OK, it’s time to head out the door, so make sure you have your phone, keys, and wallet.
There are many things to carry around, so what if you just had to bring your phone? After all, the keys and wallet are just older authentication devices. We can completely replace them with a phone! This is the future Google is working towards when it pushes Android forward with support for driver
Google’s latest announcement details work to standardize an Android ecosystem around hardware and software, called the “Android Ready SE Alliance,” which will make all of this work. “SE” here is “Secure Element,” a hardware component quarantined from the rest of the system and designed to run only secure data processing such as NFC payments. The idea is that phone makers will be able to buy an “Android Ready SE” from secure element vendors such as NXP, Thales, STMicroelectronics, Giesecke + Devrient and Kigen, and Google says that these SE vendors “are teaming up with Google to create a set of open source, validated, and ready-to-use SE applets” that will support these new use cases.
With this new SE standardization effort, Google wants to support “digital keys” for the car, home and office; mobile driver’s licenses; national IDs; ePassports; and the usual tap-and-go payments. Google notes that this initiative is not just for phones and tablets; Wear OS, Android Automotive and Android TV are also supported. Having a car key in your watch or a driver’s license in your car computer sounds like a good idea, but Android TV? Why would I want a driver’s license on the TV?
Google lays out all the requirements for Android Ready SE:
- Select the relevant, validated hardware part from the SE vendor
- Enable the SE to be initialized from the bootloader and provision the root-of-trust (RoT) parameters through the SPI interface or cryptographic binding
- Work with Google to obtain certification keys/certificates in the SE factory
- Use the GA version of StrongBox for the SE applet, adapted to the SE
- Integrate the HAL code
- Enable an SE upgrade mechanism
- Run CTS/VTS tests for StrongBox to confirm that the integration has been done correctly
What’s not clear from Google’s announcement is the difference between supporting StrongBox, Android’s standard for a tamper-proof hardware security module, and being certified for “Android Ready SE.” StrongBox modules include their own CPU, secure storage and a true random number generator, and they communicate with the rest of the system over the Keymaster HAL. StrongBox has been supported on Qualcomm chips through the Qualcomm “Secure Processing Unit” (SPU) since 2018’s Snapdragon 845. Today, it looks like even the low end of Qualcomm’s lineup, like the Snapdragon 460, includes a Secure Processing Unit.
Is Qualcomm’s SPU not good enough?
Qualcomm is conspicuously absent from Google’s blog post and list of supported chipsets, so is the whole point of this initiative to say that such secure elements are not good enough? Google’s Pixel team has certainly gone in that direction with the development of the Titan M Security Chip in the Pixel 3 and later, and Samsung is now building its own secure element for flagship phones. (Samsung is also not mentioned in Google’s blog post.) The post states that “most modern phones now include discrete tamper-resistant hardware called Secure Element (SE)” and that “this SE offers the best way to introduce these new consumer use cases in Android.” This may lead one to believe that the blog post is pushing for off-die secure elements, but it is not clear how Google can use the word “most” if it does not count Qualcomm’s SPU. We have requested clarification and will update this report if the company gets back to us.
Google is not the only company trying to lighten the daily load. Apple is working on digital IDs and car keys for iPhones, and Samsung is working with individual car manufacturers to try to beat Google to the punch on Android. There have also been many one-off key tags from companies such as BMW and Tesla.
For now, Google says it is prioritizing mobile driver’s licenses and car keys. The company says it is working with the ecosystem to deliver SE applets for these two use cases “in conjunction with similar Android feature releases.” The Android feature release for mobile driver’s licenses is the Identity Credential API, which launched with Android 11. The holdup here is mostly that your local authority needs to both pass a law authorizing digital IDs and then create a digital ID app. As far as we can tell, there is not an Android feature release for digital car keys yet, not even in Android 12. When it is announced, it will hopefully support the Car Connectivity Consortium’s Digital Key standard, which would put Android and iOS on the same car key standard.
We will be on the lookout.