You might want to look at the "SafetyNet Attestation API" for signals on compromised devices:
https://developer.android.com/training/safetynet/attestation obviously nothing is perfect once the platform is compromised. -bri On Tue, Oct 2, 2018 at 5:38 PM Ashish Bhatia <ashishbhatia...@gmail.com> wrote: > > > Ashish > Consider this scenario > > 1. Android platform on the phone is trustworthy > 2. Secure Element is available to store the key in the hardware > 3. App A puts the key in the hardware with the fingerprint > authentication requirement > > <https://developer.android.com/training/articles/keystore#UserAuthentication> > 4. Android platform gets compromised > 5. An attacker cannot extract the key from the Secure Element > > In this case, can an attacker make the key in Secure Element sign anything > without user interaction? Or, in other words, where is the fingerprint > authentication constraint being verified? Does that happen in the > compromised Android platform image? > > Regards, > Ashish > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to android-security-discuss+unsubscr...@googlegroups.com. > Visit this group at > https://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. Visit this group at https://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
