Comment by 015a
2 years ago
I'm not sure I agree, to be honest. As far as I'm aware: Google doesn't force app developers distributing on the Play Store to opt in to Play Integrity; Google doesn't force app developers to exclusively distribute through the Play Store; Google doesn't force third party Android-based operating systems to use Google Play Services or the Play Store; and Google doesn't force end-users into using official Android builds versus third party builds.
I have zero energy toward feeling anger at this situation. I don't even feel Google should or ought to change their behavior.
But Google is the dominant player and this makes a difference (Google is not always free to do what they want). GrapheneOS is not allowed in Play Integrity not because of reduced security, but because Google's spyware is not installed there with elevated permissions and unremovable.
I don't feel that's relevant when app developers are free to recognize that as a drawback of Play Integrity and not use it (which to my understanding is the case, but I have not done android development in many years).
On the one hand, you can make the argument that Google "ought" to allow Graphene into this program, because they have at least as good operating system security and hardware attestation as first-party android distributions. On the other hand: doing so would effectively mean Google is now a responsible party in the security processes and posture of Graphene; which isn't only a level of responsibility Google likely does not want, it's a level of responsibility Graphene is unlikely to grant or agree to.
Google being the dominant player is not relevant. Google acting anti-competitively would be; but I have seen no evidence of this, at least when it comes to their treatment of third party android operating systems and third party app stores. (Google's other business divisions are a different story; and specifically, Google's interactions and deals with the Galaxy Store are a little suspicious and IIRC came under fire from regulators recently. But, none of this is relevant to this discussion as far as I can tell).
Everyone is free not to use a smartphone at all, yet it doesn't affect whether something is anticompetitive or not.
> On the other hand: doing so would effectively mean Google is now a responsible party in the security processes and posture of Graphene
Hey, wait.. I don't see why that'd have to be the case. Google could make a set of security standards and then include relevant OSes in Play Integrity.. However, these standards could then be checked for being anticompetitive, and a requirement that Google spyware needs to be preinstalled with elevated privileges would certainly be anticompetitive.
> but I have seen no evidence of this, at least when it comes to their treatment of third party android operating systems and third party app stores.
Well, I and GrapheneOS claim that Play Integrity not including GrapheneOS is the evidence here :)
> On the one hand, you can make the argument that Google "ought" to allow Graphene into this program, because they have at least as good operating system security and hardware attestation as first-party android distributions. On the other hand: doing so would effectively mean Google is now a responsible party in the security processes and posture of Graphene; which isn't only a level of responsibility Google likely does not want, it's a level of responsibility Graphene is unlikely to grant or agree to.
Is Google responsible for the security posture of any other vendor? If not, why would this be any different?