Year by year, iteration by iteration, our smartphones become more capable, more complex and more
essential for the commonplace ease of smart-world living. We trust it with our money in the smart
wallet, our identities in smart travel cards, our cars and homes with smart keys, our medical
records with health cards and the list continues to grow. The ongoing digitization of our lives
makes our smartphone a key ally in our busy lives, which makes it even more important that we can
trust it with our digital selves.
From TEE Implementation to Secure Elements
Today we see increasingly secure ways used by mobile OEMs to ensure protection of sensitive data.
A trusted execution environment (TEE) is a relatively secure area of a main processor that runs
its own OS. It is common that the biometric sensors of the phone (e.g., the fingerprint scanner)
are directly connected to the TEE, meaning that the end user’s biometric data lives only within
the TEE and never in the Android OS.
A secure element (SE) goes one step further: it is a separate microchip, with its own CPU,
storage, RAM, etc. which is designed specifically for security-relevant use cases. SEs are
resistant to a wider variety of attacks, both logical and physical, such as side-channel attacks.
HW security along with factory provisioning of trusted keys and certificates will help establish a
strong root of trust (RoT) and enable strong device attestation. Only secure elements
(silicon-based) have Common Criteria certification, no other software or basic hardware solution
has achieved this security level. Consequently, implementing a Secure Element into a mobile phone
has become a common practice.
Digital Car Keys of the Future Already Mandate Use of SE
Car Connectivity Consortium (CCC)
mandates in its Digital Key Release 2.0 specification the need for mobile devices to create
and store the Digital Keys in Secure Elements (HW Security) that provide the highest level of
protection against hardware or software-based attacks. The architecture based on emulating the key
in the SE is designed to allow vehicle owners to access their vehicles without Internet
connectivity or when in low battery mode, while also giving vehicle manufacturers the ability to
add specialized features that require Internet connectivity.
Google Fosters a World Where Android Devices Benefit From Secure Services
While many flagship phones already have SE integrated, for a long time there was no standardized
framework offering a consistent, secure user experience across devices. Therefore, Google established the
Android Ready SE Alliance, a group of SE vendors partnering with Google to create a set of open-source, validated
and ready-to-use SE Applets based on the general availability (GA) version of StrongBox, Google’s
hardware-backed Keystore for the SE. NXP is a proud member of the Alliance, working with Google to
enable Android phones, tablets and wearables to support digital car keys, GPay for E-money,
identity credentials and more.
Together with Google, NXP has created a tamper-resistant hardware security module that OEMs can
design in as an “Android Ready SE” to secure critical assets and protect user’s privacy on an
Android device. Next to secure storage of digital keys, identities and driver’s license (including
the CCC’s Digital Key Release 2.0), an
Android Ready SE will enable continued support and updates to be provided securely as the Android ecosystem
Implementing NXP’s silicon-based security solutions into Android StrongBox creates a highly
protected, self-contained environment for staging and executing various types of services and
Charles Dachs, GM and VP of Secure Embedded Transactions
Creating an Out-of-the-Box Experience
OEMs that adopt Android Ready SE for their devices will be able to add StrongBox and its benefits
to upcoming iterations of their devices. Only those devices with StrongBox will be able to offer
certain security-sensitive features such as digital car Keys or e-money solutions that use NXP’s
Additionally, HW security is not limited to contactless transactions but are extremely useful
to secure applications and protect data at large. Google, Android OEMs, SE solution providers,
along with the service providers, are working in tandem to bring new identity services to their
upcoming generation of handsets.
To learn more about mWallet 2GO, please visit