Comment by freedomben

2 years ago

> Play Integrity API is based on lies.

Fantastic line. I imagine I'm trying to escape from Google HQ while GLaDOS makes me test repeatedly, and through a crack in the wall in a storage area I see scrawled in charcoal and blood: "Play Integrity API is based on lies."

It's such a shame, too. The principle is sound, the feature is clearly wanted by security-conscious apps, but Google can't make an integrity API that a vast amount of their partners' existing customers won't pass.

Something as simple as "has received a security update in the past 12 months" seems like a basic requirement for fraud prevention and DRM, but doing so will kick millions of people out of common apps and make their API pretty useless while also pissing off their partners. Instead, we get this vague "does the user run a custom ROM that didn't put effort into not being detected" API that serves no purpose.

From a user perspective, GrapheneOS is a better partner for Google to work with than so many manufacturers. The amount of straight-up spyware and API-noncompliance I've seen from super cheap phones that somehow managed to pass Google's inspection makes the entire certification process a joke. Meanwhile, Graphene manages to protect its users against exploits better than even Google can.

Perhaps it's time for someone to write an app that spoofs the Play Integrity API not by pretending to only support software integrity, like many workarounds do, but by using the leaked manufacturer certificates to fake hardware signatures for any device, forcing Google to choose between redesigning the API or banning their partners' unrelated devices (that, let's be realistic, probably haven't received an update for their key store). Getting one of these leaked keys is probably not easy, but I'm sure _someone_ in the Android modding scene has managed to get their hands on it.

I do wonder what Google's response will be once Graphene does indeed stop taking part in the bug bounty program and a serious exploit hits Google's devices because of code pushed to the Graphene source tree. If I were malicious, I'd start watching the GrapheneOS patches very closely now that they've indicated they're no longer reporting security bugs upstream. They've found several serious vulnerabilities in the past, and are probably one of the few projects that actually inspects and cares about Android's security mechanisms (Google's partners sure don't seem to), so I'm sure they'll find serious security flaws before Google changes its mind.