Mobile OSes and applications form a large, complex and vulnerability-prone software stack. In such an environment, security techniques to strongly protect sensitive data in mobile devices are important and challenging. To address such challenges, we introduce the concept of the trusted data vault, a small trusted engine that securely manages the storage and usage of sensitive data in an untrusted mobile device. In this paper, we design and build DroidVault, the first realization of a trusted data vault on the Android platform. DroidVault establishes a secure channel between data owners and data users while allowing data owners to enforce strong control over the sensitive data with a minimal trusted computing base (TCB). We prototype DroidVault via the novel use of hardware security features of ARM processors, i.e., TrustZone. Our evaluation demonstrates its functionality for processing sensitive data and its practicality for adoption in the real world.