
Google Unveils New Encryption Features for Android Developers

Security-minded Android application developers can better secure user data, thanks to new cryptographic features in Android 9.0, Google says. 


Since Android 6.0, Keystore has given application developers a set of cryptographic tools designed to secure user data. Keystore moves the cryptographic primitives found in software libraries into secure hardware, outside the Android OS, in an attempt to protect application secrets from various forms of attack.

Applications can specify restrictions on how and when the keys can be used, and the latest Android iteration brings new capabilities to Keystore. Among these are the ability to restrict key use to protect sensitive information, and the option to secure key use while protecting key material from the application or operating system.

Android 9.0 aims to keep sensitive information secure even if it was sent to an application while the device screen was locked (the app doesn’t need to immediately access the received data), and uses keyguard-bound cryptographic keys for that. 

In such scenarios, the Internet search giant explains, the keys can be used for encryption or verification, but not for decryption or signing. Thus, when the device is locked with a PIN, pattern, or password, attempts to use the keys for decryption will result in an invalid operation. 

“Keyguard binding and authentication binding both function in similar ways, except with one important difference. Keyguard binding ties the availability of keys directly to the screen lock state while authentication binding uses a constant timeout. With keyguard binding, the keys become unavailable as soon as the device is locked and are only made available again when the user unlocks the device,” Google says. 

Keyguard binding is enforced by the operating system, not the secure hardware, because the latter doesn’t know when the screen is locked. However, hardware-enforced Android Keystore protection features such as authentication binding can be combined with keyguard binding to deliver improved security. 


An operating system feature, keyguard binding is available to all devices running Android 9.0; keys for any algorithm supported by the device can be keyguard-bound, Google says. 

Another new feature in Android 9.0 is Secure Key Import, which allows applications to provision existing keys into Keystore in a more secure manner. The secure key can be encrypted at origin using a public wrapping key from the user’s device and can only be decrypted in the Keystore hardware belonging to the device that generated the wrapping key. 

“Keys are encrypted in transit and remain opaque to the application and operating system, meaning they’re only available inside the secure hardware into which they are imported,” the search company explains. 

The feature should prove useful in scenarios where an application intends to share a secret key with an Android device, but wants to make sure the key is not intercepted or that it doesn’t leave the device. A secure hardware feature, Secure Key Import is only available on select Android Pie devices. 
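The device side of Secure Key Import, as an added example that is not code from Google or SecurityWeek: the app creates a wrapping key pair in Keystore, hands the public key to the key's origin, and later imports the encrypted key it gets back. The aliases and class name are hypothetical, and `wrappedKeyBytes` is assumed to come from the origin already encrypted in the format Keystore expects, which the article does not describe.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.SecureKeyImportUnavailableException;
import android.security.keystore.WrappedKeyEntry;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;

public final class SecureImport {
    private static final String WRAP_ALIAS = "wrapping_key";     // hypothetical alias
    private static final String IMPORTED_ALIAS = "imported_key"; // hypothetical alias

    private static KeyGenParameterSpec wrapSpec() {
        return new KeyGenParameterSpec.Builder(WRAP_ALIAS, KeyProperties.PURPOSE_WRAP_KEY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
                .setBlockModes(KeyProperties.BLOCK_MODE_ECB)
                .build();
    }

    /** Creates the wrapping key pair; only the public half leaves the device. */
    public static PublicKey createWrappingKey() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore");
        kpg.initialize(wrapSpec());
        return kpg.generateKeyPair().getPublic();
    }

    /** Imports the encrypted key; returns false on devices without Secure Key Import. */
    public static boolean importWrapped(byte[] wrappedKeyBytes)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        try {
            // The blob is unwrapped by Keystore; the app never sees the plaintext key.
            ks.setEntry(IMPORTED_ALIAS, new WrappedKeyEntry(
                    wrappedKeyBytes, WRAP_ALIAS, "RSA/ECB/OAEPPadding", wrapSpec()), null);
            return true;
        } catch (SecureKeyImportUnavailableException e) {
            return false; // the feature is only available on select Android Pie devices
        }
    }
}
```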


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
