Security has always been a top priority for Pixel, spanning both the hardware and software of our devices. This includes monthly security updates and yearly OS updates, so Pixel always has the most secure version of Android, as well as Google Play Protect to help safeguard your phone from malware. Last year on Pixel 2, we also included a dedicated tamper-resistant hardware security module to protect your lock screen and strengthen disk encryption.
This year, with Pixel 3, we’re advancing our investment in secure hardware with Titan M, an enterprise-grade security chip custom built for Pixel 3 to secure your most sensitive on-device data and operating system. With Titan M, we took the best features from the Titan chip used in Google Cloud data centers and tailored it for mobile.
Here are a few ways Titan M protects your phone.
Security in the Bootloader
First, to protect Android from outside tampering, we’ve integrated Titan M into Verified Boot, our secure boot process.
Titan M helps the bootloader—the program that validates and loads Android when the phone turns on—make sure that you’re running the right version of Android. Specifically, Titan M stores the last known safe Android version and prevents “bad actors” from moving your device back to run on an older, potentially vulnerable, version of Android behind your back. Titan M also prevents attackers running in Android attempting to unlock the bootloader.
Lock Screen Protection & Disk Encryption On-Device
Pixel 3 also uses Titan M to verify your lock screen passcode. It makes the process of guessing multiple password combinations harder by limiting the amount of logon attempts, making it difficult for bad actors to unlock your phone. Only upon successful verification of your passcode will Titan M allow for decryption.
In addition, the secure flash and fully independent computation of Titan M makes it harder for an attacker to tamper with this process to gain the secrets to decrypt your data.
Secure Transactions in Third-Party Apps
Third, Titan M is used not only to protect Android and its functionality, but also to protect third-party apps and secure sensitive transactions. With Android 9, apps can now take advantage of StrongBox KeyStore APIs to generate and store their private keys in Titan M. The Google Pay team is actively testing out these new APIs to secure transactions.
For apps that rely on user interaction to confirm a transaction, Titan M also enables Android 9 Protected Confirmation, an API for protecting the most security-critical operations. As more processes come online and go mobile—like e-voting, and P2P money transfers—these APIs can help to ensure that the user (not malware) has confirmed the transaction. Pixel 3 is the first device to ship with this protection.
Insider Attack Resistance
Last, but not least, to prevent tampering, Titan M is built with insider attack resistance. The firmware on Titan M will never be updated unless you have entered your passcode, meaning bad actors cannot bypass your lock screen to update the firmware to a malicious version.
With the Pixel 3, we’ve increased our investment in security and put industry-leading hardware features into the device, so you can rest assured that your security and privacy are well protected. In the coming months, the security community will be able to audit Titan through its open-source firmware. In the meantime, you can test out Titan M and all of the smarts Pixel 3 brings, when it goes on sale on Thursday, October 18 in the U.S.