Having a secure mobile device is of utmost importance in our society. It seems that Google feels the same. Google announced the Android Ready SE Alliance on March 25 in order to accelerate the adoption of new security protocols.
In 2018 Google launched its Pixel 3 which is a solid device. The Pixel 3 has amazing cameras like other Pixel devices. But the Pixel 3 is the first to come with the Titan M hardware enclave. The Titan M is a tamper-resistant piece of hardware that exists to keep users’ information safe and secure.
The Titan M is the root-of-trust for all Pixels software and firmware, and it enables tamper-resistant key storage for Android Apps using StrongBox. StrongBox is an implementation of the Keymaster HAL that resides in a hardware security module.
This important security enhancement for Android devices paves the way for Google and other OEMs to consider features that were not possible before. StrongBox and tamper-resistant hardware, in general, are becoming important requirements for emerging user features.
These features include digital keys(car, home, office), mobile driver’s license(mDL). National ID, ePassports, and eMoney solutions. All these features run on tamper-resistant hardware to protect the integrity of application executables.
Now currently modern phones almost all include discrete tamper-resistant hardware known as Secure Element. The SE will be an important piece of hardware when it comes to bringing these features to Android.
Android Ready SE Alliance aims to make Android easier to secure
This is where the Android Ready SE Alliance comes in. The alliance will help to accelerate the adoption of the new Android use cases. Vendors apart of the alliance will work with Google to create a set of “open-source, validated, and ready-to-use SE Applets”.
One such applet is the General Availability (GA) version of StrongBox for SE. OEMs who are apart of the alliance can now take advantage of the new applet which is ready to use. The applet is currently available from Giesecke+Devrient, Kigen, NXP, STMicroelectronics, and Thales.
In addition to Android phones and tablets, there are other platforms that will benefit from StrongBox. These other platforms include WearOS, Android Auto Embedded, and Android TV.
In order to use Android Ready SE OEMs must first pick the appropriate, validated hardware part from their SE vendor. Secondly, they must enable SE to be initialized from the bootloader and provision the root-of-trust (RoT) parameters through the SPI interface or cryptographic binding.
Next, the OEM must work with Google to provision Attestation Keys/Certificates in the SE factory. After that, the GA version of the StrongBox for the SE applet must be adapted to the OEM’s specific SE. Then, the OEM must integrate HAL code.
Then, they must enable an SE upgrade mechanism. Lastly, the OEM must run CTS/VTS tests for StrongBox to verify that the integration is done correctly. Google says they are working with their ecosystem to prioritize and deliver other applets.
These other applets will correspond with future Android feature releases such as mobile driver’s license and identity credentials and digital car keys. Several Android OEMs are on board to adopt Android Ready SE. It looks as if Google is getting serious about hardware privacy features.