Protected Confirmation

Android Protected Confirmation uses a hardware-protected user interface called Trusted UI to provide high assurance for critical transactions. Android Protected Confirmation is available on supported devices running Android 9 (API level 28) or higher.

When an app invokes Protected Confirmation, Trusted UI queries the user for confirmation. The Trusted UI asserts the user's approval of the prompted message with a high degree of confidence even if Android or its kernel (Linux) has been compromised. Together with Keymaster, this assertion is then conveyed to a remote party.

Developers can view the Android Protected Confirmation developer documentation at developer.android.com.

Scope

The implementation of Android Protected Confirmation can be split into two parts, both residing in the trusted execution environment (TEE). One part is an extension to Keymaster that allows the generation of keys with the usage requirement Tag::TRUSTED_CONFIRMATION_REQUIRED. The second part is an app called ConfirmationUI, which generates confirmation tokens. These tokens are cryptographic statements that convey to Keymaster that the user has confirmed a given message. This document describes the implementation of ConfirmationUI and the confirmation statements it makes to Keymaster.
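As an added app-side illustration (not code from this page or from AOSP), the two parts described above as an app sees them: a key generated with the confirmation requirement, and a ConfirmationUI prompt whose confirmed bytes are then signed so that Keymaster can check them against the confirmation token. The key alias, prompt text and server nonce are assumed placeholders.

```java
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.*;
import java.util.concurrent.Executor;

public final class ProtectedConfirmationExample {
    private static final String ALIAS = "txn_confirmation_key"; // hypothetical alias
    interface SignatureSink { void accept(byte[] confirmed, byte[] sig); void fail(Exception e); }

    // Part 1: generate a Keymaster key whose use requires a confirmation token,
    // i.e. a key carrying Tag::TRUSTED_CONFIRMATION_REQUIRED in the TEE.
    static void generateKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true)
                .build());
        kpg.generateKeyPair();
    }

    // Part 2: have ConfirmationUI show the message and, on approval, sign exactly the
    // bytes it reports as confirmed. Keymaster accepts the signature only because the
    // ConfirmationUI token vouches for those bytes; signing anything else fails.
    static void confirmAndSign(Context ctx, Executor executor, byte[] serverNonce,
                               SignatureSink sink) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            throw new UnsupportedOperationException("Protected Confirmation unavailable");
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText("Transfer 100 EUR to account 1234?") // constructed sample text
                .setExtraData(serverNonce) // binds the approval to the remote party's session
                .build();
        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign((PrivateKey) ks.getKey(ALIAS, null));
                    sig.update(dataThatWasConfirmed); // must equal the token's message
                    sink.accept(dataThatWasConfirmed, sig.sign());
                } catch (Exception e) { sink.fail(e); }
            }
            @Override public void onDismissed() { sink.fail(new Exception("user declined")); }
        });
    }
}
```

The remote party should verify the signature over the exact confirmed bytes and check that the embedded extra data matches the nonce it issued, so a replayed or altered approval is rejected.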