5

I'd like to know if the latest generation of Android devices provides an application with access to their Secure Element in some way (other than by way of the NFC interface, which is the #1 application of the SE), preferably by implementing a keystore that uses the service of their Secure Element?

My use case is storing and using a cryptographic key (e.g. an HMAC key, unique to the device), in a manner that is hard to copy to another device, or emulate. Without some hardware support (and I only see the secure element as a hardware basis), it looks like I'm doomed.

auspicious99
fgrieu

1 Answer

5

Since Android 4.3, material in the keychain can be marked as stored in a “hardware-backed key store”. This can provide secure element access, but the hardware backing can also be ensured by TrustZone, which doesn't leave the main CPU. There's no way to query what kind of hardware backs the keystore (embedded SE, removable SE, TZ, …). The API function name isBoundKeyAlgorithm is perhaps a more precise way to qualify the intent of this attribute.

There is no guarantee that the SE is available to applications even when it is present. Technically, most Android phones have long had access to a (removable) secure element, the SIM card, but this was not available to applications. Phones with NFC have a better chance.

In older Android versions, it is possible to access the SE (if any) through SEEK for Android; however, this only works on a few development devices, so it is not an option unless you can impose a particular phone model and a custom image.

Gilles 'SO- stop being evil'
  • Many thanks! I have checked this. It works on some relatively recent real hardware, including inability to export the key, but only for RSA keys of 2048 bits, nothing else that I could find. Also, I found no way that a remote internet server could ascertain that a key is in the keystore and was generated there, or inject such a key there securely. – fgrieu Dec 18 '13 at 06:45
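The hardware-binding check from the answer combined with a non-exportable RSA key, as an added example that is not part of the original answer or comment. It assumes the Android 4.3-era interfaces (`KeyChain.isBoundKeyAlgorithm`, `KeyPairGeneratorSpec`, the `AndroidKeyStore` provider); the class name and key alias are hypothetical, and an RSA signature over a challenge stands in for the HMAC key of the question because RSA is the only key type the comment reports working.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyPairGeneratorSpec;
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

// Added example; DeviceBoundKey and ALIAS are hypothetical names.
public final class DeviceBoundKey {
    private static final String ALIAS = "device-bound-key";
    private static final long TEN_YEARS_MS = 10L * 365 * 24 * 3600 * 1000;

    /** Creates the key pair once; returns false when RSA keys are not hardware-bound. */
    public static boolean ensureKey(Context ctx) throws Exception {
        if (!KeyChain.isBoundKeyAlgorithm("RSA")) {
            return false; // software-only keystore: key is not tied to this device's hardware
        }
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(ALIAS)) return true;
        Date now = new Date();
        KeyPairGeneratorSpec spec = new KeyPairGeneratorSpec.Builder(ctx)
                .setAlias(ALIAS)
                .setSubject(new X500Principal("CN=" + ALIAS)) // self-signed placeholder cert
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(now)
                .setEndDate(new Date(now.getTime() + TEN_YEARS_MS))
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
        kpg.initialize(spec);
        kpg.generateKeyPair(); // private half is created inside the keystore
        return true;
    }

    /** Signs a caller-supplied challenge; the private key is only used by reference. */
    public static byte[] signChallenge(byte[] challenge) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        PrivateKey key = ((KeyStore.PrivateKeyEntry) ks.getEntry(ALIAS, null)).getPrivateKey();
        if (key.getEncoded() != null) { // keystore-held keys expose no encoded form
            throw new IllegalStateException("private key material is exportable");
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(challenge);
        return s.sign();
    }
}
```

A `true` result from `ensureKey` says only that the key is bound to some hardware; as the answer notes, it does not reveal whether that hardware is a secure element or TrustZone.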