Universal Credential Management (UCM)
Last updated March 7th, 2025
These features are only available for devices managed by an EMM or UEM.
The Universal Credential Management (UCM) framework enables Android apps to access all credential storage devices through the same standard programming interface—the Java Cryptography Extensions (JCE) API—via either:
- a specific provider to carry out supported crypto operations,
- the Android Keychain API for key and certificate operations.
The vendor providing the secure element solution (including the applet) implements a UCM plugin, which registers their solution as a Keystore provider. Apps can simply refer to the vendor’s provider when calling the Keystore API.
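As an added illustration of the path described above (example code, not from Samsung's documentation or the Knox SDK), an app signs with a credential that an EMM has already installed and granted to it, using only the Android KeyChain and JCE APIs; the class name, the alias argument and the exportability check are assumptions.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;

// Hypothetical helper (not a Knox API). The app never learns which storage holds the
// key; the vendor's UCM plugin, registered as a Keystore provider, serves the JCE calls.
public final class SecureElementSigner {
    // Call off the main thread: KeyChain.getPrivateKey blocks.
    public static byte[] sign(Context ctx, String alias, byte[] payload)
            throws KeyChainException, InterruptedException, GeneralSecurityException {
        PrivateKey key = KeyChain.getPrivateKey(ctx, alias);
        X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (key == null || chain == null || chain.length == 0) {
            // Alias missing, or the credential allowlist denies this app access to it.
            throw new KeyChainException("alias not available to this app: " + alias);
        }
        chain[0].checkValidity();  // reject expired or not-yet-valid leaf certificates
        // Android Keystore-backed keys return null from getEncoded(); exportable key
        // material means the credential is not hardware-bound as the admin intended.
        if (key.getEncoded() != null) {
            throw new GeneralSecurityException("key material is exportable: " + alias);
        }
        Signature sig = Signature.getInstance(algorithmFor(key));  // plain JCE call
        sig.initSign(key);  // provider is chosen from the key object, no vendor code
        sig.update(payload);
        return sig.sign();
    }

    // Verification needs only the certificate chain, so it never touches the element.
    public static boolean verify(Context ctx, String alias, byte[] payload, byte[] signature)
            throws KeyChainException, InterruptedException, GeneralSecurityException {
        X509Certificate[] chain = KeyChain.getCertificateChain(ctx, alias);
        if (chain == null || chain.length == 0) {
            return false;
        }
        Signature sig = Signature.getInstance(algorithmFor(chain[0].getPublicKey()));
        sig.initVerify(chain[0].getPublicKey());
        sig.update(payload);
        return sig.verify(signature);
    }

    private static String algorithmFor(Key key) {
        return "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
    }
}
```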
UCM use case
A significant benefit of the UCM framework is that it uniquely enables storage vendors to develop a plugin that provides access to their storage space and cryptographic operations, without forcing app developers to change their code or forcing IT admins or end users to update their apps. The plugin essentially acts as the link between the UCM framework and a specific storage device. The UCM framework allows vendors to make their solution available to specialized apps on the device including:
- Device lock (keyguard): The user enters a PIN to authenticate to the applet running in the secure element. If the PIN authentication succeeds, the UCM framework retrieves a password from credential storage, which is used as the device password to unlock the device.
- Data at Rest (DAR) encryption: The applet provides another layer of protection for the device encryption keys. UCM allows the device encryption key to be wrapped by the applet. The wrapped device encryption key is unwrapped when the user provides the correct PIN at device boot.
The UCM framework consolidates and standardizes credential services to provide a streamlined interface for:
- EMM or ISV apps: These apps configure, provision, and consume credentials, manage credential storage access permissions, and activate advanced UCM permissions. They can enforce the installation, removal, or per-app access control of a credential.
- Storage provider plugin: These apps are provided by storage vendors to link the UCM framework to their storage solution and to manage stored credentials.
- Secure storage: This currently includes the Samsung eSE and the Smart Card readers described in the Secure elements section. Other storage options can be supported through additional vendor plugins.
The Knox SDK provides credential storage vendors a set of UCM APIs to make current and future storage options available on Samsung devices, hiding the implementation details of their solution so that mobile app developers can transparently access stored credentials through standard APIs, such as the Android Keychain.
Similarly, developers can use the Java Cryptography Extension APIs to offload cryptographic operations to a capable Smart Card. This abstraction, made possible by the UCM framework, eliminates the need for complex vendor-specific code within mobile apps, meaning enterprise customers have a wide range of existing apps available to them and can easily develop in-house apps without worrying about the underlying storage implementation.
UCM allowlists
The UCM framework uses two types of allowlists, which uniquely manage access controls for credential storage and offer fully customizable access permissions:
- App allowlist: Enforces which apps can access each secure storage type. Every secure storage device maps to its respective UCM plugin, which the secure storage solution provider creates and maintains.
- Credential allowlist: Enforces each app's access to credentials, providing app-specific access permissions. By enforcing this access control, admins can prevent credential usage by malicious or untrusted apps.
Certificates on Secure Elements
While Android apps are able to store digital credentials securely on Samsung Knox devices using the hardware-backed Keystore, some use-cases require credentials and secrets to be stored in a secure element, which can come in the following form factors:
Embedded (non-removable)
- Samsung embedded Secure Element (eSE)
- Universal Integrated Circuit Card (UICC)/eSIM
Embedded (removable)
- Micro SD card
- Universal Integrated Circuit Card (UICC)
External
- Smart cards
Certain customers, especially in government and related industries, have internal regulations requiring the use of approved secure elements for storing credentials and secrets. The secure element is provisioned with an applet that provides certain cryptographic functions.
The Samsung eSE is not available in the following countries and carriers: USA-Verizon, Korea-All, Japan-All, Canada-TELUS.