The Mission to Secure Android Devices

placeholder

Year by year, iteration by iteration, our smartphones become more capable, more complex and more essential for the commonplace ease of smart-world living. We trust it with our money in the smart wallet, our identities in smart travel cards, our cars and homes with smart keys, our medical records with health cards and the list continues to grow. The ongoing digitization of our lives makes our smartphone a key ally in our busy lives, which makes it even more important that we can trust it with our digital selves.

From TEE Implementation to Secure Elements

Today we see increasingly secure ways used by mobile OEMs to ensure protection of sensitive data. A trusted execution environment (TEE) is a relatively secure area of a main processor that runs its own OS. It is common that the biometric sensors of the phone (e.g., the fingerprint scanner) are directly connected to the TEE, meaning that the end user’s biometric data lives only within the TEE and never in the Android OS.

A secure element (SE) goes one step further: it is a separate microchip, with its own CPU, storage, RAM, etc. which is designed specifically for security-relevant use cases. SEs are resistant to a wider variety of attacks, both logical and physical, such as side-channel attacks. HW security along with factory provisioning of trusted keys and certificates will help establish a strong root of trust (RoT) and enable strong device attestation. Only secure elements (silicon-based) have Common Criteria certification, no other software or basic hardware solution has achieved this security level. Consequently, implementing a Secure Element into a mobile phone has become a common practice.

Digital Car Keys of the Future Already Mandate Use of SE

The Car Connectivity Consortium (CCC)  mandates in its Digital Key Release 2.0 specification the need for mobile devices to create and store the Digital Keys in Secure Elements (HW Security) that provide the highest level of protection against hardware or software-based attacks. The architecture based on emulating the key in the SE is designed to allow vehicle owners to access their vehicles without Internet connectivity or when in low battery mode, while also giving vehicle manufacturers the ability to add specialized features that require Internet connectivity.

Google Fosters a World Where Android Devices Benefit From Secure Services

While many flagship phones already have SE integrated, for a long time there was no standardized framework offering a consistent, secure user experience across devices. Therefore, Google established the Android Ready SE Alliance,  a group of SE vendors partnering with Google to create a set of open-source, validated and ready-to-use SE Applets based on the general availability (GA) version of StrongBox, Google’s hardware-backed Keystore for the SE. NXP is a proud member of the Alliance, working with Google to enable Android phones, tablets and wearables to support digital car keys, GPay for E-money, identity credentials and more.

Together with Google, NXP has created a tamper-resistant hardware security module that OEMs can design in as an “Android Ready SE” to secure critical assets and protect user’s privacy on an Android device. Next to secure storage of digital keys, identities and driver’s license (including the CCC’s Digital Key Release 2.0), an Android Ready SE  will enable continued support and updates to be provided securely as the Android ecosystem evolves.

Implementing NXP’s silicon-based security solutions into Android StrongBox creates a highly protected, self-contained environment for staging and executing various types of services and authentication tasks.

Charles Dachs, GM and VP of Secure Embedded Transactions

Creating an Out-of-the-Box Experience

OEMs that adopt Android Ready SE for their devices will be able to add StrongBox and its benefits to upcoming iterations of their devices. Only those devices with StrongBox will be able to offer certain security-sensitive features such as digital car Keys or e-money solutions that use NXP’s MIFARE DESFIRE.

Additionally, HW security is not limited to contactless transactions but are extremely useful to secure applications and protect data at large. Google, Android OEMs, SE solution providers, along with the service providers, are working in tandem to bring new identity services to their upcoming generation of handsets.

To learn more about mWallet 2GO, please visit here.


Tags: Mobile, Wearables

Author

Gregor Klezin

Gregor Klezin

Director for Global Mobile Payment Solutions, NXP Semiconductors

Gregor Klezin is Director for Secure NFC and UWB Services & Solutions at NXP. He brings more than 19 years of experience in mobile payments, digital wallets, mobile transit, contactless technologies like MIFARE, NFC and UWB as well as secure cloud services. He is strongly focused on building global solutions, services and alliances within the mobile ecosystem by working closely with device manufacturers (mobile phones, wearables, computing, etc.), public transport operators, payment networks, service providers and solution providers.