We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it.

danieldnk@hachyderm.io wrote:

@GrapheneOS the system is open source, what stops you from implementing it and, even better, contributing to it to improve security?
Because this system is a very good idea to reinsure the banking company and European Union and it creates a viable alternative to the Play Integrity.
Your approach to just say the security relies on the user didn't convince any big firm as they are legally still responsible in case of an issue and the law on that is still protecting consumers.
The responsibility will remain on the apps for consumer protection so we need an alternative to make it that way and GrapheneOS is not providing anything for that.

grapheneos@grapheneos.social wrote (#151):

@DanielDNK This system isn't open. It's a proprietary centralized service built on top of standard Android hardware attestation. The entire purpose of Unified Attestation is centralizing control of which operating systems are allowed with the companies running it. It's absolutely unacceptable to have these companies control whether apps adopting it can run on GrapheneOS. Participating would help to legitimize this anti-competitive power grab and would give them veto power over app compat.

grapheneos@grapheneos.social wrote (#152):

@DanielDNK It would give these companies the power to sabotage GrapheneOS through breaking app compatibility at any point they choose. It would give them leverage to make arbitrary harmful demands of GrapheneOS. The system is fundamentally anti-competitive and breaks competition laws.

As soon as this system is adopted by an app which begins permitting these operating systems but not GrapheneOS, we intend to file a lawsuit against these companies and will also raise their existing attacks too.

grapheneos@grapheneos.social wrote (#153):

@DanielDNK

> Your approach to just say the security relies on the user didn't convince any big firm as they are legally still responsible in case of an issue and the law on that is still protecting consumers.

Absolutely not true. We convinced at least a dozen apps to stop using the Play Integrity API. We convinced several apps to begin permitting specific alternate operating systems which were unwilling to stop using it. You should read what we wrote in the thread about a proper approach to this.

danieldnk@hachyderm.io wrote:

@TycoonTom @GrapheneOS you will not be, the standard is open for everyone

grapheneos@grapheneos.social wrote (#154):

@DanielDNK @TycoonTom The standard is not open to everyone. It's run by a group of companies hostile to GrapheneOS which will be permitting their own products but not GrapheneOS.

Unified Attestation is a centralized system built on top of the Android hardware attestation API for the sole purpose of a power grab where these companies can control which devices and operating systems are allowed. They haven't made their own attestation system. They've made a system to control use of a standard API.

danieldnk@hachyderm.io wrote (#155):

@GrapheneOS you should not, Canada is not Europe, you will just lose a lot of money on it and probably lose as the justice doesn't like GrapheneOS anyway as they know the name as it appears in some drug trial and antitrust is not in the same window in Canada and in Europe. Why should Europe protect a Canadian company for antitrust?

danieldnk@hachyderm.io wrote (#156):

@GrapheneOS and why do you say it's not open source, the code seems available, which part do you see hidden and proprietary?

grapheneos@grapheneos.social wrote (#157):

@DanielDNK Unified Attestation is a thin wrapper around Android hardware attestation which solely exists to make themselves into a centralized authority for controlling which devices and operating systems will be allowed through it. They haven't turned the overall Android hardware attestation feature into an open source one by layering this on top of it. The only part of Android hardware attestation that's open source is the OS. The overall system doesn't have an open source implementation yet.

grapheneos@grapheneos.social wrote (#158):

@DanielDNK A centralized service which permits only specific devices and operating systems without it being possible to host it elsewhere is not open.

hybridstaticanimate@infosec.exchange wrote (#159):

@DanielDNK @GrapheneOS

The source model doesn't make the approach of the system sensible. Its approach is already a nonstarter and forking it just means convincing app devs to employ a *second* Play Integrity clone. The proper approach is for there to be no middleman between services and users, by using the generic attestation API. Play Integrity is anti-competitive and anything mimicking its approach is similarly anti-competitive.

GOS's approach to whitelist OSs with the generic attestation API (that GOS fully supports) has worked and will likely keep working as more pressure is applied. A middleman is just harmful to the user and to the service.

hybridstaticanimate@infosec.exchange wrote (#160):

@DanielDNK @TycoonTom @GrapheneOS Attestation as a process is open. The approved OSs would be controlled by the owners of Unified Attestation. The approach of just making more Play Integrity clones makes no sense when the service can just pick the OSs themselves.

tycoontom@infosec.exchange wrote (#161):

@GrapheneOS @DanielDNK Totally correct "control" 👏🏼 see pic 👇🏼

grapheneos@grapheneos.social wrote:

If banks and governments insist on checking devices for security they should define actual standards. It should be possible for any tiny project to be certified at no cost and the standards should be fairly enforced so a mainstream device without current patches is disallowed.

josenzhong@mastodon.social wrote (#162):

@GrapheneOS I don't think "security" is ever the real concern here for the government. It's always about control with their limited understanding of cyber security.

danieldnk@hachyderm.io wrote (#163):

@TycoonTom @GrapheneOS and if you install it in another profile, alone without Bitwarden in the same profile?
