A recent post on Google's security blog breaks down how the new features of Android Keystore keep your Android Pie device safer.
Some of these features rely on Google's security chip, Titan M, installed on Pixel 3 devices, but others are OS-level parts of Keystore. In other words, some of the new Keystore features help everyone using Android 9.0 Pie.
Keystore gives application developers a set of cryptographic tools designed to protect user data. One advantage of Keystore is that it moves cryptographic operations out of the Android OS and into the device's secure hardware. This adds a layer of security: the cryptographic keys can only be used inside the secure hardware, which protects them against a range of attacks, including extraction from a compromised OS.
One of the new Keystore capabilities introduced with Android Pie is keyguard-bound keys.
Mobile applications often receive data that they do not need immediate access to. This information must remain protected until the user needs it. This is where keyguard-bound keys come in.
Apps cannot use these keys to decrypt or sign while the screen is locked. Once the user unlocks the device, the keyguard-bound keys become available for use again.
Although keyguard binding works similarly to another Keystore protection, authentication binding, the relationship to the lock screen is the important difference. Keyguard binding is tied directly to the screen-lock state, whereas authentication binding stays fixed regardless of whether the screen is currently locked.
It is also worth noting that keyguard binding is enforced at the OS level, since the secure hardware has no way of knowing when the screen is locked. Combining keyguard binding with hardware-enforced authentication binding therefore creates a safer environment for storing important cryptographic keys. And because it is an OS-level feature, every Android Pie device has access to keyguard binding.
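As an added illustration (not code from the Google post or the Android project), the following Java snippet shows how an app asks Keystore for both protections on one AES key: keyguard binding via setUnlockedDeviceRequired, plus hardware-enforced authentication binding. The key alias and the 30-second authentication validity window are assumed values.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class KeyguardBoundKeys {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "example_keyguard_bound_key"; // assumed alias

    // Generate an AES-GCM key that Keystore refuses to use while the device is locked.
    // setUnlockedDeviceRequired(true) is the Android 9 (API 28) keyguard-binding control,
    // enforced by the OS. setUserAuthenticationRequired(true) adds authentication binding,
    // enforced in secure hardware; its validity window is a timeout, not the lock state,
    // which is exactly the difference the text above describes.
    public static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setUnlockedDeviceRequired(true)                // keyguard binding
                .setUserAuthenticationRequired(true)            // authentication binding
                .setUserAuthenticationValidityDurationSeconds(30) // assumed window
                .build();
        kg.init(spec);
        return kg.generateKey();
    }

    // Decrypt data that arrived while the app was in the background. If the screen is
    // locked (or the authentication window has expired), Keystore rejects the operation
    // with a security exception; the caller should defer and retry after the user
    // unlocks rather than treat this as an unrecoverable error.
    public static byte[] decryptWhenUnlocked(byte[] iv, byte[] ciphertext) throws Exception {
        KeyStore ks = KeyStore.getInstance(ANDROID_KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(ciphertext);
    }
}
```

The key material itself never leaves the secure hardware; only the gating of its use differs between the two bindings.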
Secure key import
The second new feature is secure key import. A trusted key source, such as a remote server, data center or other cloud system, uses a public wrapping key to encrypt the secret keys it wants to provision. This public wrapping key comes from the user's device, and that device is the only one that can decrypt what it wraps.
Furthermore, the wrapped key stays hidden from everything between the key source and the secure hardware, including the Android OS itself, which means that only the secure hardware ever sees the key contained inside the wrapper.
An example of an application that uses this is Google Pay, which provisions some of its keys to Pixel 3 devices this way to prevent interception.
In general, these security features add a number of additional protection layers to valuable data sent to and received from the phone. Google has done a lot with Pixel 3 and Titan M to improve security.