Android 15’s Contact Keys is a step towards Apple-like protection from cyber attacks (APK teardown)


Credit: Robert Triggs / Android Authority

Android 15 introduced a new API to facilitate end-to-end encryption in apps. The Contact Keys Manager API gives users a centralized way to manage and verify their contacts’ public keys.
The latest Google Play Services beta update contains hints that showcase how this Contact Keys feature will work.
Apple introduced a similar feature called Contact Key Verification with iOS 17.2, which also features automatic notifications and other extras.

Android 15’s first beta introduced a new E2eeContactKeysManager API, which is said to facilitate end-to-end encryption (E2EE) in Android apps by providing an “OS-level API for the storage of cryptographic public keys.” Google notes that the API is designed to integrate with the “platform contacts app” to give users a “centralized way to manage and verify their contact’s public keys.” We now have some more info on how the user-facing elements of Contact Keys will work, potentially making Android a stronger competitor to Apple in protecting users against sophisticated cyberattacks.

While Android 15 introduced the API, Google Play Services will handle the functionality related to Contact Keys. We’ve spotted new activities and strings in the latest Google Play Services beta that give us a clue about how the feature will work.

Starting off with the activities, we’ve spotted three of them within Play Services: one for onboarding, one for showing the QR code, and one for scanning the QR code.

Next, we found plenty of strings, which help us piece together how the feature could work:

<string name="contactkeys_scan_qr_btn_scan">Scan code</string>
<string name="contactkeys_scan_qr_btn_show">Show code</string>
<string name="contactkeys_scan_qr_text_view_desc">Scan the QR code on this contact’s phone. This will confirm encryption between your phones for all end-to-end encrypted apps. To do this, they’ll need to open the Google Contacts app > Contacts settings > Your info.</string>
<string name="contactkeys_scan_qr_text_view_title">Confirm end-to-end encryption</string>
<string name="contactkeys_show_qr_code_no_selfkeys">No keys to verify.</string>
<string name="contactkeys_show_qr_text_view_show_numbers">Show numbers</string>
<string name="contactkeys_show_qr_text_view_desc">Ask this contact to scan your code here, which you can also access from Contacts Settings > Your Info. You can also compare the app specific numbers instead.</string>
<string name="contactkeys_lookupkey_required">Error starting key verification, no contact specified</string>

As the strings show, the Contact Keys feature will rely heavily on the Google Contacts app for its UX. Users who want to confirm that all their E2EE apps are actually encrypted can scan the QR code shown in the other person’s Google Contacts app. Alternatively, the strings hint that you could compare the app-specific numbers instead to reassure yourself about the encryption status.
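The check behind both options is a comparison between the public key your phone holds for a contact and the key the contact's own device presents in person. The sketch below is an added example, not code from Google or from the teardown: the package names, key bytes, state labels and the SHA-256 based number format are all assumptions made for illustration, since the strings do not reveal the real QR payload or number format.

```python
import hashlib
import hmac

def fingerprint(public_key: bytes, digits: int = 30) -> str:
    """Short decimal fingerprint two people can read out and compare.
    Assumed format: SHA-256 of the key reduced to `digits` decimal digits."""
    value = int.from_bytes(hashlib.sha256(public_key).digest(), "big")
    text = str(value % 10**digits).zfill(digits)
    return " ".join(text[i:i + 5] for i in range(0, digits, 5))

def compare_keys(stored: dict, presented: dict) -> dict:
    """Compare the keys stored locally for a contact, per app, with the keys
    the contact's device presented out of band (for example via a QR code).
    State labels are illustrative, not the platform's own constants."""
    states = {}
    for app, local_key in stored.items():
        remote_key = presented.get(app)
        if remote_key is None:
            states[app] = "not_presented"   # nothing to compare against
        elif hmac.compare_digest(local_key, remote_key):
            states[app] = "verified"        # same key on both phones
        else:
            states[app] = "mismatch"        # key differs: possible interception
    return states

# Constructed sample data: keys Alice's phone stored for Bob, per app.
ALICE_STORED = {
    "com.example.chat": bytes(range(32)),
    "com.example.mail": bytes(range(32, 64)),
    "com.example.voip": bytes(range(64, 96)),
}
# Constructed sample data: keys Bob's phone actually presents. The mail key
# differs, as it would if a third party had substituted its own key in transit.
BOB_PRESENTED = {
    "com.example.chat": bytes(range(32)),
    "com.example.mail": bytes(range(100, 132)),
}

if __name__ == "__main__":
    for app, state in compare_keys(ALICE_STORED, BOB_PRESENTED).items():
        print(f"{app}: {state}  local={fingerprint(ALICE_STORED[app])}")
```

A mismatch for one app means the key stored for that contact is not the one their device uses, which is the condition in-person verification exists to catch.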

Apple has a similar feature on iOS called Contact Key Verification, which was added in iOS 17.2. Contact Key Verification lets you receive automatic alerts that help verify that you are communicating only with the people you intend to communicate with. By verifying the encryption status, you can reassure yourself that you are not being targeted by any sophisticated cyber attack.

Contact Key Verification on iOS 17.2
Credit: Apple

If you want to learn more, Apple’s security blog post goes into more detail about Contact Key Verification.

We expect Google’s Contact Keys to work along similar lines, albeit at an earlier stage of progress. The strings don’t indicate any automatic messages being sent out like those in iMessage Contact Key Verification. This can change for the better in the future, but it’s still a good step forward in its current form.
