Android Pie introduced a new security feature called Android Protected Confirmation for performing critical transactions, like banking and controlling medical devices. The Pixel 3 and Pixel 3 XL are the first devices to support it, as Google continues to detail the security features of its latest phones this week.
According to Google, Android Protected Confirmation is the “first major mobile OS API that leverages a hardware protected user interface (Trusted UI) to perform critical transactions completely outside the main mobile operating system.”
For example, a banking application might invoke the Trusted UI to verify a large monetary transaction or transfer. The interface is somewhat reminiscent of the bootloader screen: a stark white background stating that you are in Android Protected Confirmation, along with the exact nature of the transaction to approve.
This confirmation provides an extra layer of security for the action you’re about to take.
To confirm, users are asked to double-press the power button, with the prompt appearing next to the physical button; cancelling is done by pressing the volume up key. Since the prompt and the button press are handled by the hardware-protected UI rather than the main OS, this provides assurance that a physically present user originated the command, and the confirmation holds up against fraudulent apps or a compromised operating system.
Once confirmed, your intention is cryptographically authenticated and unforgeable when conveyed to the relying party (for example, your bank). Protected Confirmation increases the bank’s confidence that it is acting on your behalf, providing a higher level of protection for the transaction.
Protected Confirmation can also be used to bolster One Time Passwords or Transaction Authentication Numbers. Those existing methods are not protected against a compromised device, which can corrupt or intercept the one-time confirmation text messages they rely on.
Once the user approves a transaction, Protected Confirmation digitally signs the confirmation message. Because the signing key never leaves the Trusted UI’s hardware sandbox, neither app malware nor a compromised operating system can fool the user into authorizing anything, or forge an approval the user never gave.
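The flow described above, as an added example that is not code from the article or from Google: an app generates a hardware-backed key that the Keystore will only use to sign data the user approved in the Trusted UI, presents the Protected Confirmation prompt, and signs the confirmed bytes for the relying party. The android.security.ConfirmationPrompt, ConfirmationCallback and KeyGenParameterSpec.setUserConfirmationRequired APIs are the platform’s own (API 28+); the key alias, the server-supplied nonce and attestation challenge, and the SignedTransferSink callback are assumptions made for the example.

```java
// Added example (not from the article or Google's post). Assumed: KEY_ALIAS,
// the bank-supplied nonce/attestationChallenge, and SignedTransferSink.
import android.content.Context;
import android.security.ConfirmationAlreadyPresentingException;
import android.security.ConfirmationCallback;
import android.security.ConfirmationNotAvailableException;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.concurrent.Executor;

public class ProtectedTransfer {
    private static final String KEY_ALIAS = "bank-transfer-confirmation-key"; // assumed alias

    // One-time setup: an EC P-256 key in the hardware-backed keystore. With
    // setUserConfirmationRequired(true) the Keystore only signs data that
    // arrived wrapped in a Protected Confirmation token, so the OS cannot
    // use this key to sign a message the user never saw.
    public static void generateConfirmationKey(byte[] attestationChallenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true)
                // Server-supplied challenge: lets the bank check, via key attestation,
                // that the key is hardware-backed and confirmation-bound.
                .setAttestationChallenge(attestationChallenge)
                .build());
        kpg.generateKeyPair();
    }

    // Show the Trusted UI for one transaction. 'nonce' comes from the bank and is
    // bound into the confirmed data so a signed approval cannot be replayed.
    public static void confirmAndSign(Context ctx, Executor executor,
                                      String promptText, byte[] nonce,
                                      SignedTransferSink sink)
            throws ConfirmationAlreadyPresentingException, ConfirmationNotAvailableException {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            // Optional in Android Pie: only devices with the right hardware offer it.
            throw new ConfirmationNotAvailableException();
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(promptText)   // exactly what the user sees and approves
                .setExtraData(nonce)         // opaque bytes for the relying party, not shown
                .build();

        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override
            public void onConfirmed(byte[] dataThatWasConfirmed) {
                // dataThatWasConfirmed is the message the Trusted UI bound (prompt text
                // plus extra data). Sign these exact bytes, never a reconstructed copy.
                try {
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign(key);
                    sig.update(dataThatWasConfirmed);
                    sink.onSigned(dataThatWasConfirmed, sig.sign());
                } catch (Exception e) {
                    sink.onFailure(e);
                }
            }
            @Override public void onDismissed() { sink.onFailure(new IllegalStateException("dismissed")); }
            @Override public void onCanceled()  { sink.onFailure(new IllegalStateException("canceled")); }
            @Override public void onError(Throwable t) { sink.onFailure(t); }
        });
    }

    // Hypothetical callback for delivering the signed confirmation to the bank.
    public interface SignedTransferSink {
        void onSigned(byte[] confirmedData, byte[] signature);
        void onFailure(Throwable cause);
    }
}
```

The relying party does the matching checks on its side: verify the signature over the received confirmed bytes with the attested public key, decode the confirmed data (the platform documents it as CBOR-encoded) and compare the prompt text and nonce against the transaction it expected, and walk the attestation certificate chain to confirm the key is hardware-backed with confirmation required. A client that signs its own re-serialised copy of the prompt, or a server that skips the prompt-text comparison, gives away the guarantee the Trusted UI provides.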
Android Protected Confirmation can be adopted by any third-party app, with banking and medical partners showing off various examples at I/O 2018:
Royal Bank of Canada for person-to-person money transfers; Duo Security, Nok Nok Labs, and ProxToMe for user authentication; and Insulet Corporation and Bigfoot Biomedical for medical device control.
The latter use case sees Google working with the FDA as part of a medical industry standard to “safely control medical devices, such as insulin pumps” from smartphones. Meanwhile, the company noted earlier this week that Google Pay is working to take advantage of this feature as well.
The Pixel 3 and Pixel 3 XL are the first devices to support Android Protected Confirmation, backed by the Titan M security chip. The feature is still considered optional in Android Pie because it requires low-level hardware support, but Google is working with other manufacturers to adopt it.