
Q: Is there any mechanism available in Android platform for remote attestation?

This was originally posted as an answer to the question "Is there any mechanism available in Android platform for remote attestation?" on security.stackexchange.com.
3 upvotes
11k views
  1. There are Android phones with hardware-backed storage. This has been supported since Android 4.3, i.e. mid 2013 (SDK 18), via the KeyChain API. From the changelog:

Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available by calling KeyChain.IsBoundKeyAlgorithm().

  2. Google offers, via Play Services, the SafetyNet API, which can check whether a device has been compromised. Here is the description from their site:

The service provides an API your app can use to analyze the device where it is installed. The API uses software and hardware information on the device where your app is installed to create a profile of that device. The service then attempts to match it to a list of device models that have passed Android compatibility testing. This check can help you decide if the device is configured in a way that is consistent with the Android platform specifications and has the capabilities to run your app.

This is used in the Google Pay app, as far as I know.
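The two mechanisms the answer lists, as an added example that is not part of the original answer: an Android client that (a) generates a key in the hardware-backed keystore with a server-supplied challenge bound into its key attestation certificate chain and refuses to proceed if the key is only software-backed, and (b) requests a SafetyNet attestation with a server-supplied nonce. The alias, challenge and nonce values are assumptions; the code assumes API level 24 or later (for `setAttestationChallenge`) and the `play-services-safetynet` dependency. The legacy `KeyChain.isBoundKeyAlgorithm` check from the quoted changelog is included for older devices.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;

import com.google.android.gms.safetynet.SafetyNet;
import com.google.android.gms.safetynet.SafetyNetApi;
import com.google.android.gms.tasks.Task;

import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example, not code from the original answer. */
public final class DeviceAttestation {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    private DeviceAttestation() {}

    /**
     * Pre-API-23 capability check from the quoted changelog (deprecated since API 23).
     * Only says whether the algorithm *can* be hardware-bound on this device; it says
     * nothing about a specific key, so prefer the KeyInfo check below where available.
     */
    public static boolean legacyHardwareBackedCheck() {
        return KeyChain.isBoundKeyAlgorithm("RSA");
    }

    /**
     * Generates an EC P-256 signing key in the hardware-backed keystore and binds the
     * server-supplied challenge into the key attestation extension of the leaf certificate.
     * Returns the certificate chain; the server must verify it up to Google's attestation
     * root and check that the challenge in the leaf equals the one it issued.
     *
     * Throws if the key ended up software-backed (e.g. emulator, or a device without a
     * TEE/StrongBox keymaster), because such a chain would not be hardware-rooted.
     */
    public static X509Certificate[] generateAttestedKey(String alias, byte[] serverChallenge)
            throws Exception {
        KeyPairGenerator kpg =
                KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, ANDROID_KEYSTORE);
        kpg.initialize(new KeyGenParameterSpec.Builder(
                        alias, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setAttestationChallenge(serverChallenge) // API 24+: challenge goes into the attestation cert
                .build());
        KeyPair pair = kpg.generateKeyPair();

        // Ask the keystore where the private key actually lives.
        PrivateKey priv = pair.getPrivate();
        KeyFactory factory = KeyFactory.getInstance(priv.getAlgorithm(), ANDROID_KEYSTORE);
        KeyInfo info = factory.getKeySpec(priv, KeyInfo.class);
        if (!info.isInsideSecureHardware()) {
            throw new IllegalStateException(
                    "key '" + alias + "' is software-backed; attestation is not hardware-rooted");
        }

        // The chain: leaf (with the attestation extension), intermediate(s), Google root.
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain for alias '" + alias + "'");
        }
        X509Certificate[] x509 = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            x509[i] = (X509Certificate) chain[i];
        }
        return x509;
    }

    /**
     * Requests a SafetyNet attestation. The nonce must be generated per request by the
     * server (unpredictable, at least 16 bytes) and is echoed inside the signed JWS, so
     * the server can reject replays; the apiKey is the app's Google API key (assumed).
     * The resulting JWS (response.getJwsResult()) is sent to the server unmodified.
     */
    public static Task<SafetyNetApi.AttestationResponse> requestSafetyNetAttestation(
            Context ctx, byte[] serverNonce, String apiKey) {
        return SafetyNet.getClient(ctx).attest(serverNonce, apiKey);
    }
}
```

Neither result means anything until it is checked off-device. For the key attestation, the server validates the chain against Google's published attestation root, parses the attestation extension in the leaf and compares its challenge to the one it issued. For SafetyNet, the server verifies the JWS signature with the `x5c` chain in the header (leaf issued for `attest.android.com`), then checks `nonce`, `timestampMs` freshness, `apkPackageName`, `apkCertificateDigestSha256`, `ctsProfileMatch` and `basicIntegrity` from the payload; a client-side check of those fields is trivially bypassed on a rooted device, which is exactly the device the check is meant to detect.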