Comment by gaiagraphia
10 hours ago
Big shout out to Google Play Integrity/Safety Net (or whatever it's currently called).
Was the one thing which ended my couple of years without Google, as my banking apps started banning my phones fingerprint for being insecure.
Seems like in a major part of '''Pax Americana''' is needing to use a Google or Apple fingerprint to participate in society. Makes you laugh when people whinge about China.
Attesting that a closed source device meets arbitrary closed source standards is a necessary evil.
One real world problem is that some existing systems are built relying on the integrity of the components within, i.e. BART in the bay area relies on the BART cards being honest and secure. If iPhones are to be allowed into the system, they also have to be honest and secure.
The capability is being over-used and abused, and we should design systems to never need it, but some do.
> If iPhones are to be allowed into the system, they also have to be honest and secure.
This describes a 1:1, total-trust relationship. There are other types of systems fulfilling the requirements without needing a 1:1, total-trust relationship.
For example, the main requirements here are: The account succeeds at making requests it is allowed to make, and the account fails at making requests it is not allowed to make. Both those requirements can be fulfilled entirely server-side, and should be. Why require the client to be locked down?
> Why require the client to be locked down?
It is hard and likely expensive to require every single reader in every single city to be networked:
> Because Clipper operates in multiple geographical areas with sporadic or non-existent internet access, the fare collection and verification technology needs to operate without any networking. To accomplish this, the Clipper card memory keeps track of balance on the card, fares paid, and trip history.
https://en.wikipedia.org/wiki/Clipper_card#Technology
Don't worry, Pax China will have you giving the fingerprint to Xiaomi and Huawei instead.
In Europe, banking apps block root but still work on a custom OS (like LineageOS) without contactless payments. I guess this is because many people here buy Chinese phones and they just can't ignore them.