Apple and Google are gradually expanding their use of hardware-based attestation.
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS -- I am not surprised that they are going for hardware certificates since the CPU chiphering / randomness tampering is going to fade away soon:
...and yes, I am again me: the one behind the Sailfish OS refactoring attempt then presented as RedFish OS at SFSCONF 2023.
***
-
Motorola has a security contract with the USA.
They will, depending on need, release a device with GrapheneOS — or delay it — and work closely with you to identify the methods and vulnerabilities you discover, as well as how you implement features to overcome the planned “new normal,” so that, behind the scenes, they can undermine and circumvent your work in the future. The investment — which includes you — is intended to strengthen relations and acquire additional contracts.
@Linux Motorola Mobility is a subsidiary of Lenovo and definitely doesn't have the relationship you're describing with the US government. Motorola was split up in 2011 and Motorola Mobility was acquired by Lneovo in 2014. You're confusing entirely different companies together, not that it would make sense regardless since GrapheneOS is open source. They don't need to do anything special to see what we're doing.
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
@GrapheneOS It is not. Nothing is about security, everything is about device lockdown so surveillance becomes unescapable. This is the ultimate goal of the system. It is quite evident on all fronts. Mobile, desktop, consumer electronics, vehicles etc. Only servers seem to get a lighter treatment because they are used by corporations.
-
@Linux @GrapheneOS Do you have a reference for that? You might be mixing up Motorola Mobility with Motorola Solutions, which are two separate companies.
I am the source.
Both Motorola Mobility with Motorola Solutions CAGE Code: 01113, 6H7Z2, 78205, and 7H229 (NCAGE).
If you’re looking for an actual document that says, “Yes, we’re trying to screw over the American people,” a written confession in a convenient PDF file, you won’t find one. Ever.
-
I am the source.
Both Motorola Mobility with Motorola Solutions CAGE Code: 01113, 6H7Z2, 78205, and 7H229 (NCAGE).
If you’re looking for an actual document that says, “Yes, we’re trying to screw over the American people,” a written confession in a convenient PDF file, you won’t find one. Ever.
-
Yes, and money goes both ways.
-
@7cd4a72311bad46117e0f692dddc5f31a543b47ff4265b028f8d820ac808ab3c @MAlBarram Pixels aren't somehow dead and none of what we posted is in any way specific to Pixels, Android devices or operating systems based on the Android Open Source Project.
You should read the thread we posted which is about them bringing the Play Integrity API to the web including for desktops by requiring having a phone certified by it or an iOS device in order to pass checks on the web and desktops too.
-
@7cd4a72311bad46117e0f692dddc5f31a543b47ff4265b028f8d820ac808ab3c @MAlBarram Pixels aren't somehow dead and none of what we posted is in any way specific to Pixels, Android devices or operating systems based on the Android Open Source Project.
You should read the thread we posted which is about them bringing the Play Integrity API to the web including for desktops by requiring having a phone certified by it or an iOS device in order to pass checks on the web and desktops too.
@7cd4a72311bad46117e0f692dddc5f31a543b47ff4265b028f8d820ac808ab3c @MAlBarram This doesn't impact GrapheneOS more than it impacts Windows, desktop Linux, FreeBSD, etc. You should read what we wrote in the thread. Whether you use a FreeBSD device or a GrapheneOS device, needing to have an unmodified iOS or Google Mobile Services Android device to pass checks for accessing banking and government services or now to pass certain reCAPTCHA checks is still going to be an issue.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
@GrapheneOS This is a major issue. Even to make appointments in DE at local Government Offices one has to jump through ID processes that in my case only work via my wife's iPhone.... it should be constitutionally illegal. It is a denial of right.
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
It is a proof that governments, banks and companies are one and the same.
-
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
@GrapheneOS Het lijkt me dat @kimvsparrentak hier ook wel een mening over zal hebben? Het kan toch niet zo zijn dat login in Europa straks wordt gegatekeeperd door twee Amerikaanse bedrijven?
-
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
@GrapheneOS How would this be accessible, eg would blind people be able to scan a QR code on a screen?
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS Is this illegal under antitrust or pro-competition laws? If so, is legal action against it planned?
-
@GrapheneOS Het lijkt me dat @kimvsparrentak hier ook wel een mening over zal hebben? Het kan toch niet zo zijn dat login in Europa straks wordt gegatekeeperd door twee Amerikaanse bedrijven?
@ArtHarg wat bedoel je met ‘login in Europa’?
-
@GrapheneOS @dwaynemonroe pypi disabled pgp signing (certified donald stufft and william woodruff tag team production. woodruff whined about how he couldn't surveil some keypairs and claimed this made them "useless")
anyway if you want the cryptographic checkmark from pypi they need you to give microsoft or google a few minutes alone with your code before any user can see it. not "reproducible" but reprobuilds only bullies open source code not corps. would love the evangelism strike force to fight corporate DRM and not module signing in the kernel
it is very possible to reproducibly diff a build process with module signing, diffoscope just completely sucks
[yes i'm likely gonna fork it]
thanks for listening!
@hipsterelectron @GrapheneOS @dwaynemonroe The book to throw at people who can't grasp the significance is Edwin Black „IBM and the Holocaust” and for what the target will be in the USA, to which I'll hopefully never be repatriated, witness e.g. Marsha Blackburn declaring that the purpose of KOSA is to „eradicate the transgender.” I figured out that no one was going to deal with the issue in good faith and fled the country before the inauguration, and was already vindicated at the inauguration itself.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
@GrapheneOS The Brazilian government app "gov.br" requires Play Integrity too. There's no fallback, no alternative verification method.
I've sent complaints to the Brazilian entities suggested in the "Keep Android Open" website, but they either reply with a template message or completely ignore it.
Google is pretty much our Evil Corp, but where is fsociety?
-
@GrapheneOS The Brazilian government app "gov.br" requires Play Integrity too. There's no fallback, no alternative verification method.
I've sent complaints to the Brazilian entities suggested in the "Keep Android Open" website, but they either reply with a template message or completely ignore it.
Google is pretty much our Evil Corp, but where is fsociety?
@GrapheneOS I've used Magisk and Play Integrity Fix/Fork before. While it works, it requires a rooted device. The PIF module has to update very often to keep working, and it would have root privileges to your phone...
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
@GrapheneOS You're just doing it wrong. Using current mobile hardware and android as base is just wrong approach. Happy to talk about this f2f.
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS we need more Linux or BSD FOSS phones. Can that mitigate or at least stop these practices?
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS Worst case, this is gonna kill desktops altogether, and AluminumOS simply existing is a huge step in that direction.
