Google is really pushing security with its new Pixel devices. At the Pixel 3 launch, the company made security its central focus.
The most significant part of that is the Titan M security chip custom built for the Pixel 3. Google says it took the best features from its Titan chip used in its cloud data centres and tailored it for mobile.
Furthermore, the company released a blog post breaking down how Titan M protects users.
First up, Titan M improves the security of the bootloader. The bootloader refers to the software that validates and loads Android when you turn on your phone.
Titan M checks to make sure the bootloader is running the right version of Android. It does this by storing the last known safe version of Android to prevent ‘bad actors’ from moving your device back to a previous, vulnerable version of Android. Titan M will also prevent bad actors from attempting to unlock the bootloader.
Google says that Titan M also brings lock screen protection and disk encryption on-device. It verifies your lock screen passcode and limits login attempts so that attackers can’t brute force access. Additionally, Titan M will decrypt the phone only after it has successfully verified your password.
Through its independent computation, Titan M makes it harder for attackers to tamper with the process and gain access to your decrypted data. Additionally, Google designed Titan M never to update its firmware without your passcode. This means malicious actors can’t try to flash fake firmware to Titan M to bypass its security.
Finally, Titan M provides security options to third-party apps as well. Thanks to new Android 9 APIs, apps can now take advantage of hardware security modules to generate and store their private security keys.
Additionally, apps can use another API called Protected Confirmation to perform security-critical operations using Titan M. Google suggests applications like e-voting and P2P money transfers could utilize this API.
Overall, it’s a significant investment in security for Google. While the company has pushed its software security efforts in the past, this is the first considerable dive into hardware security — at least on mobile.
Additionally, Google says that it will make its open-source Titan firmware available for the security community to audit in the coming months.