We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it.
-
We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.
The Nostr based app store called "Zapstore" has already solved this problem. Zapstore empowers developers to sign and release apps over the Nostr protocol without needing to get permission from any app store or from any governnent or any other entity.
The Zapstore already has most of the useful F-Droid apps, and anyone can release more apps.
Zapstore.dev
-
There's no legitimate purpose for either Play Integrity or Unified Attestation to exist. Both will inherently fail to uphold even basic security standards since otherwise their own products wouldn't be allowed. Root-based attestation is also inherently not a secure approach.
Having a European version of the Play Integrity which permits people to use insecure products from specific European companies participating in it while disallowing using arbitrary hardware or software is the opposite of a solution. It's more of the same anti-competitive garbage.
-
@ftm @GrapheneOS it is worth checking Volla's source trees. They use ancient kernels firmware blobs, etc. It's pretty much the same issue as GMS Android, the whole attestation thing becomes security theater if phones with years of known holes get attested.
@ftm @GrapheneOS Another thing I don't really like about Volla is that they seem to do Eurowashing.
Maybe (some part of) the Volla Phone Quintus is assembled in Europe, but the phone seems to be a rebranding of the Daria Bond 5G (stated by multiple sources, including the PostmarketOS wiki) with a markup of ~550 Euro (~160 -> 719 Euro): https://www.amazon.ae/Android-Smartphone-Storage-Octa-Core-Monetization/dp/B0DDYDZC4V?th=1
The Daria Bond 5G is sold by an UAE company that also maintains the Volla Phone Quintus source trees (well, 'maintain' is a big word).
-
@zaire wat
-
Murena and iodé are extremely hostile towards GrapheneOS. They've spent years misleading people about it with inaccurate claims to promote their insecure products. We'll never work with them. Volla, Murena and iodé should have no say in which OS people can use on their devices.
@GrapheneOS ich erlebe das genauso umgekehrt von euch gegenüber den anderen Custom ROMs. Ihr seid denen nicht weniger feindlich eingestellt wie ihr das von ihnen behauptet.
-
We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.
@GrapheneOS So if Im understanding this correctly, what GOS wants is for apps to use an API that will interface with a hardware chip like the titan m2 and will report that the bootloader is locked etc and also report the signing key to apps? Then it would be up to the app to trust that key (which necessitates an allowlist of sorts maintained by apps individually). Is my understanding correct?
-
@GrapheneOS So if Im understanding this correctly, what GOS wants is for apps to use an API that will interface with a hardware chip like the titan m2 and will report that the bootloader is locked etc and also report the signing key to apps? Then it would be up to the app to trust that key (which necessitates an allowlist of sorts maintained by apps individually). Is my understanding correct?
@GrapheneOS If that is the case, then IMO uattest is actually better. A CA like uattest, as bad as it sounds, will probably be more amenable to allowing reasonably secure alternative OS like LineageOS. You only need to persuade one entity. While if each app gets to decide then you have to convince each dev, bank, gov to allow your OS. That doesnt sound very practical. And the uattest proposal can be implemented right now on most devices while most devices dont have a security chip at the moment.
-
@dristor Android Open Source Project and GrapheneOS are Linux distributions. GrapheneOS is fully compatible with Android apps and has support for running the vast majority of apps depending on the Play Integrity API. GrapheneOS can run apps for non-Android operating systems via hardware-based virtualization. Hardware-based virtualization support will continue to be fleshed out both for running non-native apps and running Android apps with stronger isolation than the Linux kernel can provide.
Is it me or grapheneos is only supporters on google pixel models ?
If yes why should we give money to google ? -
We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.
@GrapheneOS The same stuff that you need attestation in a phone for usually can be done using just a computer with a web browser. No attestation needed.
The only thing that I can think of that requires this attention and integrity stuff is anything shady that you want nobody to look at.
And device ecosystem extortion, of course.
-
@GrapheneOS ich erlebe das genauso umgekehrt von euch gegenüber den anderen Custom ROMs. Ihr seid denen nicht weniger feindlich eingestellt wie ihr das von ihnen behauptet.
@MrGR aber halt mit recht.
-
Is it me or grapheneos is only supporters on google pixel models ?
If yes why should we give money to google ?@Paul_stilgar
They have very good reasoning: https://grapheneos.org/faq#future-devicesAnd they will be expanding now with their Motorola partnership. GrapheneOS isn't like Lineage, it can't be put on any phone.
-
Murena and iodé are extremely hostile towards GrapheneOS. They've spent years misleading people about it with inaccurate claims to promote their insecure products. We'll never work with them. Volla, Murena and iodé should have no say in which OS people can use on their devices.
@GrapheneOS Well, I don't know what's going on in your heads, but whether people want to use Murena, Volla, etc., or GrapheneOS, that's up to the users themselves to decide... It's okay if you don't like each other, but making a statement like that is below the belt... As a GrapheneOS user, I feel embarrassed on your behalf... Just because you've teamed up with Motorola doesn't mean you have to be so arrogant... My two cents.
-
Is it me or grapheneos is only supporters on google pixel models ?
If yes why should we give money to google ?@Paul_stilgar man, if only they had a website with an FAQ that explains this.... Alas
-
@GrapheneOS So if Im understanding this correctly, what GOS wants is for apps to use an API that will interface with a hardware chip like the titan m2 and will report that the bootloader is locked etc and also report the signing key to apps? Then it would be up to the app to trust that key (which necessitates an allowlist of sorts maintained by apps individually). Is my understanding correct?
@pixelsfanryo No, your understanding is not correct. We want apps to start implementing proper server side security protections instead of using obfuscation and weak anti-tampering systems such as this to try to stop people looking at their code and experimenting with their services to find vulnerabilities. Apps shouldn't be enforcing using only specific operating systems. They're welcome to warn people about having an insecure OS but shouldn't be banning users from using what they want to use.
-
Murena and iodé are extremely hostile towards GrapheneOS. They've spent years misleading people about it with inaccurate claims to promote their insecure products. We'll never work with them. Volla, Murena and iodé should have no say in which OS people can use on their devices.
@GrapheneOS Also ich weiß ja nicht, was in euren Köpfen vorgeht aber: Ob die Menschen Murena, Volla und Co nutzen wollen oder GrapheneOS nutzen, dass sollen die user selbst entscheiden ..... Das ihr euch untereinander nicht leiden könnt okay, sei es drum, aber so ne Aussage abzuliefern ist unterhalb der Gürtellinie..... Da muss man sich als GrapheneOS User ja für eure Aussage regelrecht fremd schämen .... Nur weil ihr nun mit Motorola euch zusammengetan habt, heißt es noch lange nicht das ihr euch so überheblich ablästern müsst ..... Meine Meinung
-
@GrapheneOS If that is the case, then IMO uattest is actually better. A CA like uattest, as bad as it sounds, will probably be more amenable to allowing reasonably secure alternative OS like LineageOS. You only need to persuade one entity. While if each app gets to decide then you have to convince each dev, bank, gov to allow your OS. That doesnt sound very practical. And the uattest proposal can be implemented right now on most devices while most devices dont have a security chip at the moment.
@pixelsfanryo No, your understanding is not correct. We want apps to start implementing proper server side security protections instead of using obfuscation and weak anti-tampering systems such as this to try to stop people looking at their code and experimenting with their services to find vulnerabilities. Apps shouldn't be enforcing using only specific operating systems. They're welcome to warn people about having an insecure OS but shouldn't be banning users from using what they want to use.
-
@GrapheneOS Well, I don't know what's going on in your heads, but whether people want to use Murena, Volla, etc., or GrapheneOS, that's up to the users themselves to decide... It's okay if you don't like each other, but making a statement like that is below the belt... As a GrapheneOS user, I feel embarrassed on your behalf... Just because you've teamed up with Motorola doesn't mean you have to be so arrogant... My two cents.
@Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.
-
@GrapheneOS Also ich weiß ja nicht, was in euren Köpfen vorgeht aber: Ob die Menschen Murena, Volla und Co nutzen wollen oder GrapheneOS nutzen, dass sollen die user selbst entscheiden ..... Das ihr euch untereinander nicht leiden könnt okay, sei es drum, aber so ne Aussage abzuliefern ist unterhalb der Gürtellinie..... Da muss man sich als GrapheneOS User ja für eure Aussage regelrecht fremd schämen .... Nur weil ihr nun mit Motorola euch zusammengetan habt, heißt es noch lange nicht das ihr euch so überheblich ablästern müsst ..... Meine Meinung
@Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.
-
@Paul_stilgar
They have very good reasoning: https://grapheneos.org/faq#future-devicesAnd they will be expanding now with their Motorola partnership. GrapheneOS isn't like Lineage, it can't be put on any phone.
-
@Pingitux Their products aren't at all what they claim but rather have poor privacy and atrocious security. They feel very threatened by GrapheneOS. Murena and iodé have engaged in many years of attacks on GrapheneOS including personal attacks on our team. They've engaged in absolutely vile fabrications and bullying aimed at directing harassment towards our team. Their communities have relentlessly targeted our team with harassment. You're pushing a false narrative about what's happening.
@Pingitux Here's the founder and CEO of /e/ and Murena linking to harassment content from a neo-nazi conspiracy site targeting our founder with fabrications:
https://archive.is/SWXPJ
https://archive.is/n4yTOTheir founder and CEO has regularly engaged in vile personal attacks on our including spreading harassment content directly from Kiwi Farms.
Debunking lies about GrapheneOS and our team along with providing accurate information countering their false marketing isn't what you claim it is.
torment nexus
european torment nexus
