Delta Android Keysystem May 2026

With Android 15, Google is enforcing stricter DRM module updates via Project Mainline. The MediaProvider and Media modules can now receive delta updates directly from Google Play System Updates (GPSU), bypassing OEMs. This means:

In a traditional TEE, the key never leaves tamper-resistant silicon. In a Delta system, some key material might reside in a Temporal Isolated Environment (e.g., pKVM or a Trusted App). An attacker with kernel access could theoretically extract the "delta component."

Mitigation: Sealed Binding. The Delta module encrypts its key material with a hardware-derived key from the TPM/StrongBox. Without the TEE's master key, the delta blob is useless.

Google has not publicly committed to the "Delta" nomenclature, but evidence from the AOSP Gerrit (Code Review) shows active development on "Mutable Keymaster" and "Keymaster 5.0" features.

  • Payload signature:

  • Verification flow on device:

  • Key storage and Root of Trust:


  • A successful implementation passes the CtsKeystoreTestCases with a twist: the test forces the Delta system to switch from ECDSA P-256 to Ed25519 mid-test without rebooting, then verifies that previously signed data remains verifiable.
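
The property that last test checks (a signing-algorithm switch in a running process that leaves older signatures verifiable) can be sketched as follows. This is an added example, not code from AOSP, CTS or the page's author; it is written in Go with the standard library rather than against the Android Keystore API, and `Store`, `Signed` and `SwitchToEd25519` are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signed records which key generation produced Sig, so Verify can dispatch on it.
type Signed struct { KeyID int; Sig []byte }

// Store is a hypothetical in-memory stand-in for a keystore, constructed for this example.
type Store struct {
	sign   func(msg []byte) []byte            // signer for the newest key generation only
	verify map[int]func(msg, sig []byte) bool // one verifier kept per generation, ids 1..n
}

// NewStore starts on ECDSA P-256 over SHA-256 as key generation 1.
func NewStore() *Store {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	digest := func(m []byte) []byte { h := sha256.Sum256(m); return h[:] }
	sign := func(m []byte) []byte { sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(m)); must(err); return sig }
	verify := func(m, sig []byte) bool { return ecdsa.VerifyASN1(&priv.PublicKey, digest(m), sig) }
	return &Store{sign: sign, verify: map[int]func(msg, sig []byte) bool{1: verify}}
}

// SwitchToEd25519 replaces the signing key in place (no restart) and keeps older verifiers.
func (s *Store) SwitchToEd25519() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	s.sign = func(m []byte) []byte { return ed25519.Sign(priv, m) }
	s.verify[len(s.verify)+1] = func(m, sig []byte) bool { return ed25519.Verify(pub, m, sig) }
}

// Sign tags with the newest generation; Verify dispatches on the tag and fails closed.
func (s *Store) Sign(msg []byte) Signed { return Signed{len(s.verify), s.sign(msg)} }
func (s *Store) Verify(msg []byte, sg Signed) bool { v, ok := s.verify[sg.KeyID]; return ok && v(msg, sg.Sig) }
func must(err error) { if err != nil { panic(err) } }

func main() {
	s, msg := NewStore(), []byte("constructed sample payload")
	old := s.Sign(msg) // ECDSA P-256, generation 1
	s.SwitchToEd25519()
	fmt.Println("pre-switch signature still verifies:", s.Verify(msg, old))
}
```

After the switch the ECDSA private key is no longer reachable from the store; only its public half remains for verification, and a signature presented under the wrong key id is rejected.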