As easy as Pie: Google’s Android implementation of OMAPI
Jeremy O’Donoghue, Chair of the Trusted Platform Services (TPS) Committee, GlobalPlatform
It may not be one of the most high-profile new features of the latest Android 9 Pie release. It certainly won’t be covered by the consumer tech reviews. Yet Google’s implementation of GlobalPlatform’s Open Mobile Application Programming Interface (OMAPI) is one of the updates to Android Pie most welcomed by secure digital service and device experts globally.
In one single move, Google has made it easier for Android developers to write applications which behave consistently when using a hardware-based security environment (the Secure Element, or SE) which already exists in most smartphones. Additionally, a single Android implementation of OMAPI will make it simpler for mobile apps to communicate with different types of SEs, and consequently, a broader range of devices (since different device types may contain varying SEs).
As a result, this latest announcement by Google has the potential to trigger growth and diversification across both the secure application market and the secure element ecosystem. In the context of GlobalPlatform’s work to standardize and enable further deployment of secure digital services and devices, this represents a very important milestone.
What is OMAPI?
OMAPI is the mechanism which enables an authorized mobile app to communicate with applets within an SE in a device. This allows the app to benefit from enhanced SE-based security services.
To understand the value of OMAPI, it’s important to know that SEs are tamper-resistant secure components which exist in many form factors, including embedded and integrated SEs (eSE/iSE), SIM/UICCs and smart microSD. They are capable of securely hosting applications and their confidential and cryptographic data, such as key management, in accordance with rules and security requirements set by identified trusted authorities. As such, the services they provide can greatly enhance the security of mobile apps.
This is why OMAPI is so important in the context of secure mobile transactions and services.
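To make the app-to-applet path concrete, here is an added example (not code from GlobalPlatform or Google) that uses the `android.se.omapi` classes available from Android 9 to ask each SE reader for one applet and to tell "denied by access control" apart from "applet not present". The class name `OmapiProbe` and the AID are placeholders chosen for illustration.

```java
import android.content.Context;
import android.se.omapi.Channel;
import android.se.omapi.Reader;
import android.se.omapi.SEService;
import android.se.omapi.Session;
import android.util.Log;
import java.io.IOException;
import java.util.NoSuchElementException;
import java.util.concurrent.Executors;

/** Added illustration: probes each SE reader for one applet (API level 28+). */
public final class OmapiProbe {
    private static final String TAG = "OmapiProbe";
    // Placeholder AID (constructed); use the AID of the applet your app is authorized for.
    private static final byte[] APPLET_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01};
    private SEService service;

    public void start(Context context) {
        // The listener runs once the system SE service is connected.
        service = new SEService(context, Executors.newSingleThreadExecutor(), this::probeReaders);
    }

    private void probeReaders() {
        for (Reader reader : service.getReaders()) {   // one Reader per SE slot (SIM, eSE, ...)
            if (!reader.isSecureElementPresent()) continue;
            Session session = null;
            try {
                session = reader.openSession();
                Channel channel = session.openLogicalChannel(APPLET_AID);
                if (channel == null) {                 // SE has no free logical channel
                    Log.w(TAG, reader.getName() + ": no logical channel available");
                    continue;
                }
                // SELECT response data followed by the status word; may be null.
                byte[] select = channel.getSelectResponse();
                int len = (select == null) ? 0 : select.length;
                Log.i(TAG, reader.getName() + ": applet selected, " + len + " response bytes");
                channel.close();
            } catch (SecurityException e) {            // SE access rules do not allow this app
                Log.w(TAG, reader.getName() + ": access denied by SE access control");
            } catch (NoSuchElementException e) {       // AID not available on this SE
                Log.i(TAG, reader.getName() + ": applet not present");
            } catch (IOException e) {                  // communication problem with reader or SE
                Log.e(TAG, reader.getName() + ": I/O error", e);
            } finally {
                if (session != null) session.close();  // closes any channel still open
            }
        }
        service.shutdown();
    }
}
```

Logging the three failure cases separately matters in the field: a `SecurityException` points at the access rules provisioned on the SE, not at a missing applet or a broken reader.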
What are the benefits of a single OMAPI implementation?
The simple answer to this question is consistent implementation and app behavior through standardization. By fully integrating OMAPI into the Android Open Source Project, Google will from now on specify how device manufacturers implement OMAPI within handsets. This resolves a fragmentation issue previously faced by the mobile ecosystem. Until now, and in response to a mandatory requirement by GSMA for OMAPI in all NFC handsets (which is why most handsets today already implement OMAPI), device manufacturers have been individually responsible for developing their own implementations. While these have mostly been derived from the same open source project, the lack of a common implementation has resulted in inconsistent behavior in certain situations (for example when a mobile network operator makes changes to their SIM card or deploys more complex access control rules). In any deployment of software across a range of devices and apps, consistent behavior must be pursued since it is critical to the effective delivery and security of services.
One single Android implementation of OMAPI does more than simply resolve the fragmentation challenge, however. It also supports Google’s goal of optimizing security in Android, by reducing variances in implementation and promoting stability and consistency across the Android ecosystem.
With the growth in different types of SE form factors, including embedded and integrated, and the increasing availability of multiple SEs within a single device, a further benefit of a common and consistent OMAPI implementation will be the standardization it brings as new technologies emerge, SE product types diversify and the range of available devices continues to grow. Android’s support for an open standardized SE ecosystem will be critical to the expansion and facilitated deployment of secure applications within an increasingly divergent future market.
What does this mean for GlobalPlatform?
While Google’s implementation of the GlobalPlatform OMAPI into Android Pie is a significant achievement for the organization, excitement will truly start to build as Android Pie is rolled out beyond Pixel devices. When a critical mass of handsets supporting Android Pie exists, the mobile and SE ecosystem will truly begin to benefit from OMAPI standardization.
While this is only the start of the Android OMAPI journey, Google’s announcement represents the pinnacle of a long-term collaborative GlobalPlatform work effort. Since SIMalliance transferred ownership of the OMAPI Specification to the organization in 2016, many GlobalPlatform members active within the SE, Android and System-on-Chip ecosystems have contributed to its enhancement. Cooperation within GlobalPlatform has been approached with the goal of addressing the needs of all OMAPI stakeholders in addition to Google’s. Ultimately, as we have seen, this approach has been hugely successful.
The association’s work to create a collaborative and standardized ecosystem of secure digital services and devices does not stop here, of course. GlobalPlatform followed Google’s announcement with the publication of Android Binding for OMAPI v1.0 – a Java Language API binding for the GlobalPlatform OMAPI Transport Layer that specifically targets the Android Platform from Android P onwards.
Thanks to GlobalPlatform’s open and diverse membership base, its close liaison with other technical and standards bodies (e.g. GSMA, PTCRB and the Global Certification Forum or GCF), and the desire to evolve its OMAPI technology for the greater good of the industry, the organization has been able to bring the relevant ecosystem players together to make this significant development happen. Importantly, this approach has led to full ecosystem buy-in of Google’s move to integrate OMAPI into the Android Open Source Project and, as a result, that ecosystem is now standing to benefit from the move to a fully standardized OMAPI.