Apple and Google are gradually expanding their use of hardware-based attestation.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
@GrapheneOS The Brazilian government app "gov.br" requires Play Integrity too. There's no fallback, no alternative verification method.
I've sent complaints to the Brazilian entities suggested in the "Keep Android Open" website, but they either reply with a template message or completely ignore it.
Google is pretty much our Evil Corp, but where is fsociety?
-
@GrapheneOS The Brazilian government app "gov.br" requires Play Integrity too. There's no fallback, no alternative verification method.
I've sent complaints to the Brazilian entities suggested in the "Keep Android Open" website, but they either reply with a template message or completely ignore it.
Google is pretty much our Evil Corp, but where is fsociety?
@GrapheneOS I've used Magisk and Play Integrity Fix/Fork before. While it works, it requires a rooted device. The PIF module has to update very often to keep working, and it would have root privileges to your phone...
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
@GrapheneOS You're just doing it wrong. Using current mobile hardware and android as base is just wrong approach. Happy to talk about this f2f.
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS we need more Linux or BSD FOSS phones. Can that mitigate or at least stop these practices?
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS Worst case, this is gonna kill desktops altogether, and AluminumOS simply existing is a huge step in that direction. -
@GrapheneOS Is this illegal under antitrust or pro-competition laws? If so, is legal action against it planned?
@GrapheneOS @alwayscurious Anti-trust is dead in the Fourth Reich. -
@garrett We provide documentation at https://grapheneos.org/articles/attestation-compatibility-guide on how apps can use the Android hardware attestation to permit GrapheneOS and other hardware / operating systems which aren't certified by Google. This API supports permitting alternate roots of trust and non-stock operating systems. We use new signing keys for each new device model so new devices won't be listed without them updating it and their list won't include alternate builds of GrapheneOS. Apps should not be doing this at all.
Hardware Attestation should only be used in situation when device is supposed to not be owned by the user. Like an internal service of a company making sure only company-provided devices are accessing it.
-
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
@GrapheneOS I’ve been reflecting on this. For the UK, wondering if we might consider a government petition that explicitly requests that all public (or publicly funded) services can be accessed and used without being forced to use any (especially any foreign) third party service?
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
@GrapheneOS We really need to start using containers for running the OS itself instead of flashing the OS. Shameless plug but LosOS (https://gitlab.com/losos-linux) does that.
-
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
@GrapheneOS Ejem... There is Altcha. Open source, GDPR compliant, and you can use your backend.
-
J jwcph@helvede.net shared this topic
