White-box Cryptography is a type of encryption that can be used for advanced application protection. It is often implemented to protect private keys that are swimming in the rich operating system, rather than secured by hardware components, such as hardware security modules (HSMs), trusted platform modules (TPM), Secure Enclaves (SE), and trusted execution environments (TEE).
White-box cryptography prevents the exposure of valuable information by obfuscating the data but also storing it in random data and within the code itself. This makes it difficult to achieve malicious attacks even if the device itself has been compromised from malware, rooting, or jailbreaking. Leveraging white-box cryptography for both secure storage and execution of cryptographic functions (e.g. signing), white-box cryptography — as part of a larger offering — can ensure authentication channels and private keys are kept safe from attacks.
In instances where an application does not store authentication keys in the TPM, the keys would be more vulnerable to specific attacks where the devices are overtaken and its contents analyzed. White-box cryptography is software but it mimics the protection of hardware-backed key security.
Keys secured by hardware components are considered black-box models. By contrast, white-box cryptography assumes a worst case scenario, where a malicious actor has control over the execution environment and the internal workings of an algorithm are visible and modifiable. White-box cryptography is a complex layer of obfuscation, encryption, and mathematical transformation that keeps cryptographic keys safe in such an untrusted environment, driving up the costs and effort of an attack such that it becomes infeasible.
“White-box cryptography, when added to a mobile security solution, helps prevent a lost, stolen, or malware-compromised device from being reverse engineered to extract sensitive information such as authentication keys.”