Digital credentials are the building blocks of mobile security, leveraging trusted authorities to vouch for identity and encryption to secure private channels across public infrastructures. Your mobile device credentials give you seamless access to secured Wi-Fi, VPN, email, and websites. Conversely, a website that handles sensitive personal information provides their credentials to your device to prove that you can trust them to keep your data private.
Credentials include the certificates that provide identity and the private keys that are used to decrypt sensitive data. You must store these in a safe place to prevent malicious parties from assuming your identity or hijacking your private data. On a mobile device, you can store credentials on:
- embedded eSE on an NFC chip or the ARM TrustZone on a SoC
- removable hardware like smart cards
Which storage options you choose can evolve with new apps, emerging security standards, and improved technologies. For example, a mobile device that will be used in a regulated industry might need to get personal credentials from a physical smart card. Later, it might need to switch from physical smart cards to virtual ones on an NFC chip. The problem here is fragmentation: Each storage provider has its own proprietary APIs so adding or switching to new storage hardware introduces new cycles of coding, testing, and app re-distribution.
Samsung’s Universal Credential Management (UCM) SDK provides a future-proof plug-and-play framework to ease the management of credentials across a variety of different possible storage media. The SDK uses a common set of APIs to manage credentials on many possible current and future storage options, hiding the implementation details of individual storage providers so that mobile app developers can write code once and not worry about continual app updates.
- SEAP Partner account: If you are not yet a partner, click the button below to enroll as a partner.
- Samsung Approval: If you are already a partner, click the button below to contact us about SDK access.
Use the UCM SDK as follows:
- ISV / MDM App — Both Independent Software Vendors as well as Mobile Device Management providers can use the credential manager to do the following:
- enable and configure credential storage hardware
- store credentials on the hardware
- whitelist or blacklist the apps that can use each type of credential storage hardware
- UCM Framework — The UCM framework enables storage requests to go to the specified hardware.
- Storage Provider App — Providers of storage hardware use the UCM SDK to create an app that plugs into the UCM framework, by handling requests to store credentials on their hardware. Currently, the UCM framework supports this hardware:
- Samsung eSE — This embedded Secure Element uses the ARM TrustZone to securely store credentials. It can be used to store personal credentials on the mobile device, so that the device can serve as a virtual smart card for NFC smart card readers. The plugin app for this hardware is pre-installed with devices running Knox v2.7. To manage credentials on this premium feature, an app must activate a Knox (KLM) license key.
- baiMobile Smart Card Reader — This external reader provides the mobile device with access to credential storage on a physical smart card. To manage credentials on this reader, a device needs the baiMobile plugin app for the UCM framework.
For app developers, this UCM SDK offers these features and benefits:
- Flexible storage options — Samsung supports the latest options available in credential storage.
- Strong security — Credentials are stored on the most reliable hardware from Samsung partners.
- Re-usable code — You don’t need to learn the proprietary APIs needed to manage credentials on vendor-specific storage hardware. You simply use the same set of APIs offered through this UCM framework, which abstracts away the underlying implementation detail.
- Easier updates — Storing credentials on another hardware type no longer involves re-coding, then testing and bug fixing on a wide range of devices. Code re-use saves time and money.
For storage providers, this UCM SDK offers these key features and benefits:
- New revenue channel — By providing a plugin for this UCM framework, you can take advantage of new customers using your hardware with Samsung devices sold by our resellers and solution partners.
- Uniform use model — You can offer customers a standardized way to access your hardware through the UCM framework.
Next steps ...
- Contact us to apply for access to this SDK.
- Browse the API Reference. This describes the API classes and syntax of methods in the UCM SDK.
- Read the Developer Guide. This provides detail about the UCM SDK and how to use its API methods.
- Read the FAQs. These provide answers to additional questions you might have.
- Get the UCM Plugin. If you are a developer using the UCM SDK to manage credentials on a:
- Samsung eSE — The plugin is already pre-installed on devices with Knox v2.7. You can check for it by looking at Settings > Applications > Application Manager > eSE UCS Plugin.
- baiMobile Smart Card Reader — You must download the APK from the Knox portal > Tools (after signing into the Knox portal) and install it on your test device.