Security Blog
The latest news and insights from Google on security and safety on the Internet
Android Protected Confirmation: Taking transaction security to the next level
19 tháng 10, 2018
Posted by Janis Danisevskis, Information Security Engineer, Android Security
[Cross-posted from the
Android Developers Blog
]
In Android Pie, we introduced Android Protected Confirmation, the first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system. This Trusted UI protects the choices you make from fraudulent apps or a compromised operating system. When an app invokes Protected Confirmation, control is passed to the Trusted UI, where transaction data is displayed and user confirmation of that data's correctness is obtained.
Once confirmed, your intention is cryptographically authenticated and unforgeable when conveyed to the relying party, for example, your bank. Protected Confirmation increases the bank's confidence that it acts on your behalf, providing a higher level of protection for the transaction.
Protected Confirmation also adds additional security relative to other forms of secondary authentication, such as a One Time Password or
Transaction Authentication Number
. These mechanisms can be frustrating for mobile users and also fail to protect against a compromised device that can corrupt transaction data or intercept one-time confirmation text messages.
Once the user approves a transaction, Protected Confirmation digitally signs the confirmation message. Because the signing key never leaves the Trusted UI's hardware sandbox, neither app malware nor a compromised operating system can fool the user into authorizing anything. Protected Confirmation signing keys are created using Android's standard
AndroidKeyStore
API. Before it can start using Android Protected Confirmation for end-to-end secure transactions, the app must enroll the public KeyStore key and its
Keystore Attestation
certificate with the remote relying party. The attestation certificate certifies that the key can only be used to sign Protected Confirmations.
There are many possible use cases for Android Protected Confirmation. At Google I/O 2018, the
What's new in Android security
session showcased partners planning to leverage Android Protected Confirmation in a variety of ways, including Royal Bank of Canada person to person money transfers; Duo Security, Nok Nok Labs, and ProxToMe for user authentication; and Insulet Corporation and Bigfoot Biomedical, for medical device control.
Insulet, a global leading manufacturer of tubeless patch insulin pumps, has demonstrated how they can modify their FDA cleared Omnipod DASH TM Insulin management system in a test environment to leverage Protected Confirmation to confirm the amount of insulin to be injected. This technology holds the promise for improved quality of life and reduced cost by enabling a person with diabetes to leverage their convenient, familiar, and secure smartphone for control rather than having to rely on a secondary, obtrusive, and expensive remote control device. (Note: The Omnipod DASH™ System is not cleared for use with Pixel 3 mobile device or Protected Confirmation).
This work is fulfilling an important need in the industry. Since smartphones do not fit the mold of an FDA approved medical device, we've been working with FDA as part of
DTMoSt
, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulinSince smartphones do not fit the mold of an FDA approved medical device, we've been working with FDA as part of
DTMoSt
, an industry-wide consortium, to define a standard for phones to safely control medical devices, such as insulin pumps. A technology like Protected Confirmation plays an important role in gaining higher assurance of user intent and medical safety.
To integrate Protected Confirmation into your app, check out the
Android Protected Confirmation training article
. Android Protected Confirmation is an optional feature in Android Pie. Because it has low-level hardware dependencies, Protected Confirmation may not be supported by all devices running Android Pie. Google Pixel 3 and 3XL devices are the first to support Protected Confirmation, and we are working closely with other manufacturers to adopt this market-leading security innovation on more devices.
Không có nhận xét nào :
Đăng nhận xét
Nhãn
#sharethemicincyber
#supplychain #security #opensource
android
android security
android tr
app security
big data
biometrics
blackhat
C++
chrome
chrome enterprise
chrome security
connected devices
CTF
diversity
encryption
federated learning
fuzzing
Gboard
google play
google play protect
hacking
interoperability
iot security
kubernetes
linux kernel
memory safety
Open Source
pha family highlights
pixel
privacy
private compute core
Rowhammer
rust
Security
security rewards program
sigstore
spyware
supply chain
targeted spyware
tensor
Titan M2
VDP
vulnerabilities
workshop
Archive
2024
thg 5
thg 4
thg 3
thg 2
thg 1
2023
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2022
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2021
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2020
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2019
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2018
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2017
thg 12
thg 11
thg 10
thg 9
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2016
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2015
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2014
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 4
thg 3
thg 2
thg 1
2013
thg 12
thg 11
thg 10
thg 8
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2012
thg 12
thg 9
thg 8
thg 6
thg 5
thg 4
thg 3
thg 2
thg 1
2011
thg 12
thg 11
thg 10
thg 9
thg 8
thg 7
thg 6
thg 5
thg 4
thg 3
thg 2
2010
thg 11
thg 10
thg 9
thg 8
thg 7
thg 5
thg 4
thg 3
2009
thg 11
thg 10
thg 8
thg 7
thg 6
thg 3
2008
thg 12
thg 11
thg 10
thg 8
thg 7
thg 5
thg 2
2007
thg 11
thg 10
thg 9
thg 7
thg 6
thg 5
Feed
Follow @google
Follow
Give us feedback in our
Product Forums
.
Không có nhận xét nào :
Đăng nhận xét