Android's Trust API: a short history, and why it's a game changer

Passwords and pin numbers are so annoying that most people don’t use them on their mobile devices. Passwords for online accounts are often weak, forgotten, and/or reused. It’s an environment where users want and expect security, but the cost is too high. Google is trying to change that picture within their Android ecosystem.

Android often gets a bad rap in the security community, primarily because the platform relies on vendors to push out updates, leaving many many people with insecure phones. Malware and junk apps are more prevalent on Android vs. other smartphones, in part due to the lack of rigorous checks when apps are submitted to Google Play. But at Google I/O this year and last, Android has proved they’re taking some massive steps forward in the authentication space, and it’s pretty exciting.

70% of users forget their password once a month, and on average try 2.4 passwords before they get the right login
Regina Dugan – Google SVP

In this post, we’re going to take a quick look at what Google has been doing in this space, and, in particular, their new Trust API which enables continuous authentication. Continuous authentication means that the application, device, or website, is always looking at the level of trust it has in you. Are you still the legitimate user, or is your phone being used by a thief? It can then continuously adapt to the risk you present.

Caveat: I haven’t owned an Android device for a few years now, so haven’t been able to play with these new features. But they’re cool enough that I want to write about them anyway!.

Smart Lock

Smart Lock is Google’s most widely known initiative in removing the need for passwords. Many smartphones today have enough sensors to enable a phone to just know who is using it, but lack the software and brains to figure it out. That’s where Smart Lock comes in. If the phone thinks it’s you, it’ll automatically unlock. Otherwise, it will prompt for a fingerprint, password, or pin to unlock your device. It has reduced on-screen prompts by 50% for devices which have turned it on, and have the right hardware. SmartLock consists of five different detection strategies:

  • On-body detection – uses an accelerometer to detect when you’re holding it in your hand, to stay unlocked. If a thief does a snatch and grab, the sudden acceleration will lock the phone. It also learns how you walk (gait analysis), so that it can detect if someone else is walking around with your phone. The downside is if you gently hand your unlocked device to someone, and they’re not moving around, it’ll probably stay unlocked.
  • Trusted places – allows you to manually configure a whitelist of locations in which your phone will automatically unlock. It requires battery-intensive location checking, through a combination of GPS and WiFi network detection
  • Trusted devices – lets you choose some devices which, when nearby, are a sign of trust. Bluetooth watches, fitness trackers, or car speaker systems are recommended candidates.
  • Trusted face – uses facial recognition to unlock your device
  • Trusted voice – uses voice recognition to unlock your device

The only one that sounds like an OK idea to me is the “trusted place” in-car unlock, otherwise, the locations are too broad and easy for an attacker to get into. I’d also love to have phone-snatch detection which locks the phone, without having the flipside of an automatically unlocking phone when it thinks it’s held in my hand.

Any of these by themselves aren’t going to provide great security, and Google knows that too. So they kept working on the problem.

Android's Trust API: a short history, and why it's a game changer

Project Abacus

Project Abacus was unveiled at Google I/O 2015, which took the ideas and sensors above, and combined them to create high-entropy source of authentication. Authentication by not what you remember, but by how you behave. It would provide a score which indicates how likely it is that the person using the device is the legitimate user, based on their behavior. The risk score could be applied to adaptively decide what apps you’re allowed to access. Low risk, you can use all the apps. High risk, you can only use Chrome. It’s adaptive and behavioral authentication.

Google gathered some boffins from 16 universities, and handed them a dataset of 2.8 million sessions across 1500 users. Their proof of concept resulted in a method of authentication that was 10 times more accurate than a fingerprint alone.

An authentication method that accepts you, and rejects impostors, right on your device

Android's Trust API: a short history, and why it's a game changer

Trust API

At I/O 2016, we got an update on Project Abacus from Dan Kaufman, now head of Advanced Technology and Projects at Google. After a further year of work it has been rebranded as the “Trust API”, and as of June has been in private beta with “several large financial institutions”. The aim is to have it available to Android developers worldwide by the end of the year.

We have a phone with all these sensors. Why can’t it just know who I am?
Deepak Chandra – Google

Android's Trust API: a short history, and why it's a game changer

Once it’s been released developers will be able to use it in their apps. A banking app could let users transfer small amounts of money when the trust score is medium, let them transfer a bit more if trust is high, or block them altogether if the trust is low. Maybe if the trust is way too low, the app locks down completely and you have to ring your bank!
A mail app could let you browse your emails, but as soon as you start acting odd (i.e. your nosey coworker just picked up your phone) it’ll prompt for a fingerprint. There are so many interesting possibilities out there!

Where to now?

Now we get to wait and see! Learning a user’s behavior to make authentication easier has been a really interesting area of research, and it’s exciting to see it now going mainstream. Google is leading the charge with device & sensor based behavioral authentication. Passwords aren’t good enough, so the more we can do for our users, the better. Adding a frictionless and unobtrusive, but highly accurate, security layer like behavioral analysis is a real game changer.

Cover image adapted from “Android Lineup” by Rob Bulmahn