
Comment by amelius

11 hours ago

You don't have to use Chrome or Chromium.

The irony of this is that when using Firefox to browse to the /e/OS URL to check for compatible devices:

https://e.foundation/installer/

I get a pop-up telling me that my browser is not compatible, and I should use Edge, Opera or Chrome. See [1].

[1] https://imgur.com/a/al1Q9DM

  • I think it's due to the lack of WebUSB API support in Firefox; it is needed for the web installer, both for eOS and GrapheneOS.

    • As I explained elsewhere in this post, I got to this installer page by clicking on "Check device compatibility" on the https://e.foundation/e-os/ page.

      So I was actually expecting a device listing page, not a WebUSB program.

  • That's a bizarre one. 'You need Chrome' is bad enough, which even the bloody NHS are guilty of, but I always assume that's 'just' an assumption that not Chrome means IE or something, and they haven't woken up even to the proliferation of mobile Safari users.

Yes, fortunately we have browser alternatives.

But on mobile, my bank and my government force me to use the Android/iOS duopoly.

  • How do they do that? I'm not doubting that, it's an honest question. I understand how this works on Apple phones but I don't understand why an identity or attestation service cannot be replaced by another one by the alternative operating system when the hardware is not controlled by Google. Does Google have keys in tamper-proof chips? How else would those banks determine their apps are on the right phone? Or do those apps use Google authentication directly over the Internet, using hard-coded Google public keys?

    • Depending on the level of security you ask for Play Integrity, it can be:

      * Is this device rooted, is it an unsigned build?

      * Device is signed, but is it part of the blessed signing keys? Is Play services untampered with?

      * Additional checks over the lifetime of the device.

      You could fully trust the results of Play Integrity on device, but you can also send the returned token to your server, and your server then contacts Play Integrity to validate that token. So unless you know how to spoof those encrypted tokens, you won't go very far.

      https://developer.android.com/google/play/integrity/overview

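Added example, not part of any comment in this thread: a server-side policy check over a Play Integrity verdict after Google's servers have decoded the token, which is the flow the reply above describes. The field names follow the verdict payload documented at the link above; the function names, the required label, the age window and the sample values are assumptions constructed for illustration.

```python
import hmac
import time

def evaluate_verdict(verdict, expected_package, expected_nonce,
                     required_label="MEETS_DEVICE_INTEGRITY",
                     max_age_s=300, now_ms=None):
    """Apply a server-side policy to a verdict Google has already decoded.

    Returns (accepted, reasons). Hypothetical helper, not a Google API.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails") or {}
    app = verdict.get("appIntegrity") or {}
    dev = verdict.get("deviceIntegrity") or {}
    reasons = []

    # Bind the verdict to our app and to the challenge this server issued,
    # so a verdict obtained for another app or session is not accepted.
    if req.get("requestPackageName") != expected_package:
        reasons.append("package mismatch")
    nonce = req.get("nonce")
    if not (isinstance(nonce, str) and
            hmac.compare_digest(nonce.encode(), expected_nonce.encode())):
        reasons.append("nonce mismatch")
    try:
        age_ms = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age_ms = -1  # missing or malformed timestamp is treated as invalid
    if not 0 <= age_ms <= max_age_s * 1000:
        reasons.append("stale or missing timestamp")

    # App and device checks fail closed when a field is absent.
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized")
    if required_label not in (dev.get("deviceRecognitionVerdict") or []):
        reasons.append("device lacks " + required_label)
    return (not reasons, reasons)

def sample_verdict(labels, nonce="c2FtcGxlLW5vbmNl", ts=1_700_000_000_000):
    """Constructed sample payload (not captured from a real device)."""
    return {
        "requestDetails": {"requestPackageName": "com.example.bank",
                           "nonce": nonce, "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
        "deviceIntegrity": {"deviceRecognitionVerdict": labels},
    }
```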

Chrome is just an example. Google stopped pretending Android is a general purpose OS and started cracking down on what is possible without Google’s approval. See developer verification, everything within Google services, etc.