Apple and Google are gradually expanding their use of hardware-based attestation.
-
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
Play Integrity API is highly insecure and it isn't particularly hard to temporarily bypass it. There are frameworks for spoofing the software checks and leaked keys for bypassing hardware attestation can be purchased. However, bypasses are getting harder and are becoming increasingly short lived.
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS This is such a messed up shitshow. I fear that technical workarounds won't cut it. This is going to need political pressure, which seems unlikely to happen
-
Play Integrity API is highly insecure and it isn't particularly hard to temporarily bypass it. There are frameworks for spoofing the software checks and leaked keys for bypassing hardware attestation can be purchased. However, bypasses are getting harder and are becoming increasingly short lived.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
-
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
@GrapheneOS At this time the NHS app in the UK has a 'use Chrome (yes/no)' prompt that pops up each time i'm logging in. I've written to the developers to point out how egregious this is.
-
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
True. Some banking apps work on my oldest Pixel 2 with latest OS patch over 10 years old but not on the latest secure GOS. That's fkin hilarious
-
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
-
@GrapheneOS At this time the NHS app in the UK has a 'use Chrome (yes/no)' prompt that pops up each time i'm logging in. I've written to the developers to point out how egregious this is.
@Ra @GrapheneOS I can't use the online services of my healthcare provider on my desktop (cant login on their website) without having their app on an android or apple device. I'am effectively being locked out of all of their online services (except contacting them via email).
germany here
-
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@EUCommission is that the digital independece we want for the #EU ?
(read the whole thread)Edit: @EC_DIGIT_director_general i guess it's interesting for you and your department as well.
-
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
@GrapheneOS So let me get this straight... we're going to need to scan a special mark... to buy and sell and participate in civil society... and require an expensive American piece of hardware that surveills you or we're shut out... this sounds vaguely familiar.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
@GrapheneOS care to comment @EUCommission @hpod16
i increasily grew annoyed with the EU a** licking of Google and Apple...
-
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
@GrapheneOS do not know almost anyone else who is making this exact point that "security" is a euphemism for "national security" and is actively opposed to privacy or auditability. certainly not user security. @dwaynemonroe has identified the extreme closeness of monopolistic and fascistic hierarchical unaccountable and potentially even illegal control
-
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
-
@GrapheneOS do not know almost anyone else who is making this exact point that "security" is a euphemism for "national security" and is actively opposed to privacy or auditability. certainly not user security. @dwaynemonroe has identified the extreme closeness of monopolistic and fascistic hierarchical unaccountable and potentially even illegal control
@GrapheneOS @dwaynemonroe pypi disabled pgp signing (certified donald stufft and william woodruff tag team production. woodruff whined about how he couldn't surveil some keypairs and claimed this made them "useless")
anyway if you want the cryptographic checkmark from pypi they need you to give microsoft or google a few minutes alone with your code before any user can see it. not "reproducible" but reprobuilds only bullies open source code not corps. would love the evangelism strike force to fight corporate DRM and not module signing in the kernel
it is very possible to reproducibly diff a build process with module signing, diffoscope just completely sucks
[yes i'm likely gonna fork it]
thanks for listening!
-
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
It's the goal.
For example, all those new laws for age verification are to prevent you from using an operating system or ROM that cannot be minored or controlled. Blocking reCAPTCHA on a non-approved, non-certified government and corporate sanctioned devices is just 1 piece of the big picture.
For example, the USA has made any new router not made in the USA illegal to import or sell. They can apply for an exception if they agree to include their new control chip or firmware.
-
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
@GrapheneOS Word! I hate #reCAPTCHA with a deep passion. It’s not just annoying but also yet another proprietary software forced on us.
It was bad before Google attempted to expand it further, and will continue to be bad.
The need to kick spambots/etc. out is understandable, but depending on proprietary software to do it is a BAD idea. There are other ways.
-
It's the goal.
For example, all those new laws for age verification are to prevent you from using an operating system or ROM that cannot be minored or controlled. Blocking reCAPTCHA on a non-approved, non-certified government and corporate sanctioned devices is just 1 piece of the big picture.
For example, the USA has made any new router not made in the USA illegal to import or sell. They can apply for an exception if they agree to include their new control chip or firmware.
Motorola has a security contract with the USA.
They will, depending on need, release a device with GrapheneOS — or delay it — and work closely with you to identify the methods and vulnerabilities you discover, as well as how you implement features to overcome the planned “new normal,” so that, behind the scenes, they can undermine and circumvent your work in the future. The investment — which includes you — is intended to strengthen relations and acquire additional contracts.
-
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
@GrapheneOS The European Union is developing a digital identity system that incorporates FIDO2 standards for secure authentication. Some governments (like the Austrian) already support FIDO2 for authentication and identification. Banks should just do that, too.
