Google Boosts Android Security with Protected Confirmation
23.10.2018 securityweek
Android

Google further improved the security of Android with the inclusion of a new API in the latest operating system release.

Called Protected Confirmation, the API would take advantage of a hardware-protected user interface (Trusted UI) to perform critical transactions. When an application uses the API, the user is presented with a prompt, asking them to confirm the transaction.

After user confirmation is received, the information is cryptographically authenticated, meaning that Protected Confirmation can better secure the transaction. The Trusted UI, which is in control, keeps the data safe from fraudulent apps or a compromised operating system.

The API, Google says, can also be used to boost the security of other forms of secondary authentication, such as a one-time password or a transaction authentication number (TAN), mechanisms that fail to provide protection if the device has been compromised.

With Protected Confirmation, the confirmation message is digitally signed but, because the signing key only resides in the Trusted UI’s hardware sandbox, it is not possible for malicious apps or compromised operating systems to trick the user into authorizing anything. The signing keys are created using the AndroidKeyStore API.

“Before it can start using Android Protected Confirmation for end-to-end secure transactions, the app must enroll the public KeyStore key and its Keystore Attestation certificate with the remote relying party. The attestation certificate certifies that the key can only be used to sign Protected Confirmations,” Janis Danisevskis, Information Security Engineer, Android Security, explains.

Android Protected Confirmation, Danisevskis says, makes many other use cases possible as well, such as person-to-person money transfers (e.g. Royal Bank of Canada), authentication (e.g. Duo Security, Nok Nok Labs, and ProxToMe), and medical device control (e.g. Insulet Corporation and Bigfoot Biomedical).

Insulet, a manufacturer of tubeless patch insulin pumps, has already showed how they can modify an insulin management system to leverage Protected Confirmation to confirm the amount of insulin to be injected. This should improve quality of life and reduce cost, given that a person with diabetes would be able to use their smartphone instead of a secondary device for control.

“We've been working with FDA as part of DTMoSt, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulin pumps. A technology like Protected Confirmation plays an important role in gaining higher assurance of user intent and medical safety,” Danisevskis continues.

An optional feature in Android, Protected Confirmation has low-level hardware dependencies. Google Pixel 3 and 3XL are the first smartphones to support the API, but the feature may not be integrated into devices from other manufacturers.