Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
Protected Confirmation
Stay organized with collections
Save and categorize content based on your preferences.
This page describes the implementation of ConfirmationUI and the confirmation statements to KeyMint.
Android Protected Confirmation leverages a hardware-protected user interface called Trusted UI to facilitate high assurance to critical transactions. Android Protected Confirmation is available to supported devices running Android 9 (API level 28) or higher.
When an app invokes Protected Confirmation, Trusted UI queries the user for confirmation. The Trusted UI asserts the user’s approval of the prompted message with a high degree of confidence even if Android or its kernel (Linux) have been compromised. Together with KeyMint (previously Keymaster), this assertion is then conveyed to a remote party.
Developers can view the Android Protected Confirmation developer documentation at developer.android.com.
Scope
The implementation of Android Protected Confirmation can be split into two
parts, both residing in the Trusted Execution Environment (TEE). One part is an
extension to KeyMint. It allows
the generation of keys with the usage requirement Tag::TRUSTED_CONFIRMATION_REQUIRED.
The second part is an app called ConfirmationUI, which
generates confirmation tokens. These tokens are cryptographic statements and
convey to KeyMint when the user confirms a given message.