the first decrypted data type identifier, the first sensitive data using a key to generate re-encrypted first sensitive data; and storing the re-encrypted first sensitive data outside the trusted execution environment. 31 . The method of claim 30 , wherein the first sensitive data is the token, wherein the first decrypted data type identifier indicates that the first sensitive data is the token, wherein the key is a token-storage key, the method further comprising: receiving, by the secure application from the mobile application, a second storage request, the second storage request including a second encrypted data type identifier and second encrypted sensitive data; decrypting, by the secure application, the second encrypted data type identifier and the second encrypted sensitive data using the transport key; determining, by the secure application, that the second decrypted data type identifier indicates the second sensitive data to store is a token; re-encrypting, by the secure application, the second sensitive data using the token-storage key to generate a re-encrypted token; and storing the re-encrypted token outside the trusted execution environment. 32 . The me