Code discovered at the developer level at Google suggests that Android may some day employ its own standard security features for digital drivers licenses. This is not the first time we’ve heard of digital drivers licenses – places like Wyoming, Maryland, and Louisiana have their own digital drivers license programs already either live or in the works. Google is attempting to get ahead of the pack with deeply embedded security for digital drivers licenses (and similar products) for the future.
Give me this first batch of news in a nutshell
Google developers have begun developing Android code that’ll allow drivers licenses to be stored on and used with your phone. Your phone will be able to show and use this ID with the help of a fingerprint scanner, retina scanner, or password. Security will be provided at a system level.
Because several states have begun work on digitizing state IDs and drivers licenses, now’s a good time for Google to step forward with deep security for smartphones. It’s extremely likely that Apple’s working on something very similar as we speak. We know Google’s working on this because of the Open Source nature of Android – all development is posted online, all the time.
Above you’ll see some interesting early work done by the AAMVA on Mobile DL (mobile drivers license, mDL) software. This is, in a very basic way, the same sort of thing Google Developers are working on for Android. Instead of an app, though, they’re working on allowing the secure elements in this process to go system-deep. Some of the imagery in this article comes directly from the AAMVA’s latest Whitepaper on mDL.
The first Google/Android appearance
If you take a peek at what XDA Developers located, you’ll find the code in the AOSP (Android Open Source Project) listing for the IdentityCredential API in Android. This code was submitted by developer Shawn Willden, and reviewers (thus far) include David Zeuthen and Michael Hoelzl.
Keywords like Automotive_EVS, Secure_Element, and Credstore pretty neatly wrap up what this whole code store is all about. IdentityCredentialStore (we’ll call it IDS) is the name of the game. According to the documents we’ve reviewed this afternoon, IdentityCredentialStore “stores credentials that identify a person.” Pretty simple, yes?
How Android keeps your ID secure
This IDS system works with secure hardware running Android. In this case, that could mean a smartphone with a fingerprint scanner. Credentials – your ID – are cryptographically verified in two ways. One way is with static digital signatures “provided by the issuing authority”. The other is with dynamically-generated digital signatures provided by the security hardware.
The issuing authority’s server needs to be able to do the following things in order to create and provision a digital identity credential – a driver’s license on your smartphone. The complexity of this code is necessary so that the authority’s server can:
• Ensure it trusts the secure hardware before provisioning
• Validate correct data is provisioned
• Prepare necessary keys and certificates to prove the validity of the data to readers
Once the licensed identity is in your phone and secure, it’s only a matter of another device checking for authenticity. Before now, the most common way to check an ID was an ocular inspection. The bouncer (or whoever) would look at you, look at your ID, and say nope, you are not Dr. Judy Billingham. Now, the check will be both the visual and the digital – a real computer-based scan.
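The two checks described above, as an added example that is not code from AOSP or the IdentityCredential API: the issuer's static signature binds the ID data to one device key, and the device's dynamic signature over a fresh reader nonce shows that key is present. Ed25519, the message layout and the names Credential, NewKey, Provision, Present and Verify are assumptions; the article names no algorithm or format.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

type Credential struct {
	Data      []byte            // identity fields (constructed sample values)
	DeviceKey ed25519.PublicKey // public half of the key kept in secure hardware
	IssuerSig []byte            // static signature from the issuing authority
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signed is the issuer-signed message: data, then the fixed-size device key.
func signed(data []byte, dev ed25519.PublicKey) []byte { return append(append([]byte{}, data...), dev...) }

// Provision is the issuer's step: bind the data to one device key.
func Provision(issuer ed25519.PrivateKey, data []byte, dev ed25519.PublicKey) Credential {
	return Credential{data, dev, ed25519.Sign(issuer, signed(data, dev))}
}

// Present is the device's step: sign the reader's fresh nonce (dynamic signature).
func Present(device ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(device, nonce) }

// Verify is the reader's step: issuer signature first, then device signature.
func Verify(issuerPub ed25519.PublicKey, c Credential, nonce, devSig []byte) error {
	if len(c.DeviceKey) != ed25519.PublicKeySize || !ed25519.Verify(issuerPub, signed(c.Data, c.DeviceKey), c.IssuerSig) {
		return errors.New("static issuer signature invalid")
	}
	if !ed25519.Verify(c.DeviceKey, nonce, devSig) {
		return errors.New("dynamic device signature invalid")
	}
	return nil
}

func main() {
	iPub, iPriv := NewKey()
	dPub, dPriv := NewKey()
	c, n := Provision(iPriv, []byte("name=Constructed Sample"), dPub), []byte("nonce-1")
	fmt.Println(Verify(iPub, c, n, Present(dPriv, n)), Verify(iPub, c, []byte("nonce-2"), Present(dPriv, n)))
}
```

The second call fails because a signature made for one nonce is checked against another, which is what stops a captured presentation from being replayed to a reader.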
But what if my phone is low on power?
No worries. Some phones will be able to use a “direct access” feature that uses minimum resources, and NFC, to transmit and verify your ID. Some devices will not be able to use this feature. In fact, the cheaper the phone, the more likely it is to be able to use direct access for low power ID scanning. This is because all of its security code and business is in one place – on one processor.
NOTE: I put this “low power” part here because the most common question we’ve had so far was about low batteries. What happens when I run out of battery, do I get pulled over and go to jail? Well… maybe? More likely you’ll have a spare card in your pocket – or you’ll be more vigilant about keeping your phone powered up.
Different security levels
The cheapest phone you’ll be able to get that’s still got digital ID capabilities will probably use a Software Only solution. There’s also a Hardware-based Trusted Execution Environment, an Embedded Secure CPU solution, and a Hardware Discrete Secure CPU solution. Those are listed from least to most secure, and likely from least to most expensive.
The Hardware Discrete Secure CPU uses a processing environment physically separate from that of the smartphone’s primary processor. If the processing hardware for security is physically separate from the processing unit where the rest of the transaction takes place, the entire process is more secure than it would be otherwise.
Above you’ll see a video from Last Week Tonight with John Oliver. The report came at a time in which Apple was asked by the FBI to break into an iPhone. Oliver explained why that’s not a great idea. In this, you’ll learn about or be refreshed on how iPhone security works – and in turn how the most secure of the methods above is done.
When can I put my ID on my phone?
Likely a year away from now, or more. This isn’t the sort of thing that just appears online one day and is out in the wild, on Android, the next. Much like the folks at XDA said earlier today – I wouldn’t be surprised to find this secure ID business in Android R, previewed later this year in a very, very early iteration at Google I/O 2019.