GrapheneOS may take legal action against Google regarding Play Integrity API

2 years ago (x.com)

I was reviewing the Android world, apparently if you want updates you either pick google, samsung or lineageos or grapheneos (still google).

Now, if you pick the first 2, you get tracking. If you pick the other two, you are banned from various apps and functionality even if the phone is not rooted because "there is no megacorp backing you up".

This is really, really bad. Equivalent to the linux secureboot issue that could have been.

  • It's certainly not the case with GrapheneOS. I have hardly faced any issues with the apps that I use. And if it's complaining about not having play services, you can install sandboxed play services on a new profile

    • Most apps work fine, but certain cases like NFC payments generally don't because those apps require that you are using an OS that is signed by someone on their allow-list.

    • On GrapheneOS, I have one banking app that works, and one that doesn't because of the linked issue.

      Hilariously the message in the app says I can't be signed in because it's detected the phone is "jailbroken/rooted" and I "can still use our mobile site". The phone is not jailbroken or rooted, and using the mobile site on the same "untrustworthy" device is just as risky...

    • Even with the maximum of proprietary services I just about got reliable location sensing while outside. Still much worse than on iOS/stock Android. Banking did work however, kudos for that.

  • > I was reviewing the Android world, apparently if you want updates you either pick google, samsung or lineageos or grapheneos (still google).

    What do you mean? Plenty of ROMs get regular updates on a variety of hardware.

> Play Integrity API is based on lies.

Fantastic line. I imagine I'm trying to escape from Google HQ while GLaDOS makes me test repeatedly, and through a crack in the wall in a storage area I see scrawled in charcoal and blood: "Play Integrity API is based on lies."

  • It's such a shame, too. The principle is sound, the feature is clearly wanted by security-conscious apps, but Google can't make an integrity API that a vast amount of their partners' existing customers won't pass.

    Something as simple as "has received a security update the past 12 months" seems like a basic requirement for fraud prevention and DRM, but doing so will kick millions of people out of common apps and make their API pretty useless while also pissing off their partners. Instead, we get this vague "does the user run a custom ROM that didn't put effort into not being detected" API that serves no purpose.

    From a user perspective, GrapheneOS is a better partner for Google to work with than so many manufacturers. The amount of straight-up spyware and API-noncompliance I've seen from super cheap phones that somehow managed to pass Google's inspection makes the entire certification process a joke. Meanwhile, Graphene manages to protect its users against exploits better than even Google can.

    Perhaps it's time for someone to write an app that spoofs the Play Integrity API not by pretending to only support software integrity, like many workarounds do, but by using the leaked manufacturer certificates to fake hardware signatures for any device, forcing Google to choose between redesigning the API or banning their partners' unrelated devices (that, let's be realistic, probably haven't received an update for their key store). Getting one of these leaked keys is probably not easy, but I'm sure _someone_ in the Android modding scene has managed to get their hands on it.

    I do wonder what Google's response will be once Graphene does indeed stop taking part in the bug bounty program and a serious exploit hits Google's devices because of code pushed to the Graphene source tree. If I were malicious, I'd start watching the GrapheneOS patches very closely now that they've indicated they're no longer reporting security bugs upstream. They've found several serious vulnerabilities in the past, and are probably one of the few projects that actually inspects and cares about Android's security mechanisms (Google's partners sure don't seem to), so I'm sure they'll find serious security flaws before Google changes its mind.

"Play Integrity" is not there for your, the user's, security. It's there for the app makers' security and guaranteed control, so that they can force you, the user, to endure their every whim and their applications' every shit dark pattern and user-hostile behavior. It is there to make all that unmitigable. If any regulator were to put an end to all that, I'd be all for it.

  • It's not even for the app makers.. it's actually for Google to ensure their spyware is installed on the device with elevated permissions.

Users should support the lawsuit. GrapheneOS is not "less secure", it's just that it doesn't give Google preinstalled privileged unremovable spyware present on the device.

"Integrity API" doesn't really check the security model, it checks whether the Google privileged spyware is installed on the device.

Actual link: https://arstechnica.com/gadgets/2024/07/loss-of-popular-2fa-...

  • Off twitter/x you miss the tweet quoted reply[1]:

    The article unfortunately leaves out most of the points we made in the thread.

    GrapheneOS supports hardware-based attestation and it's entirely possible for Google to allow it as part of the Play Integrity API. They choose to ban using GrapheneOS.

    [1]: https://nitter.privacydev.net/GrapheneOS/status/181841539179...

    • As a baseline for discussion, I agree that GrapheneOS is far more secure than stock Android (fantastic Cellebrite citation, by the way). I'm not attacking your assertion that Google is misusing Play Integrity anticompetitively, which you make a plausible case for.

      But hardware-based attestation is fundamentally based on a whitelist of OS images. With AVB, the only job of hardware is to validate that the chain of trust starts with the certificate the user provides (or the factory default). That certificate, if controlled by a trusted party, attests that the resulting chain of trust implements the Android security model correctly. But all the Android API does is provide a verifiable attestation of what is running; it can't attest that Android hasn't been e.g. Magisk'd and then re-signed. (Please correct me if I'm wrong here!)

      Google trusts themselves, of course, perhaps too much. But, they're unwilling to add others to the whitelist of things they trust. I think what you're asking for, is actually for the Play Integrity code to have some mechanism to become trusted/whitelisted (this would prevent other app devs from having to play whack-a-mole to allow other secure images). Phrasing it that way might be a good clarification.

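A relying-party policy over the hardware key attestation fields the comment above refers to (verifiedBootKey, deviceLocked, verifiedBootState, osPatchLevel), as an added example that is not from the thread, from Google or from GrapheneOS: it shows that an app verifying the attestation itself can allow-list an alternative OS's verified boot key next to the OEM's, and fold in the "security update within 12 months" check suggested earlier in the thread. Parsing the attestation certificate's ASN.1 extension is assumed already done; the key digests, sample fields and fixed date are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
# Constructed placeholders for 32-byte verifiedBootKey digests (the attestation
# carries a digest of the AVB public key, not the key). Neither value is real.
STOCK_KEY = bytes.fromhex("11" * 32)
ALT_OS_KEY = bytes.fromhex("22" * 32)
# Relying-party allow-list: digest -> (label, expected verifiedBootState).
# A built-in OEM key boots "Verified"; a user-installed key on a locked
# bootloader (a custom OS) boots "SelfSigned", so both states are legitimate.
ALLOWED_BOOT_KEYS = {STOCK_KEY.hex(): ("stock OS", "Verified"),
                     ALT_OS_KEY.hex(): ("alternative OS", "SelfSigned")}
HARDWARE_LEVELS = {"TrustedEnvironment", "StrongBox"}
MAX_PATCH_AGE_MONTHS = 12
EXAMPLE_TODAY = date(2024, 7, 15)  # fixed clock so the example is reproducible

@dataclass
class RootOfTrust:            # fields of the RootOfTrust SEQUENCE
    verified_boot_key: bytes
    device_locked: bool
    verified_boot_state: str  # Verified / SelfSigned / Unverified / Failed

@dataclass
class Attestation:            # the subset of KeyDescription this policy uses
    security_level: str       # attestationSecurityLevel
    root_of_trust: RootOfTrust
    os_patch_level: int       # osPatchLevel, encoded as YYYYMM

def patch_age_months(patch_level: int, today: date) -> int:
    year, month = divmod(patch_level, 100)
    return (today.year - year) * 12 + (today.month - month)

def evaluate(att: Attestation, today: date) -> tuple[bool, list[str]]:
    """Return (accepted, reasons); reasons names every failed check."""
    reasons = []
    if att.security_level not in HARDWARE_LEVELS:
        reasons.append("attestation is not hardware-backed")
    rot = att.root_of_trust
    if not rot.device_locked:
        reasons.append("bootloader is unlocked")
    entry = ALLOWED_BOOT_KEYS.get(rot.verified_boot_key.hex())
    if entry is None:
        reasons.append("verified boot key is not on the allow-list")
    elif rot.verified_boot_state != entry[1]:
        reasons.append(f"{entry[0]} booted in state {rot.verified_boot_state}")
    if patch_age_months(att.os_patch_level, today) > MAX_PATCH_AGE_MONTHS:
        reasons.append("OS security patch level is older than 12 months")
    return (not reasons, reasons)

def sample_attestation(key=ALT_OS_KEY, state="SelfSigned", locked=True,
                       level="TrustedEnvironment", patch=202406) -> Attestation:
    return Attestation(level, RootOfTrust(key, locked, state), patch)  # constructed
```

With a locked bootloader, a hardware-backed attestation and a key on the allow-list, the alternative OS passes in the SelfSigned state just as the stock OS does in the Verified state; the same policy rejects an unlocked bootloader or a stale patch level regardless of which OS signed the image.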

    • I don’t use twitter, so I - and anyone else who does not use twitter - only see a link to ars. It’s literally just a link to a link.

      If there’s more information, that information should be on a public site (maybe the grapheneos website?)

What is the perspective of the authors of Authy here? If they want the integrity API to limit their app to official builds, then it is working as intended by them and presumably by the users who freely choose Authy over other apps. I am not sure why Graphene has standing here.

  • 1. According to the article, graphene says that the play integrity API doesn't do what it is advertised to do, so arguing that it is a security mechanism is false.

    2. Speculation: They could argue that apps should not be allowed to lock out alternative OSes, but only alert users of "reduced security".

    3. I'm glad I left authy for Proton.

    • But there could be no "reduced security", even for apps. It's just that there's no Google spyware installed on the device with elevated permissions, that's why Google won't approve GrapheneOS.


  • The reason is that there is no open source os that can be verified with the play integrity api. Forget authy, you cannot run netflix or most banking apps.

    That's effectively discrimination for people who don't want to be tracked or people who don't want to give money to google.

    Given Google has a monopoly, this is pretty heavy.

    • I agree with some of your facts but not your conclusions. I see why people want to use GrapheneOS. I respect and admire the security efforts of the authors of GrapheneOS. The users of GrapheneOS may have totally legitimate security requirements that lead them to choose it. But if Netflix doesn't want their program to run on GrapheneOS, isn't that their business?


    • > you cannot run netflix or most banking apps

      This isn't entirely true. My phone runs a custom ROM, but has no root. Google Wallet works (to my surprise) as does my banking app.

      Amazon Prime and Netflix will play video, but only in SD, so I torrent all of those shows for when I'm not watching them on Windows.

      Once you root your phone, more features get disabled. You can still get everything to work again (as root detection APIs still cannot beat root access) but that's an everlasting arms race of annoying workarounds and features that break randomly.

      To be somewhat fair to Google, several custom ROMs, including LineageOS, do disable a LOT of security features that even outdated vendor ROMs will keep enabled, because they're a pain to implement properly. However, GrapheneOS is one of the few operating systems that would rather break app compatibility than risk exposing their users to software vulnerabilities. A Pixel with an official GrapheneOS ROM and a locked bootloader should receive the same security status, or perhaps an even better one, than many phones running stock firmware.

    • I'm not sure I agree, to be honest. As far as I'm aware: Google doesn't force app developers distributing on the Play Store to opt-in to Play Integrity; Google doesn't force app developers to exclusively distribute through the Play Store; Google doesn't force third party Android-based operating systems to use Google Play Services or the Play Store; and Google doesn't force end-users into using official Android builds versus third party builds.

      I have zero energy toward feeling anger at this situation. I don't even feel Google should or ought to change their behavior.


Sounds like Graphene OS is going to lose authy and anything else that uses the Google Integrity API.

Recommendations for a similar 2FA app that does not use the Google Integrity API?