Apple and Google are gradually expanding their use of hardware-based attestation.
-
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
@GrapheneOS i complained on many official service they ignore it, the ombudsman was called and they seem to ignore it too.
they all aswer the bullshit that you are labelled insecure by official tool, because google tool automatically mark non licensed OS as insecure regardless of their actual security.
-
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
@GrapheneOS Google has the entirety of its commercial success thanks to the openness and interoperability of the #WWW. To try an captcha it to build a walled garden is, frankly speaking, an act of disrespect for @timbl and the entire web community.
Microsoft has tried it. Apple has tried it as well. Both have finally had the insight that working with the community is much more rewarding and profitable than working against it.
Let's work toward Google having that same revelation as well.
(Sorry for the pun, couldn't resist)
-
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
Unified Attestation is another anti-competitive system being pushed by multiple European companies. It will similarly lock people out from using arbitrary hardware and software. That's not a solution and is far worse than Android's much more open hardware attestation API.
-
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
@GrapheneOS yes, it is hugely problematic.
-
Unified Attestation is another anti-competitive system being pushed by multiple European companies. It will similarly lock people out from using arbitrary hardware and software. That's not a solution and is far worse than Android's much more open hardware attestation API.
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
-
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
@GrapheneOS the irony that it's fine to use a desktop for the same task as long as you use SMS 2FA is also scorching
-
@7cd4a72311bad46117e0f692dddc5f31a543b47ff4265b028f8d820ac808ab3c @MAlBarram We have a partnership with Motorola Mobility (Lenovo) and are working with them towards their 2027 devices providing all of our requirements and providing official GrapheneOS support. We're actively working with them on getting the requirements implemented and GrapheneOS ported to their devices. It has nothing to do with the thread we posted though since it's not going to help with any of this.
-
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
@GrapheneOS does this mean that we gonna have to install sandboxed google play
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
@GrapheneOS if it was about security this system would be more close to Https certificate (not identique of course for obvious techical reason) than what google make now (with themselve as sole capable certificate controler).
-
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
@GrapheneOS I side loaded the EU's sample age verification app - which seems to work on my GrapheneOS phone. Is there a way to know if it is only working because I also have the PlayStore installed?
-
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
@GrapheneOS it seems we can't even avoid it by avoiding smartphones altogether. I'm really concerned that for people who eg only have access to the internet through a library/school/borrowed computer, they'll be banned from most of the web for the crime of not being able to afford a smartphone
-
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
@GrapheneOS Sovereignty
-
@GrapheneOS do not know almost anyone else who is making this exact point that "security" is a euphemism for "national security" and is actively opposed to privacy or auditability. certainly not user security. @dwaynemonroe has identified the extreme closeness of monopolistic and fascistic hierarchical unaccountable and potentially even illegal control
And "national security" is in turn a euphemism for "rulers' security".
-
@thomas Using attestation doesn't imply allowing only a specific set of hardware and operating systems. That's not at all implied and isn't even possible for an implementation only providing pinning-based verification rather than root-based verification.
@GrapheneOS @thomas I’m going back to bed
-
Motorola has a security contract with the USA.
They will, depending on need, release a device with GrapheneOS — or delay it — and work closely with you to identify the methods and vulnerabilities you discover, as well as how you implement features to overcome the planned “new normal,” so that, behind the scenes, they can undermine and circumvent your work in the future. The investment — which includes you — is intended to strengthen relations and acquire additional contracts.
@Linux @GrapheneOS Do you have a reference for that? You might be mixing up Motorola Mobility with Motorola Solutions, which are two separate companies.
-
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
@GrapheneOS -- I am not surprised that they are going for hardware certificates since the CPU chiphering / randomness tampering is going to fade away soon:
...and yes, I am again me: the one behind the Sailfish OS refactoring attempt then presented as RedFish OS at SFSCONF 2023.
***
-
Motorola has a security contract with the USA.
They will, depending on need, release a device with GrapheneOS — or delay it — and work closely with you to identify the methods and vulnerabilities you discover, as well as how you implement features to overcome the planned “new normal,” so that, behind the scenes, they can undermine and circumvent your work in the future. The investment — which includes you — is intended to strengthen relations and acquire additional contracts.
@Linux Motorola Mobility is a subsidiary of Lenovo and definitely doesn't have the relationship you're describing with the US government. Motorola was split up in 2011 and Motorola Mobility was acquired by Lneovo in 2014. You're confusing entirely different companies together, not that it would make sense regardless since GrapheneOS is open source. They don't need to do anything special to see what we're doing.
-
Android's hardware attestation shouldn't be used to lock out users not using specific hardware or OSes. However, the fact that it permits arbitrary roots of trust and OSes at least allows services to permit more. Google could use it to permit GrapheneOS for Play Integrity if that was about security.
@GrapheneOS It is not. Nothing is about security, everything is about device lockdown so surveillance becomes unescapable. This is the ultimate goal of the system. It is quite evident on all fronts. Mobile, desktop, consumer electronics, vehicles etc. Only servers seem to get a lighter treatment because they are used by corporations.
-
@Linux @GrapheneOS Do you have a reference for that? You might be mixing up Motorola Mobility with Motorola Solutions, which are two separate companies.
I am the source.
Both Motorola Mobility with Motorola Solutions CAGE Code: 01113, 6H7Z2, 78205, and 7H229 (NCAGE).
If you’re looking for an actual document that says, “Yes, we’re trying to screw over the American people,” a written confession in a convenient PDF file, you won’t find one. Ever.
-
I am the source.
Both Motorola Mobility with Motorola Solutions CAGE Code: 01113, 6H7Z2, 78205, and 7H229 (NCAGE).
If you’re looking for an actual document that says, “Yes, we’re trying to screw over the American people,” a written confession in a convenient PDF file, you won’t find one. Ever.
