Universal Credential Management (UCM)
Last updated February 20th, 2024
Digital credentials are critical mobile security building blocks, leveraging trusted authorities to validate identity and secure private channels across public deployments. Your mobile device credentials provide seamless access to secured Wi-Fi, VPN, email, and websites. Credentials include certificates providing identity and private keys to decrypt sensitive data. These credentials must be securely stored to prevent malicious parties from exploiting your identity and accessing confidential data.
Universal Credential Management works only on Qualcomm and Exynos chip devices.
Secure elements
While Android apps are able to store digital credentials securely on Samsung Android devices using the hardware-backed Keystore, some use cases require the user credentials and secrets stored in a secure element, which can come in form factors such as the following:
- Embedded Secure Element (eSE) — Supports the storing and accessing of credentials, allowing secure storage on the device without additional hardware.
- Micro SD card
- Universal Integrated Circuit Card (UICC)
- Smart card — Smart cards’ resiliency makes them ideal for storing credentials if the threat model calls for trust to be shifted outside the device.
The Samsung eSE is not available with the following countries and carriers: USA-Verizon, Korea-All, Japan-All, Canada-Telus.
Certain customers, especially in government and related industries, have internal regulations requiring the use of approved secure elements for storing credentials and secrets. The secure element is provisioned with an applet that provides certain cryptographic functions.
Use cases
The UCM framework implements a service layer that allows vendors to make their solution available to specialized apps on the device including:
- Device lock (keyguard) — The user inserts a PIN to authenticate themselves to the applet running in the secure element. If the PIN authentication is successful, the UCM framework retrieves a password from credential storage, which is used as the device password to unlock the device.
- Data at Rest (DAR) encryption — The applet provides another layer of protection for the device encryption keys. UCM allows for the device encryption key to be wrapped by the applet. The wrapped device encryption is unwrapped when the user provides the correct PIN on device boot.
UCM framework
The Universal Credential Management (UCM) framework enables Android apps to access all credential storage devices through the same standard programming interface — the Java Cryptography Extensions (JCE) API via either:
- a specific provider to carry out supported crypto operations
- the Android Keychain API for key and certificate operations
The vendor providing the secure element solution (including the applet) implements a UCM plugin, which registers their solution as a Keystore provider. Apps can simply refer to the vendor’s provider when calling Keystore API.
A significant benefit of the UCM framework is that it uniquely enables storage vendors to develop a plugin that provides access to their storage space and cryptographic operations, without forcing app developers to change their code or forcing IT admins or end users to update their apps. The plugin essentially acts as the link between the UCM framework and a specific storage device.
The UCM framework consolidates and standardizes credential services to provide a streamlined interface for:
- EMM or ISV apps — These apps configure, provision, and consume credentials, managing credential storage access permissions, and activating advanced UCM permissions. The apps can enforce the installation, removal, or per-app access control of a credential.
- Storage provider plugin — These apps are provided by storage vendors to link the UCM framework to their storage solution, to manage stored credentials.
- Secure storage — This feature currently includes the Samsung eSE and Smart Card readers described in Secure elements section. You can easily support other storage options through additional vendor plugins.
The Knox SDK provides credential storage vendors a set of UCM APIs to make current and future storage options available on Samsung devices, hiding the implementation details of their solution so that mobile app developers can transparently access stored credentials through standard APIs, such as the Android Keychain. Similarly, developers can use the Java Cryptography Extension APIs to offload cryptographic operations to a capable Smart Card. This abstraction, made possible by the UCM framework, eliminates the need for complex vendor-specific code within mobile apps, meaning enterprise customers have a wide range of existing apps available to them and can easily develop in-house apps without worrying about the underlying storage implementation.
UCM allowlist
The UCM framework uses two types of allowlists, which uniquely manage access controls for credential storage and offer fully customizable access permissions:
- App allowlist — Enforces which apps can access each secure storage type. Every secure storage device maps to its respective UCM plugin, that a secure storage solution provider creates and maintains.
- Credential allowlist — Enforces each app’s access to credentials, providing app-specific access permissions. By enforcing access control, admins can prevent credential usage by malicious or untrusted apps.
On this page
Is this page helpful?