
I recently read about PC/Desktops which come with TPM chips which are used for remote attestation.

So the following are my questions:

  1. Does any Android smartphone come with a TPM chip?

  2. Is there any way for a service provider to check whether the user is accessing their service from a compromised Android OS? (i.e., Does Android platform provide any mechanism for remote attestation?)

Oren Milman
aMa

3 Answers

  1. To my knowledge, no Android smartphone comes with a TPM. However, in theory, a TPM could be implemented in software within ARM's TrustZone, but I have never seen this in practice.

  2. Samsung KNOX offers this as part of Secure Boot and TIMA (a TEE) running within TrustZone.

    • They implemented Secure Boot, which makes sure a trusted (known) environment is loaded (they're probably using something like HIBv4 - ARM's efuse), and
    • TIMA pauses the OS from time to time and assesses the integrity of Android. In TZ terms, TIMA runs in the Secure World while Android is in the Normal World, thus TIMA has more privilege than Android.

Secure Boot doesn't provide an at-run-time indication about the posture of a device like Remote Attestation could do, but it still provides some form of guarantee over the integrity of the OS. This link also describes how they authenticate a Samsung KNOX device, from which you can derive trust (Secure Boot and TIMA are running).

Other devices provide Secure Boot but, to my knowledge, KNOX is the only thing monitoring the integrity after boot-up and really providing a means by which you can derive trust that those controls are in place.

northox
  • 1. is false, Android supports hardware-backed secure storage over e.g. TPM - 2. All phones with Play Store on them can use the SafetyNet API from Google – Patrick Sep 05 '16 at 08:54
  • I haven't said it doesn't support it; I said I don't know any with a TPM. – northox Sep 06 '16 at 03:19
  1. There are Android phones with hardware-backed storage. This has been supported since Android 4.3, i.e. mid-2013 (SDK 18), via the KeyChain API. From the changelog:

Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available by calling KeyChain.IsBoundKeyAlgorithm().

  2. Google offers, via a Play Service, the SafetyNet API, which can check if a device was compromised. Here is the description on their site:

The service provides an API your app can use to analyze the device where it is installed. The API uses software and hardware information on the device where your app is installed to create a profile of that device. The service then attempts to match it to a list of device models that have passed Android compatibility testing. This check can help you decide if the device is configured in a way that is consistent with the Android platform specifications and has the capabilities to run your app.

This is used in the Google Pay app afaik.

Patrick

The current answers here are now out of date. The Google Pixel 2 now contains the hardware support for remote attestation, and has its own variant to meet the needs of the TPM. "TEE - trusted execution environment"

As for the software support, that depends on what you install.

Source : https://copperhead.co/android/docs/verified_boot

"Remote attestation.

Copperhead uses the hardware-backed keystore with key attestation to implement our Auditor app which provides both local verification from another Android device (via QR codes). The app also has support for regularly scheduled remote verification using our attestation server hosted at https://attestation.copperhead.co/."

Ev0xFrost
  • Avoid using Copperhead. The CEO took over control from the main developer in a hostile takeover, and the developer no longer considers it to be safe. I would recommend GrapheneOS instead. – forest Jun 23 '22 at 21:16
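The client side of the flow the second and third answers describe (a hardware-backed keystore key, a runtime check that it really lives in secure hardware, and a key-attestation chain a service provider can verify) looks roughly like this on Android 7.0+ (API 24). This is an added illustration, not code from any answer, from Copperhead's Auditor or from Google; the alias "attest-key" and the class name are hypothetical.

```java
// Added example (not from the answers above): generate an EC key in the Android
// hardware-backed keystore with a server-supplied attestation challenge, confirm the
// key is inside secure hardware, and return the attestation certificate chain that the
// server verifies. "attest-key" and KeyAttestationExample are hypothetical names.
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;

public final class KeyAttestationExample {
    private static final String ALIAS = "attest-key"; // hypothetical key alias

    // challenge: a fresh random nonce issued by the server for this session. It is
    // bound into the attestation certificate, so the server can reject a chain that
    // was produced earlier or on a different device.
    public static Certificate[] attest(byte[] challenge) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(challenge) // requests an attestation chain
                .build());
        KeyPair kp = kpg.generateKeyPair();

        // Runtime check for the hardware-backed storage the second answer describes:
        // a software-backed key gives no attestation worth trusting.
        KeyFactory kf = KeyFactory.getInstance(
                kp.getPrivate().getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(kp.getPrivate(), KeyInfo.class);
        if (!info.isInsideSecureHardware()) {
            throw new IllegalStateException("key is software-backed; refusing to attest");
        }

        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        // chain[0] is the leaf carrying the attestation extension
        // (OID 1.3.6.1.4.1.11129.2.1.17). The server, not the app, must verify the
        // chain up to Google's attestation root and then check the challenge, the
        // verified-boot state and the security level recorded in that extension.
        return ks.getCertificateChain(ALIAS);
    }
}
```

The chain is only meaningful once the server has validated it; a check performed on the device itself can be tampered with on a compromised OS, which is exactly the case the question is about.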