Google has announced a major milestone in open-source security, with the Protected KVM (pKVM) hypervisor—integral to the Android Virtualization Framework—becoming the first software system globally to earn SESIP Level 5 certification. This achievement sets a new benchmark for large-scale consumer electronics security.

Powering the Next Generation of Secure Android Features

With this certification, Android is now equipped to support highly critical, isolated workloads with maximum security guarantees. This includes advanced capabilities like on-device AI processing of ultra-personalized data, ensuring top-tier privacy and integrity.

The certification process involved rigorous evaluation by Dekra, a world-renowned cybersecurity lab, under the TrustCB SESIP framework in compliance with EN-17927. Reaching Level 5 means meeting AVA_VAN.5—the highest standard of vulnerability assessment and penetration testing within the ISO 15408 (Common Criteria) guidelines. Systems at this level are proven resistant to even the most skilled, well-funded attackers with insider-level access.

This milestone strengthens Android’s multi-layered security strategy. In contrast, many industry Trusted Execution Environments (TEEs) remain uncertified or meet only lower assurance levels—posing challenges for developers building high-security applications. pKVM changes this by offering an open-source, high-quality, and verifiably secure foundation for all device manufacturers.

Looking forward, Android device makers will be required to implement isolation technologies meeting this same security threshold for various core operations, ensuring users benefit from a consistent, transparent, and trustworthy platform.

A Global Collaboration

This success reflects years of collaboration between the Linux and KVM open-source communities and multiple Google engineering teams focused on pKVM and the Android Virtualization Framework. Together, they have laid the groundwork for the next era of high-assurance mobile security.

Source: https://security.googleblog.com/2025/08/Android-pKVM-Certified-SESIP-Level-5.html