Samsung has revealed a new and surprising Galaxy S20 security twist
In my cybersecurity world, surprises come way too often for my liking. Not least as they usually have the word “nasty” prefixed. This has been especially true with regard to the smartphone sector, where everything from discovering that cyber-flashing perverts prefer iPhones to reporting on yet another WhatsApp vulnerability fits the bill. It’s not always the case, though, and I’m always happy to be able to write about positive security surprises. Such is the case with the latest revelation from Samsung about the secure internals of the Galaxy S20 smartphone.
Measuring security surprises in the smartphone sector
On the security surprise scale I would put the Samsung announcement somewhere between the “say what?” of Microsoft announcing it wants to secure iPhones, and the jaw-dropping one by scientists claiming to have developed an “absolutely unbreakable” encryption chip prototype. The latest Samsung revelation is still surprisingly good news on the Android smartphone security front, and it also involves a secure chip: the S3K250AF to be precise. Perhaps the biggest surprise, even allowing for the success of Knox in Samsung smartphones, is that it has taken so long for Samsung to implement such a dedicated security chip. Google has the Titan M in its Pixel devices, and Apple has the T2 chip-powered secure enclave in iPhones. We will have to wait and see how it fares against those established secure solutions over time, but let’s explore what is known.
The all-new Samsung “Secure Element” dedicated security chip
The all-new, S3K250AF-based “Secure Element” security solution, which will first feature in the Galaxy S20, brings the concept of standalone and isolated sensitive data storage to Samsung smartphones for the first time. Combining a microcontroller with advanced hardware-level protection, as well as an optimized secure operating system, the new SE system has achieved a Common Criteria Evaluation Assurance Level (CC EAL) of 5+, which is the highest for a mobile component. In plain English, that means owners of the Samsung Galaxy S20 series will get a dedicated security chip in addition to the existing layers of security already provided, such as the Knox mobile security platform.
Dongho Shin, senior vice-president of system large scale integration (LSI) marketing at Samsung Electronics, said: “Our new turnkey SE solution for mobile devices will not only keep user data safer on the go but also enable new mobile applications that will broaden and enrich our everyday lives.” What those new applications are remains to be seen.
What we do know is that this new secure element chip will bring what Samsung refers to as a “dedicated tamper-resistant strongbox” for confidential and cryptographic data. So, the likes of PINs and passwords, crypto-currency credentials and credit card payment tokens will be stored separately from standard mobile memory, and that’s a good, secure thing. It’s not the only thing that impacts security on a smartphone, though.
Android security requires more than just a chip, and that’s where my unsurprising concern sits
While this is all very good news from the security perspective, I’m sorry to say it doesn’t resolve the biggest security problem faced by owners of Android-powered smartphones: the highly fractured ecosystem. Hands up, I admit it, my name is Davey Winder and, as far as Android phones are concerned, I’m a Samsungoholic. I love Samsung smartphones for a whole heap of reasons, but security updates aren’t one of them. Yes, I admit to being pleasantly surprised when I recently reported how some Samsung smartphone owners had received the January Android security update before owners of Google Pixel devices. However, there was no gloating to be had, as I said at the time, what with my brand-new Galaxy Note 10+ 5G being two months behind the current security update level then.
The February security update dealt with a total of 25 vulnerabilities, rated from moderate to critical; my device received that update during the last week of February, leaving the threat window open way too long for my liking. The trouble is that, as far as Android security updates are concerned, it’s too much of a lottery: what device do you have, what network provider are you with, where do you live? All those things combine to roll the dice as to when you will get updates that are critical to the security of your device and your data.