Device Health Attestation: Ensuring Mobile App Security

Mobile apps can be compromised if unauthorized actors are able to run them on untrustworthy hardware or firmware. Such actors might include malicious users who deliberately access a device they are not authorized to use (for example, while the user is away), or bad actors who manipulate the device or its firmware in transit. These actors can easily gain full control over the device firmware, files, UI, and apps, allowing them to install apps, steal passwords, and hijack identities.

Enterprises with Bring Your Own Device (BYOD) programs are particularly at risk, as employees may use compromised Android devices in the workplace. The risks include the undetected exposure of confidential enterprise assets and wider, more insidious attacks on other enterprise resources and infrastructure.

Omerta Attestation provides a fail-safe way to detect if a device or its firmware is compromised before allowing device users to use it in the workplace.

Reliable detection of compromised devices

Malware can potentially intercept and forge the results of a device health check, making a compromised device seem secure. Omerta Attestation guards against this risk as follows:

The Omerta platform leverages its hardware-backed trusted environment to reliably detect and report compromised devices. Omerta Attestation ensures the integrity of devices during deployment, bootup, and operation using the following:

    • Root of Trust: Starts in our factories when devices are manufactured, with device-unique hardware keys providing a foundation of trust.
    • Trusted Boot: Detects unauthorized and out-of-date boot loaders before they compromise devices using bootloader measurements recorded in secure TrustZone memory.
    • Omerta Vault: Stores sensitive data such as the Omerta Attestation Key in tamper-proof storage that resists both hardware and software attacks.

Omerta incorporates a Device-Unique Hardware Key into the device hardware during the initial manufacturing process. This key binds the device health attestation data to a particular device and is accessible only by a hardware cryptography module, ensuring it is not directly exposed to any device software.

Omerta Attestation signs device health data to prove that it originated from the TrustZone Secure World on an Omerta device. Each device uses an Omerta Attestation Key. When the device is manufactured, a unique RSA private/public key pair is generated. The public key is also signed by a special Omerta Root Key to generate an X.509 certificate. Both the Omerta Attestation Key and its certificate are secured in the device's TrustZone.

Because a device may already be compromised when a health check is performed, the final test of device health is performed by an Omerta attestation server. To protect data in transit, Omerta Attestation uses TLS encryption.

To validate device health data, the Omerta attestation server verifies the Omerta Attestation Key certificate, Attestation Key certificate, and signatures to ensure the integrity of the attestation result.

To protect against man-in-the-middle replay attacks, which replay the attestation result collected on a healthy device or the same device before it was compromised, the server verifies the random nonce value generated for each requested health check.

Highly secure or firewalled operations that don't want to access the web-based Omerta Attestation server can install an Attestation Validator tool onto a local server to parse the Attestation Result and keep device verdicts within the firewall.

How Omerta Attestation works

Partners such as EMM vendors or ISVs use our Omerta APIs to deploy attestation checks. They can enable device checks manually by an admin using a web console or automatically by a regularly scheduled process.

The web server that initiates the check performs the following steps:

  • Requests a nonce from the Omerta Attestation server. A nonce is a random number used in cryptographic communication to time-bound and identify each attestation result.
  • Instructs the device to begin a check, passing the nonce as a check identifier.

The Keymaster Trusted Application (TA) in the Secure World gathers the following data:

  • The requesting app's package name, version code, and developer key.
  • Signed information about the device's current state and expected environment.
  • Hardware fuse readings indicating if untrusted firmware was ever loaded onto the device.

The TA compiles this information into an Attestation Result and signs it with a key that can be verified using the Omerta Root Certificate.

The device communicates with the Omerta Attestation Server using TLS encryption to protect data in transit.

The Omerta Attestation Server validates the Attestation Result's signature to ensure that it was generated on Omerta hardware and by Omerta's TA.

The Omerta Attestation Server analyzes the Attestation Result to determine if the returned nonce matches the one sent out and whether the data within it can be trusted.
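The nonce handling described above can be sketched as follows. This is an added example, not Omerta's code: the `NonceRegistry` class, the 300-second validity window, and the device IDs are assumptions, and the result's signature and certificate chain are assumed to have been verified before `consume` is called.

```python
import secrets
import time

NONCE_TTL_SECONDS = 300  # assumed validity window; the page states no value


class NonceRegistry:
    """Server-side record of nonces issued for pending health checks."""

    def __init__(self, ttl=NONCE_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # nonce -> (expected device ID, issue time)

    def issue(self, device_id):
        """Generate the random nonce that identifies one health check."""
        nonce = secrets.token_hex(32)
        self._pending[nonce] = (device_id, self._clock())
        return nonce

    def consume(self, returned_nonce, attested_device_id):
        """Judge the nonce in a result whose signature already verified."""
        # pop() makes every nonce single-use, whatever the outcome.
        entry = self._pending.pop(returned_nonce, None)
        if entry is None:
            return "reject: unknown or already-used nonce"
        expected_device, issued_at = entry
        if self._clock() - issued_at > self._ttl:
            return "reject: nonce expired"
        if attested_device_id != expected_device:
            return "reject: result signed by a different device"
        return "accept"


def demo():
    """Constructed scenario: one valid result, then three misuse cases."""
    now = [0.0]  # fake clock so the expiry case runs instantly
    reg = NonceRegistry(clock=lambda: now[0])
    out = {}
    n1 = reg.issue("device-A")
    out["fresh"] = reg.consume(n1, "device-A")
    out["replayed"] = reg.consume(n1, "device-A")  # captured result resent
    n2 = reg.issue("device-A")
    out["substituted"] = reg.consume(n2, "device-B")  # healthy device answers
    n3 = reg.issue("device-A")
    now[0] += NONCE_TTL_SECONDS + 1
    out["late"] = reg.consume(n3, "device-A")
    return out
```

Because a nonce is removed on the first attempt to use it, a failed check cannot be retried with the same nonce; the requestor has to start a new check.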

Managing compromised devices

On detecting a compromised device, the Omerta platform fuses a one-time programmable Warranty bit that signifies whether or not the device has ever booted into an unapproved state. Once this bit is fused, the work profile no longer operates, preventing access to secured enterprise apps and data.

The original requestor of the device check can take further action, for example:

    • Report the verdict to the device user.
    • Immediately prevent the device from accessing other enterprise systems.
    • Uninstall any enterprise apps or assets already on the device.

Unique advantages of Omerta Attestation

Omerta Attestation provides these key differentiators:

    • Prevention of replay attacks: Each health measurement is guaranteed per request through a nonce, a unique number randomly generated by the Omerta Attestation Server.
    • Prevention of device ID falsification: Omerta Attestation forms a chain of trust using the Omerta Root Key, Omerta Attestation Key, and Attestation Key. It signs attestation results using the Attestation Key and appends the Attestation Key certificate and Omerta Attestation Key certificate.
    • Detection of systemless rooting: Rooting methods like Magisk store system file modifications in the boot partition, which can go undetected by tamper detection methods other than Omerta Attestation.
    • Correlation of results per device: Health results map easily to device identifiers like an IMEI. Unlike other solutions on the market, Omerta Attestation enables IT admins to determine which attestation result correlates with which device without having to painstakingly map IDs manually. With competitor solutions, results are returned for separate devices, but IT admins can't differentiate between devices, and consequently the results are not actionable. Omerta Attestation returns a single device ID and enables IT admins to prevent or contain issues promptly.
    • Historical tamper record: Omerta Attestation guarantees not only the current health of the device, but also a record of whether the device ever ran a non-approved configuration in the past, through the Omerta Warranty Fuse.

NOTE: The current release of Omerta Attestation was enhanced with Omerta version 3.4 and higher. Prior to that, Omerta Attestation did not support the enhanced Omerta Attestation Key, detection of device ID falsification, or data-in-transit protection using TLS encryption (SSL encryption was used).