Google I/O highlighted all the ways technology can take over human tasks, such as scheduling appointments over the phone and helping compose emails by auto-completing sentences, but the annual developer conference wasn't just about robots. A new security feature in Android P lets app developers make sure a human is still at the controls.
Developers can use the Android Protected Confirmations API to verify that a human interacted with the Android device to confirm sensitive transactions, such as sending money, controlling medical devices, or even voting in elections. With this API, developers can create apps that can handle tasks previously considered too risky or unsafe to perform on Android devices.
We don't vote for prime minister from our phones," Dave Kleidermacher, Google's lead for mobile security, said at Google I/O. "It's our goal to break through that ceiling.
When the app wants the user to approve or reject a transaction, it will typically display a confirmation screen or prompt and wait for the user's response. However, malware and man-in-the-middle attacks can potentially hijack the confirmation screen.
Imagine the benefits of being able to confirm that a human—not malware running on the device—was present before transferring money? Or before injecting insulin?
With the Protected Confirmations API, developers can deliver the confirmation screen to the user's Android device through a secure channel. Both the prompt and the user's response are signed with a cryptographic key generated within the device's Trusted Execution Environment (TEE). Because TEE is a tamper-proof area on the device separate from the operating system, malware or some other process cannot manipulate the prompt or the response. Since cryptographic keys never leave the TEE, malware cannot intercept the keys.
"A valid Confirmation signature accompanying an authentication response ensures that a human responded to the transaction from the enrolled device, not malware written by an adversary, or software attempting to automatically respond to received authentication requests," wrote James Barclay, Robbie Small, and Taylor McCaslin, security engineers from Duo Security.
The cryptographic signature, protected by a keyed-hash message authentication code (HMAC), indicates a high confidence the prompt was shown to the human holding the device and the confirmation came from a human interacting with the device.
The public beta for Android P is currently available and the final release is expected sometime in August. However, the Confirmations API is more than just a software feature. The API needs the device to have compatible TEE, so developers have to wait for compatible hardware to be more widely available before the feature can be used broadly. Google has partnered with Qualcomm to ensure that its next-generation chipset will have built-in protected confirmations API.
There have been a lot of concerns recently about whether two-factor authentication mechanisms can be hijacked by attackers. Attackers can social engineer victims into handing over one-time-passwords (OTP) or to accidentally confirm authentication prompts. The Protected Confirmations API can help address this worry because Android developers can use the API to ensure that the input is actually coming from the user and not some other process.
Every iteration of Android has been more secure than the last, and Android P is no exception. With the new Protected Confirmation API, Google is trying to push Android into cases that have not been previously considered for mobile devices. How well the developers deliver on the potential is uncertain, but the security is in place to make many apps possible.
"Imagine the benefits of being able to confirm that a human – not malware running on the device – was present before transferring money? Or before injecting insulin?" Barclay, Small, and McCaslin wrote.