Google Unveils New Encryption Features for Android Developers

Security-minded Android application developers can better secure user data, thanks to new cryptographic features in Android 9.0, Google says. 

Security-minded Android application developers can better secure user data, thanks to new cryptographic features in Android 9.0, Google says. 

Starting in Android 6.0, as part of Keystore, application developers have had at their disposal a set of cryptographic tools designed to secure user data. Keystore moves cryptographic primitives out of software libraries and the Android OS and into secure hardware, in an attempt to protect application secrets from various forms of attack. 

Applications can specify restrictions on how and when the keys can be used, and the latest Android iteration brings new capabilities to Keystore. Among these are the ability to restrict key use to protect sensitive information, and the option to secure key use while keeping the key material out of reach of the application and the operating system.

Android 9.0 uses keyguard-bound cryptographic keys to keep sensitive information secure even when it is delivered to an application while the device screen is locked, a scenario in which the app does not need immediate access to the received data. 

In such scenarios, the Internet search giant explains, the keys can be used for encryption or verification, but not for decryption or signing. Thus, when the device is locked with a PIN, pattern, or password, attempts to use the keys for decryption will result in an invalid operation. 

“Keyguard binding and authentication binding both function in similar ways, except with one important difference. Keyguard binding ties the availability of keys directly to the screen lock state while authentication binding uses a constant timeout. With keyguard binding, the keys become unavailable as soon as the device is locked and are only made available again when the user unlocks the device,” Google says. 

Keyguard binding is enforced by the operating system, not the secure hardware, because the latter doesn’t know when the screen is locked. However, hardware-enforced Android Keystore protection features such as authentication binding can be combined with keyguard binding to deliver improved security. 

An operating system feature, keyguard binding is available to all devices running Android 9.0; keys for any algorithm supported by the device can be keyguard-bound, Google says. 
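The keyguard binding described above, and its combination with hardware-enforced authentication binding, as an added example written for this article (not code from Google or the article): a messaging-style app generates an AES-GCM key in the Android Keystore that can encrypt incoming data while the screen is locked but can only decrypt it once the user has unlocked the device. The key alias, the 30-second authentication timeout and the "inbox" scenario are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class KeyguardBoundInbox {
    private static final String ALIAS = "inbox-key"; // hypothetical alias, not from the article
    private static final int IV_LEN = 12;            // GCM IV length produced by Keystore

    // AES-256-GCM key held in the Android Keystore. setUnlockedDeviceRequired(true) is the
    // OS-enforced keyguard binding (API 28+): decryption is refused while the screen is locked,
    // encryption still works. setUserAuthenticationRequired(true) layers hardware-enforced
    // authentication binding on top, here with a (constructed) 30-second validity window.
    static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setUnlockedDeviceRequired(true)                 // keyguard binding
                .setUserAuthenticationRequired(true)             // authentication binding
                .setUserAuthenticationValidityDurationSeconds(30)
                .build());
        return kg.generateKey();
    }

    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return (SecretKey) ks.getKey(ALIAS, null);
    }

    // Runs when a message arrives, possibly while the device is locked: permitted.
    // Returns IV || ciphertext so the record can be stored until the user unlocks.
    static byte[] sealIncoming(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey());      // Keystore chooses a fresh random IV
        byte[] iv = c.getIV(), ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // Runs when the user opens the message. While the screen is locked, init() throws a
    // GeneralSecurityException subclass (keyguard binding); it also fails once the
    // authentication window has expired (authentication binding), so callers must handle both.
    static byte[] openStored(byte[] record) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(128, record, 0, IV_LEN));
        return c.doFinal(record, IV_LEN, record.length - IV_LEN);
    }
}
```

Because keyguard binding is checked by the OS rather than the secure hardware, treating the decryption failure as an expected state and retrying after the user unlocks is the intended pattern; the authentication-bound timeout is the part the hardware enforces independently of screen state.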

Another new feature in Android 9.0 is Secure Key Import, which allows applications to provision existing keys into Keystore in a more secure manner. The secure key can be encrypted at origin using a public wrapping key from the user’s device and can only be decrypted in the Keystore hardware belonging to the device that generated the wrapping key. 

“Keys are encrypted in transit and remain opaque to the application and operating system, meaning they’re only available inside the secure hardware into which they are imported,” the search company explains. 

The feature should prove useful in scenarios where an application intends to share a secret key with an Android device, but wants to make sure the key is not intercepted or that it doesn’t leave the device. A secure hardware feature, Secure Key Import is only available on select Android Pie devices. 

Related: Google Introduces Security Transparency Report for Android

Related: Google Boosts Android Security with Protected Confirmation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
