In newer versions of Android (I guess since 4.2) there is an option called "hardware-backed" and "software only". As Google supposes:

Android also now supports hardware-backed storage for your KeyChain credentials, providing more security by making the keys unavailable for extraction. That is, once keys are in a hardware-backed key store (Secure Element, TPM, or TrustZone), they can be used for cryptographic operations but the private key material cannot be exported. Even the OS kernel cannot access this key material. While not all Android-powered devices support storage on hardware, you can check at runtime if hardware-backed storage is available

emphasis is mine

What I can't understand is: the Galaxy Nexus as well as the Nexus 7 have an NFC chip with Secure Element, but its storage type is "software only". The Nexus 4 has an NFC Secure Element and is "hardware-backed", while the Nexus 7 (2013) and the Nexus 5 don't have an NFC Secure Element but are still "hardware-backed". I can check this manually inside the Settings app, but is there a way to check this inside my app?

As CommonsWare mentioned, I should provide links: First info that Secure Element is related to the storage-type is mentioned here: another useful source of info was Nelenkov's blog

Rafael T
  • @CommonsWare You are right, that it is not exactly related. It just needs a "hardware root of trust" (which can be an NFC secure Element) which the Galaxy Nexus clearly has, but is only supporting Software Only credentials. Have a look at my edit – Rafael T Nov 07 '13 at 17:07
  • So, you wish to know if the storage-type is hardware backed or not? – Vikram Nov 27 '13 at 02:51
  • exactly, this is what I want to find out inside my app. – Rafael T Nov 27 '13 at 09:00
  • I was going to suggest that you use reflection since KeyStore service is not part of the SDK >>> Obtain an `IKeystoreService` from `ServiceManager` and call the `is_hardware_backed()` method. But, as Nikolay answered below, `KeyChain#isBoundKeyAlgorithm(String)` follows the same route, calling `IKeystoreService#is_hardware_backed()` eventually. – Vikram Nov 27 '13 at 16:46

1 Answer

Did you actually read the blog? :) Currently 'hardware-backed' means TrustZone (TEE)-backed for all released devices. Using the embedded secure element for this is rather tricky for political reasons, and no current Android devices have a TPM. This leaves TrustZone-based TEE implementations. BTW, Galaxy Nexus also has one, but the driver is disabled in release builds. It has been there since 4.1.

To check from an app use KeyChain.isBoundKeyAlgorithm(String algorithm).

Nikolay Elenkov
  • Wow, Mr. Elenkov himself is answering ;). I read your blog (along all the posts about SecureElements and how to use them). This probably confused me a bit. Thanks for giving the proper answer. – Rafael T Nov 27 '13 at 10:04
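The runtime check the answer points at, written out as an added example (not code from the question, the answer, or Android itself). It calls `KeyChain.isBoundKeyAlgorithm(String)` for each key algorithm the method accepts and reports whether keys of that type are bound to the device's hardware-backed store. The `HardwareBackedCheck` class name, the `probe()` and `describe()` helper names, and the log tag are assumptions made for this example; the method itself exists in the SDK from API level 18 (Android 4.3), so the example guards on that version rather than on the 4.2 mentioned in the question.

```java
import android.os.Build;
import android.security.KeyChain;
import android.util.Log;

import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: ask the platform, from inside the app, whether credential
 * storage is hardware-backed (TEE/TrustZone on the devices the answer lists)
 * or software-only. Class and method names are chosen for this example.
 */
public final class HardwareBackedCheck {

    private static final String TAG = "HardwareBackedCheck"; // assumed log tag

    // Algorithm names accepted by KeyChain.isBoundKeyAlgorithm(String).
    private static final String[] ALGORITHMS = {"RSA", "EC"};

    private HardwareBackedCheck() {
    }

    /**
     * Returns, per key algorithm, whether a private key of that algorithm is
     * bound to the device once imported or generated. A null value means the
     * platform is too old (below API 18) to answer the question at all.
     */
    public static Map<String, Boolean> probe() {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String algorithm : ALGORITHMS) {
            if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR2) {
                // isBoundKeyAlgorithm was added in API 18; older builds cannot tell us.
                result.put(algorithm, null);
                continue;
            }
            boolean bound;
            try {
                bound = KeyChain.isBoundKeyAlgorithm(algorithm);
            } catch (RuntimeException e) {
                // Defensive: if the keystore service cannot be queried, assume the
                // weaker case so the caller never over-trusts the device.
                Log.w(TAG, "Query failed for " + algorithm + ", assuming software only", e);
                bound = false;
            }
            result.put(algorithm, bound);
        }
        return result;
    }

    /** Formats the probe result the same way the Settings app labels it. */
    public static String describe(Map<String, Boolean> probe) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Boolean> entry : probe.entrySet()) {
            String label;
            if (entry.getValue() == null) {
                label = "unknown (API < 18)";
            } else if (entry.getValue()) {
                label = "hardware-backed";
            } else {
                label = "software only";
            }
            sb.append(entry.getKey()).append(": ").append(label).append('\n');
        }
        return sb.toString();
    }

    /** Typical call site, e.g. from an Activity's onCreate(). */
    public static void logStorageType() {
        Log.i(TAG, describe(probe()));
    }
}
```

Treat a `false` result as a policy input rather than an error: on such a device the key can still be used, but it is not protected from extraction by a compromised OS, so an app that relies on device binding should either refuse to generate long-lived credentials there or fall back to a server-side control.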