Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
Protected Confirmation
Stay organized with collections
Save and categorize content based on your preferences.
This page describes the implementation of ConfirmationUI and the confirmation statements
to KeyMint.
Android Protected Confirmation leverages a hardware-protected user interface
called Trusted UI to facilitate high assurance to critical
transactions. Android Protected Confirmation is available to supported devices
running Android 9 (API level 28) or higher.
When an app invokes Protected Confirmation, Trusted UI queries the user for
confirmation. The Trusted UI asserts the user’s approval of the prompted message
with a high degree of confidence even if Android or its kernel (Linux) have been
compromised. Together with KeyMint (previously Keymaster), this assertion is then conveyed to a
remote party.
Developers can view the Android Protected Confirmation developer
documentation at developer.android.com.
Scope
The implementation of Android Protected Confirmation can be split into two
parts, both residing in the Trusted Execution Environment (TEE). One part is an
extension to KeyMint. It allows
the generation of keys with the usage requirement Tag::TRUSTED_CONFIRMATION_REQUIRED.
The second part is an app called ConfirmationUI, which
generates confirmation tokens. These tokens are cryptographic statements and
convey to KeyMint when the user confirms a given message.
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-08-29 UTC.
[null,null,["Last updated 2025-08-29 UTC."],[],[],null,["# Protected Confirmation\n\nThis page describes the implementation of ConfirmationUI and the confirmation statements\nto KeyMint.\n\nAndroid Protected Confirmation leverages a hardware-protected user interface\ncalled **Trusted UI** to facilitate high assurance to critical\ntransactions. Android Protected Confirmation is available to supported devices\nrunning Android 9 (API level 28) or higher.\n\nWhen an app invokes Protected Confirmation, Trusted UI queries the user for\nconfirmation. The Trusted UI asserts the user's approval of the prompted message\nwith a high degree of confidence even if Android or its kernel (Linux) have been\ncompromised. Together with KeyMint (previously Keymaster), this assertion is then conveyed to a\nremote party.\n\nDevelopers can view the Android Protected Confirmation developer\ndocumentation at [developer.android.com](https://developer.android.com/training/articles/security-android-protected-confirmation).\n\nScope\n-----\n\nThe implementation of Android Protected Confirmation can be split into two\nparts, both residing in the Trusted Execution Environment (TEE). One part is an\nextension to [KeyMint](/security/keystore). It allows\nthe generation of keys with the usage requirement `Tag::TRUSTED_CONFIRMATION_REQUIRED`.\nThe second part is an app called **ConfirmationUI**, which\ngenerates confirmation tokens. These tokens are cryptographic statements and\nconvey to KeyMint when the user confirms a given message."]]
