Android Protected Confirmation uses a hardware-protected user interface, called Trusted UI, to provide high assurance for critical transactions. Android Protected Confirmation is available on supported devices running Android 9 (API level 28) or higher.
When an app invokes Protected Confirmation, Trusted UI prompts the user for confirmation. Trusted UI asserts the user's approval of the prompted message with a high degree of confidence even if Android or its Linux kernel has been compromised. Together with Keymaster, this assertion is then conveyed to a remote party.
Developers can view the Android Protected Confirmation developer documentation at developer.android.com.
Scope
The implementation of Android Protected Confirmation can be split into two parts, both residing in the trusted execution environment (TEE). One part is an extension to Keymaster that allows the generation of keys with the usage requirement Tag::TRUSTED_CONFIRMATION_REQUIRED. The second part is an app called ConfirmationUI, which generates confirmation tokens. These tokens are cryptographic statements that convey to Keymaster that the user has confirmed a given message. This document describes the implementation of ConfirmationUI and the confirmation statements it makes to Keymaster.
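The app-side view of these two parts, as an added example that is not part of this document or of the ConfirmationUI/Keymaster code: a key whose use requires a confirmation token is generated with setUserConfirmationRequired(true), the prompt is shown through Trusted UI, and the app signs the exact bytes the user confirmed. The key alias, prompt text and the caller-supplied extraData nonce are assumptions for illustration.

```java
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.concurrent.Executor;
import java.util.function.Consumer;

public final class ProtectedConfirmationExample {
    // Hypothetical alias for the example key.
    private static final String ALIAS = "example_confirm_key";

    // Generate an EC signing key whose use Keymaster will only allow when a
    // confirmation token from ConfirmationUI covers the data being signed
    // (Tag::TRUSTED_CONFIRMATION_REQUIRED on the TEE side).
    public static void generateKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true)
                .build());
        kpg.generateKeyPair();
    }

    // Show promptText through Trusted UI. extraData is a per-transaction nonce
    // from the relying party, so the resulting signature cannot be replayed.
    public static void confirmAndSign(Context ctx, Executor executor, String promptText,
                                      byte[] extraData, Consumer<byte[]> onSignature) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            throw new IllegalStateException("Protected Confirmation not supported on this device");
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText(promptText).setExtraData(extraData).build();
        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    // Sign exactly the confirmed message; Keymaster rejects the
                    // operation if no confirmation token matches these bytes.
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign((PrivateKey) ks.getKey(ALIAS, null));
                    sig.update(dataThatWasConfirmed);
                    onSignature.accept(sig.sign());
                } catch (Exception e) { onError(e); }
            }
            @Override public void onError(Throwable e) { /* report failure to the relying party */ }
        });
    }
}
```

The relying party must receive both dataThatWasConfirmed and the signature, verify the signature with the key's attested public key, and check that the confirmed message carries its own nonce and the expected prompt text.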