Okay, it’s time to head out the door, so make sure you have your phone, keys, and wallet.
That’s a lot of items to carry, so what if you just had to bring your phone? After all, your keys and wallet are just legacy authentication devices. We could completely replace them with a phone! That’s the future Google is working toward as it adds support for driver’s licenses and digital car keys to Android.
Google’s latest announcement details an effort, called the “Android Ready SE Alliance,” to standardize an Android ecosystem of hardware and software that will make all of this work. “SE” here is “Secure Element,” a hardware component isolated from the rest of the system and designed to run only secure computing tasks such as an NFC payment. The idea is for phone makers to be able to buy an “Android Ready SE” from secure element providers like NXP, Thales, STMicroelectronics, Giesecke + Devrient, and Kigen, and Google says these SE providers are “joining hands with Google to create a set of open source, validated, and ready-to-use SE Applets” that will support these emerging use cases.
With this new SE standardization effort, Google wants to support “digital keys” for your car, home and office; mobile driver’s licenses; national identifications; electronic passports; and the usual tap-and-go payments. Google notes that this initiative is not just for phones and tablets; Wear OS, Android Automotive, and Android TV are also supported. Having your car key on your watch or your driver’s license on your car’s computer sounds like a great idea, but Android TV? Why would I want a driver’s license on my TV?
Google lays out the requirements for Android Ready SE:
- Choose the appropriate and validated piece of hardware from your SE vendor
- Enable SE to initialize from boot loader and provision Root of Trust (RoT) parameters through SPI interface or cryptographic link
- Work with Google to provision certificates / attestation keys at the SE factory
- Use GA version of StrongBox for SE applet, tailored to your SE
- Integrate the HAL code
- Enable an SE update mechanism
- Run CTS / VTS tests for StrongBox to verify successful integration
What is not clear from Google’s announcement is the difference between supporting StrongBox, the common Android standard for a tamper-resistant hardware security module, and being certified for “Android Ready SE”. StrongBox modules include their own CPU, secure storage, and a true random number generator, and communicate with the rest of the system through the Keymaster HAL. StrongBox has been compatible with Qualcomm chips through Qualcomm’s “Secure Processing Unit” (SPU) since the 2018 Snapdragon 845. Today it appears that even the lower end of Qualcomm’s line, such as the Snapdragon 460, contains a Secure Processing Unit.
Qualcomm SPU not good enough?
Qualcomm is conspicuously absent from Google’s blog post and supported chipset list, so is the point of this initiative to say that built-in secure elements are not good enough? Google’s Pixel team has certainly moved in that direction with the development of the Titan M security chip in the Pixel 3 onwards, and Samsung is also building its own secure element now for flagship phones. (Samsung is also not mentioned in the Google blog post.) The post says that “most modern phones now include discrete tamper-proof hardware called the Secure Element (SE)” and that “this SE offers the best way to introduce these new uses for consumer cases on Android.” This could lead one to believe that the blog post is pushing for off-die secure elements, but it’s unclear how Google can use the word “most” if it doesn’t count Qualcomm’s SPU. We have requested clarification and will update this report if the company gets back to us.
Google isn’t the only company trying to lighten your daily load. Apple is working on digital IDs and car keys for iPhones, and Samsung is partnering with individual automakers to try to beat Google on Android. There have also been many unique applications for car keys from companies like BMW and Tesla.
For now, Google says it is prioritizing mobile driver’s licenses and car keys. The company says it is working with the ecosystem to deliver the SE applets for these two use cases “along with corresponding Android feature releases.” The Android feature release for mobile driver’s licenses is the Identity Credential API, which launched with Android 11. The problem here is mainly that your local government agency needs to pass a law authorizing digital IDs and then create a digital ID app. From what we can tell, there is still no Android feature release for digital car keys, even on Android 12. When it is announced, hopefully it will support the Car Connectivity Consortium digital key standard, which would put Android and iOS on the same car key standard.
We’ll be on the lookout.