With rapid growth of mobile devices and the emergency of mobile cloud services, it is a trend to use mobile devices for mobile-centric applications, and expand the mobile capabilities and provide needed security by mobile cloud services. However, due to the mobility of the device and the semitrust of the mobile cloud, how to build trust in the mobile applications is a big concern. In this paper, we propose a dual-root trust online transaction model that provides a dual-root trust model including both the user's mobile device and a delegation mobile cloud. We design a dual-root trust protocol by leveraging a modified CP-ABE cryptography and the trust execution environment embedded in a mobile device to provide device-specific transaction confirmations for online transactions initiated by the mobile user. The performance evaluation of the protocol demonstrates that it is a lightweight scheme for mobile devices since most cryptographic functions are delegated from users to the mobile cloud.