Google is boosting Android Key security for mobile apps with new Keystore features to improve the safety of devices running Android Pie.
The Android Keystore provides application developers with cryptographic tools designed to secure user data and Android Pie is introducing new capabilities to Keystore to enable restrictions on key use and to secure key use while protecting key material from the application or operating system, according to a Dec. 12 blog post.
Android Pie is implementing keyguard-bound keys which ties the availability of keys directly to the screen lock state while authentication binding uses a constant timeout so that the keys become unavailable as soon as the device is locked. The keys are then only made available again when the user unlocks the device.
This feature is enforced by the operating system, not the secure hardware because the secure hardware has no way to know when the screen is locked and is available to any device running Android Pie.
Google will also add secure key import to facilitate secure key use while protecting key material from the application or operating system. Keys will be encrypted in transit and remain opaque to the application and operating system, meaning they're only available inside the secure hardware into which they are imported.
This feature will help prevent key interception when leaving the device where an application intends to share a secret key with an Android device.