Android P will offer a new feature called Android Protected Confirmation, which is designed to strengthen authentication on devices. How does Protected Confirmation work?
The goal of Android Protected Confirmation, a new security feature in Android P, is to enable mobile devices to execute high-assurance transactions by providing hardware-based rather than software-based cryptographic assurance of human presence and intent when a user responds to a prompt or dialog. By providing sufficient trust in the authentication process, it lets users complete higher-risk actions, such as transferring large amounts of money or managing medical devices.
Android Protected Confirmation relies on a trusted execution environment (TEE), a protected execution environment with its own dedicated RAM and CPU that runs separately from the main operating system. This means that even if a device has been infected, root-level malware still won’t be able to corrupt the integrity of a transaction, as the TEE takes control of the device’s display and the confirmation process. This prevents any onscreen prompt from being hijacked or selected by a malicious application.
Once an asymmetric signing key and its attestation certificate have been generated and installed on the app’s back-end server, developers building apps for supported devices running Android P can use the Android Protected Confirmation API to display a prompt asking the user to agree to a short statement. This statement lets the app reaffirm that the user wants to complete a sensitive transaction.
If the user approves the dialog, data — including the prompt text that the user saw — is signed by the asymmetric signing key and is sent back to the server with a cryptographic signature and the transaction details. The signature is produced by the TEE, which protects the display of the confirmation dialog, as well as any user input.
The server checks if the signature is valid and ensures that the prompt text corresponds to the transaction details. If all is in order, the server completes the transaction with a high degree of confidence that the user has seen and approved the message in the prompt text from an enrolled device.
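The confirmation and verification flow described above, as an added Go example that is not Google's code and does not use the real Android API: the server derives the prompt from the transaction details, a stand-in for the TEE signs the prompt together with a transaction reference, and the server accepts only if the signature verifies under the enrolled public key and the signed prompt corresponds to the transaction. The message encoding, the choice of ECDSA P-256, and the omission of attestation-certificate checking at enrollment are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction is the server's record of what the user is being asked to approve.
type Transaction struct{ ID, Payee string; AmountCents int64 }

// promptFor derives the short statement shown to the user from the transaction details.
func promptFor(tx Transaction) string {
	return fmt.Sprintf("Pay %s $%d.%02d (ref %s)?", tx.Payee, tx.AmountCents/100, tx.AmountCents%100, tx.ID)
}

// confirmationMessage is a constructed encoding of what gets signed (prompt, then extra
// data, each length-prefixed); an assumption, since the page does not give the real format.
func confirmationMessage(prompt string, extra []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(prompt)))
	msg := append(append([]byte{}, n[:]...), prompt...)
	binary.BigEndian.PutUint32(n[:], uint32(len(extra)))
	return append(append(msg, n[:]...), extra...)
}

// newDeviceKey stands in for key generation in the TEE; the server only ever holds the public half.
func newDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// teeSign models the TEE signing exactly the prompt the user saw plus the extra data.
func teeSign(key *ecdsa.PrivateKey, prompt string, extra []byte) ([]byte, error) {
	digest := sha256.Sum256(confirmationMessage(prompt, extra))
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// serverVerify applies both checks: the signed prompt and reference must correspond to
// the transaction, and the signature must verify under the enrolled public key.
func serverVerify(pub *ecdsa.PublicKey, tx Transaction, prompt string, extra, sig []byte) bool {
	if prompt != promptFor(tx) || string(extra) != tx.ID {
		return false
	}
	digest := sha256.Sum256(confirmationMessage(prompt, extra))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the prompt text is part of the signed message, a genuine signature cannot be replayed for a transaction whose details (and therefore whose prompt) differ, which is the property the server-side check relies on.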
Because Android Protected Confirmation requires hardware integration, it will be optional in Android P, though Google has been working with Qualcomm to ensure its next-generation chipset will have TEEs and the Protected Confirmation API built in. The upcoming Pixel 3 will support Android Protected Confirmation, but it’s too early to know which other hardware partners will include the feature and when.
There is software currently in development that takes advantage of the high-assurance user confirmation that Android Protected Confirmation provides, including money transfers with the Royal Bank of Canada and products from Bigfoot Biomedical and Duo Security.
Being able to confirm that a human — not malware running on a device — was present before executing a transaction will undoubtedly spawn plenty of other applications once enough devices can take advantage of this new security feature.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)