Skip to main content
banner image
venafi logo

Google Will Mandate Key Attestation in Android 13

Google Will Mandate Key Attestation in Android 13

April 1, 2022 | Brooke Crothers

Google is upgrading how Android key attestation works starting in Android 12.0.  This will provide an option to replace in-factory private key provisioning with a combination of in-factory public key extraction and over-the-air certificate provisioning with short-lived certificates, according to Google. This “Remote Key Provisioning” scheme will be mandated in Android 13.0.

Are you facing a machine identity crisis? Venafi can help you out.

Attestation has been mandated since Android 8.0 and has become more central to trust for a variety of features and services such as SafetyNet, Identity Credential, Digital Car Key, and a variety of third party libraries, according to Google.

“In light of this, it is time we revisited our attestation infrastructure to tighten up the security of our trust chain and increase the recoverability of device trust in the event of known vulnerabilities,” Google said in the March 25 Android Developers Blog.

Why the change?

To date, there has been a software key stored on every Android phone, provided by the device manufacturer when the phone is made, signed by a root key that's provided by Google.

But device manufacturers will no longer be provisioning attestation private keys directly to devices in the factory, removing the burden of having to manage these secrets in the factory, Google said.  This will now be done by Remote Key Provisioning.

And there’s a reason for this.

In the current attestation scheme, if an Android device is compromised in a way that affects the trust signal of an attestation, or if a key is leaked, the key must be revoked, according to Google.

“Due to the increasing number of services that rely on the attestation key signal, this can have a large impact on the consumer whose device is affected,” Google said.

The change will allow Google to stop provisioning to devices that are on known-compromised software and remove the potential for unintentional key leakage. “This will go a long way in reducing the potential for service disruption,” according to Google.

The two primary motivating factors for changing the way we provision attestation certificates to devices are to allow devices to be recovered post-compromise and to tighten up the attestation supply chain.

--Upgrading Android Attestation: Remote Provisioning, Google Developers Blog, March 25, 2022

Remote Provisioning

This is how Google describes it.

A unique, static keypair is generated by each device, and the public portion of this keypair is extracted by the OEM in their factory. These public keys are then uploaded to Google servers, where they serve as the basis of trust for provisioning later. The private key never leaves the secure environment in which it is generated.

Google continues.

“When a device is unboxed and connected to the internet, it will generate a certificate signing request for keys it has generated, signing it with the private key that corresponds to the public key collected in the factory. Backend servers will verify the authenticity of the request and then sign the public keys, returning the certificate chains. Keystore will then store these certificate chains, assigning them to apps whenever an attestation is requested,” according to Google.

“This flow will happen regularly upon expiration of the certificates or exhaustion of the current key supply. The scheme is privacy preserving in that each application receives a different attestation key, and the keys themselves are rotated regularly. Additionally, Google backend servers are segmented such that the server which verifies the device’s public key does not see the attached attestation keys. This means it is not possible for Google to correlate attestation keys back to a particular device that requested them.”

Pratik Savla, Senior Security Engineer at Venafi, said this will, ostensibly, improve security.

"Short-lived certificates provide a relatively shorter window of opportunity for any malicious actor to abuse certificates and the corresponding infrastructure they support and secure," Savla said. 

"That has significant and direct implications on any incident containment and response. This could even affect the actions of opportunistic attackers who prefer to lay low for a sizable period of time. From that standpoint, this move certainly helps in improving security," Savla added.

Related Posts

Like this blog? We think you will love this.
image representing big data
Featured Blog

Le chiffrement homomorphe : Définition et utilisation

Qu'est-ce que le chiffrement homomorphe ? Le

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Brooke Crothers
Brooke Crothers
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more