OK, it’s time to head out the door, so make sure you’ve got your phone, keys, and wallet.
That’s a lot of items to carry around, so what if you only had to bring your phone? After all, your keys and wallet are just legacy authentication devices. We could totally replace them with a phone! That’s the future Google is working toward as it pushes Android forward with support for driver’s licenses and digital car keys.
Google’s latest announcement details work to standardize an Android ecosystem around hardware and software, called the “Android Ready SE Alliance,” that will make all this work. “SE” here is “secure element,” a hardware component quarantined from the rest of the system, designed to only run secure computing tasks like an NFC payment. The idea is that phone manufacturers will be able to buy an “Android Ready SE” from secure element vendors like NXP, Thales, STMicroelectronics, Giesecke+Devrient, and Kigen, and Google says that these SE vendors are “joining hands with Google to create a set of open-source, validated, and ready-to-use SE Applets” that will support these emerging use cases.
With this new SE standardization effort, Google wants to support “digital keys” for your car, home, and office; mobile driver’s licenses; national IDs; ePassports; and the usual tap-and-go payments. Google notes that this initiative isn’t just for phones and tablets; Wear OS, Android Automotive, and Android TV are also supported. Having a car key in your watch or a driver’s license in your car computer sounds like a great idea, but Android TV? Why would I want a driver’s license in my television?
Google lays out the full requirements for Android Ready SE:
- Pick the appropriate, validated hardware part from their SE vendor
- Enable SE to be initialized from the bootloader and provision the root-of-trust (RoT) parameters through the SPI interface or cryptographic binding
- Work with Google to provision Attestation Keys/Certificates in the SE factory
- Use the GA version of the StrongBox for the SE applet, adapted to your SE
- Integrate HAL code
- Enable an SE upgrade mechanism
- Run CTS/VTS tests for StrongBox to verify that the integration is done correctly
What’s not clear from Google’s announcement is the difference between supporting StrongBox, Android’s usual standard for a tamper-resistant hardware security module, and being certified for “Android Ready SE.” StrongBox modules include their own CPU, secure storage, and a true random number generator, and they communicate with the rest of the system over the Keymaster HAL. StrongBox has been supported on Qualcomm chips through the Qualcomm “Secure Processing Unit” (SPU) since 2018’s Snapdragon 845. Today it looks like even the low end of Qualcomm’s lineup, like the Snapdragon 460, contains a Secure Processing Unit.
Qualcomm’s SPU isn’t good enough?
Qualcomm is conspicuously absent from Google’s blog post and the list of supported chipsets, so is the whole point of this initiative to say that on-die secure elements are not good enough? Google’s Pixel team has certainly moved in that direction with the development of the Titan M Security Chip in the Pixel 3 and up, and Samsung is building its own secure element now, too, for flagship phones. (Samsung is also not mentioned in Google’s blog post.) The post says that “most modern phones now include discrete tamper-resistant hardware called a Secure Element (SE)” and that “this SE offers the best path for introducing these new consumer use cases in Android.” This might lead one to believe the blog post is pushing for off-die secure elements, but it’s not clear how Google can use the word “most” if it’s not counting Qualcomm’s SPU. We’ve asked for clarification and will update this report if the company gets back to us.
Google is not the only company trying to lighten your daily loadout. Apple is working on digital IDs and car keys for iPhones, and Samsung is partnering with individual car manufacturers to try to beat Google to the punch on Android. There have also been plenty of one-off car key apps from companies like BMW and Tesla.
For now, Google says it’s prioritizing Mobile driver’s licenses and car keys. The company says it’s working with the ecosystem to deliver the SE applets for these two use cases “in conjunction with corresponding Android feature releases.” The Android feature release for mobile driver’s licenses is the Identity Credential API that launched with Android 11. The holdup here is mostly that your local government agency needs to both pass a law authorizing digital IDs and then make a digital ID app. As far as we can tell, there is not an Android feature release for digital car keys yet, even in Android 12. When that gets announced, it will hopefully support the Car Connectivity Consortium’s Digital Key standard, which would put Android and iOS on the same car key standard.
We’ll be on the lookout.