Google wants to standardize digital car key and ID support on Android


OK, it’s time to walk out the door, so make sure you have your phone, keys and wallet.

There are a lot of items to carry, so what if you just had to bring your phone? After all, your keys and wallet are just legacy authentication devices. We could totally replace them with a phone! This is the future Google is working on as it takes Android forward with support for driver’s licenses and digital car keys.

Google’s latest announcement details the work to standardize an Android ecosystem around the hardware and software that will make all of this work, called the “Android Ready SE Alliance.” “SE” here is “secure element,” a hardware component quarantined from the rest of the system and designed to perform only secure computing tasks, such as an NFC payment. The idea is that phone manufacturers can buy an “Android Ready SE” from secure element vendors like NXP, Thales, STMicroelectronics, Giesecke + Devrient and Kigen, and Google says these SE vendors are “joining hands with Google to create a set of open source, validated, ready-to-use SE Applets” that will support these emerging use cases.

With this new SE standardization effort, Google wants to support “digital keys” for your car, home and office; mobile driver’s licenses; National IDs; ePassports; and the usual tap-and-go payments. Google notes that this initiative is not just for phones and tablets; Wear OS, Android Automotive and Android TV are also supported. Having your car key on your watch or your driver’s license on your car computer sounds like a great idea, but Android TV? Why would I want a driver’s license on my television?

Google lists the requirements for Android Ready SE:

  1. Choose the validated and appropriate piece of hardware from your SE vendor
  2. Enable SE to be booted from the bootloader and provision the root-of-trust (RoT) parameters through the SPI interface or cryptographic link
  3. Work with Google to provision certificates / attestation keys at the SE factory
  4. Use the GA version of StrongBox for the SE applet, adapted to your SE
  5. Integrate the HAL code
  6. Enable an SE update mechanism
  7. Run CTS / VTS tests for StrongBox to verify that the integration was done correctly

What is not clear from Google’s announcement is the difference between supporting StrongBox, the usual Android standard for a tamper-resistant hardware security module, and being certified for “Android Ready SE.” StrongBox modules include their own CPU, secure storage and a true random number generator, and they communicate with the rest of the system via the Keymaster HAL. StrongBox has been supported on Qualcomm chips through Qualcomm’s “Secure Processing Unit” (SPU) since the 2018 Snapdragon 845. Today, it appears that even the bottom end of Qualcomm’s lineup, like the Snapdragon 460, contains a Secure Processing Unit.
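For a server or other relying party, the practical side of this paragraph is confirming that a key really lives in StrongBox rather than in the TEE or in software. The following is an added example, not code from Google or from the original article: it reads the security-level fields of an Android key attestation extension (OID 1.3.6.1.4.1.11129.2.1.17) and accepts only StrongBox. It assumes the certificate chain carrying the extension has already been validated against a trusted root, and `make_sample` builds constructed bytes rather than output from a real device.

```python
import hmac

LEVELS = {0: "Software", 1: "TrustedEnvironment", 2: "StrongBox"}  # SecurityLevel

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_key_description(ext):
    """Return (attestation level, keymaster level, challenge)."""
    tag, body, end = read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("expected exactly one SEQUENCE")
    vals, pos = [], 0
    # Schema order: version, level, version, level, challenge.
    for want in (0x02, 0x0A, 0x02, 0x0A, 0x04):
        tag, val, pos = read_tlv(body, pos)
        if tag != want:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        vals.append(val)
    for lvl in (vals[1], vals[3]):
        if len(lvl) != 1 or lvl[0] not in LEVELS:
            raise ValueError("unknown SecurityLevel")
    return LEVELS[vals[1][0]], LEVELS[vals[3][0]], vals[4]

def is_strongbox_key(ext, expected_challenge):
    """Fail closed: malformed input or any non-StrongBox level is rejected."""
    try:
        att, km, challenge = parse_key_description(ext)
    except ValueError:
        return False
    return att == km == "StrongBox" and hmac.compare_digest(challenge, expected_challenge)

def make_sample(level, challenge=b"nonce-1234"):
    """Constructed KeyDescription bytes, not taken from a real device."""
    body = (bytes([0x02, 1, 3, 0x0A, 1, level, 0x02, 1, 4, 0x0A, 1, level,
                   0x04, len(challenge)]) + challenge
            + bytes([0x04, 0, 0x30, 0, 0x30, 0]))  # uniqueId, two empty lists
    return bytes([0x30, len(body)]) + body
```

Checking the challenge against the nonce the server issued ties the attestation to the current request, so a previously captured StrongBox certificate cannot be replayed.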

Is Qualcomm’s SPU not good enough?

Qualcomm is conspicuously absent from the Google blog post and the list of supported chipsets, so is the purpose of this initiative to say that on-die secure elements are not good enough? The Google Pixel team has certainly moved in that direction with the development of the Titan M Security Chip on Pixel 3 and above, and Samsung is now building its own secure element, too, for its main phones. (Samsung is also not mentioned in the Google blog post.) The post says that “most modern phones now include discrete tamper-resistant hardware called the Secure Element (SE)” and that “this SE offers the best way to introduce these new consumer use cases on Android.” This may lead one to believe that the blog post is pushing for external secure elements, but it is not clear how Google can use the word “most” if it is not counting the SPU from Qualcomm. We have asked for clarification and will update this report if the company contacts us.

Google is not the only company that is trying to lighten your daily load. Apple is working on digital IDs and car keys for iPhones, and Samsung is partnering with individual car makers to try to beat Google on Android. There have also been many car key apps from companies like BMW and Tesla.

For now, Google says it is prioritizing driver’s licenses and digital car keys. The company says it is working with the ecosystem to provide SE applets for these two use cases “in conjunction with the corresponding Android feature releases”. The Android feature release for mobile driver’s licenses is the Identity Credential API, launched with Android 11. The obstacle here is mainly that your local government agency needs to pass a law authorizing digital IDs and then make a digital ID app. As far as we can tell, there is still no Android feature release for digital car keys, even on Android 12. When this is announced, we hope it will support the Car Connectivity Consortium digital key standard, which would put Android and iOS on the same car key standard.

We will be watching.
