Android apps are able to store digital credentials securely on Samsung Android devices using a hardware-backed keystore. Some use cases require external storage, such as a smartcard or micro SD card to store credentials. Unfortunately, each type of credential storage comes with its own proprietary APIs. Using these APIs as a direct interface complicates app development, debugging, and maintenance because the app must be customized for each vendor’s interface. This means that when a deployed app needs to access a new type of storage, or even the same type of storage but from a different vendor, the app needs a patch to call the new APIs.
The Universal Credential Management (UCM) framework reduces this complexity by enabling apps to access all credential storage devices through the same set of interfaces, regardless of the underlying storage type. The following sections explain the UCM framework, how apps use the UCM APIs to access credentials, and how storage providers can integrate their solutions with the UCM framework.
Samsung’s Knox SDK provides a future-proof plug-and-play framework to ease the management of credentials across a variety of different possible storage media. The SDK uses a common set of APIs to manage credentials on many possible current and future storage options, hiding the implementation details of individual storage providers so that mobile app developers can write code once and not worry about continual app updates. In the simplest sense, the UCM framework provides the following piece to the puzzle of apps, interfaces, and storage types:
In a more complete sense, the Knox UCM framework presents a single interface to the independent parties who are sharing the mobile device environment and resources as shown below:
The UCM framework provides APIs for accessing the Smartcard facility, and supports calls through the Java Cryptography Extension (JCE) API to access each Smartcard. Ultimately, the streamlined interface of UCM helps independent parties accomplish their tasks while bypassing the complexity of custom APIs.
An app accesses UCM features through the UCM plugin, which it uses via standard JCE APIs. The app obtains instances of the JCE classes (KeyStore, SecureRandom, KeyPairGenerator, and Cipher) to perform cryptographic operations backed by a Smartcard. The UCM framework routes each JCE call to the correct UCM provider and to the credential storage behind that plugin. The UCM framework is also integrated into the Android KeyChain, so the app can view and choose the certificate stored on the Smartcard.
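As an added example (not code from the Knox SDK or from this page), this is the JCE pattern the paragraph describes: the app names the provider, opens its KeyStore, and runs a Cipher operation with a private key that stays on the storage. The provider and KeyStore type names are placeholders, because the page does not give them; the alias is assumed to come from the KeyChain chooser, and `load(null)` assumes the plugin's KeyStore takes no input stream, as hardware-backed keystores typically do.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.crypto.Cipher;

/** Decrypts with a key that stays on the credential storage behind a JCE provider. */
public final class UcmCipherExample {

    // ASSUMPTION: placeholder names. The real provider and KeyStore type names come
    // from the UCM plugin's documentation; this page does not state them.
    static final String PROVIDER_NAME = "PLACEHOLDER_UCM_PROVIDER";
    static final String KEYSTORE_TYPE = "PLACEHOLDER_UCM_KEYSTORE_TYPE";
    static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    /** Resolve the provider by name; never take whichever provider is first in the list. */
    static Provider requireProvider() {
        Provider p = Security.getProvider(PROVIDER_NAME);
        if (p == null) {
            throw new IllegalStateException("UCM provider not installed: " + PROVIDER_NAME);
        }
        return p;
    }

    /** Open the storage-backed KeyStore. Credentials live on the card, not in a file. */
    static KeyStore openStore() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE, requireProvider());
        ks.load(null); // assumed: no stream needed, as with hardware-backed keystores
        return ks;
    }

    /** Encrypt with the alias's certificate, then decrypt through the provider. */
    static byte[] roundTrip(String alias, byte[] plaintext) throws Exception {
        KeyStore ks = openStore();
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // With a hardware-backed provider this is an opaque handle, not key bytes.
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);
        if (cert == null || priv == null) {
            throw new IllegalArgumentException("no credential for alias " + alias);
        }
        Cipher enc = Cipher.getInstance(TRANSFORMATION); // public-key side: any provider
        enc.init(Cipher.ENCRYPT_MODE, cert.getPublicKey());
        byte[] ciphertext = enc.doFinal(plaintext);
        // Private-key side is pinned to the UCM provider so the call is routed to the card.
        Cipher dec = Cipher.getInstance(TRANSFORMATION, requireProvider());
        dec.init(Cipher.DECRYPT_MODE, priv);
        return dec.doFinal(ciphertext);
    }
}
```

Swapping storage vendors changes only the two placeholder names, which is the decoupling the framework promises.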
Android keyguard authenticates users based on their pattern, PIN, or password. The UCM framework is integrated into Keyguard, so users can use a smartcard as an authentication option. UCM keyguard is based on PIN authentication: if PIN authentication succeeds, the UCM framework retrieves the password generated inside the smartcard and uses it as the device password.
With Knox 3.3, Knox UCM Keyguard policy enhancements now include:
Note that upon removing the UCM Keyguard policy from a profile, users will be able to access disabled options and will be able to change the lock type from their device.
When ODE is enabled, the entire data partition is encrypted using the DEK (Device Encryption Key), which is generated on the device. Using UCM ODE, devices can be encrypted with a Smartcard-generated DEK as well.