
Comment by goldenarm

6 hours ago

Yes, fortunately we have browser alternatives.

But on mobile, my bank and my government force me to use the Android/iOS duopoly.

How do they do that? I'm not doubting that, it's an honest question. I understand how this works on Apple phones but I don't understand why an identity or attestation service cannot be replaced by another one by the alternative operating system when the hardware is not controlled by Google. Does Google have keys in tamper-proof chips? How else would those banks determine their apps are on the right phone? Or do those apps use Google authentication directly over the Internet, using hard-coded Google public keys?

  • Depending on the level of security you ask Play Integrity for, it can be:

    * Is this device rooted? Is it an unsigned build?

    * Device is signed, but is it part of the blessed signing keys? Is Play services untampered with?

    * Additional checks over the lifetime of the device.

    You could fully trust the results of Play Integrity on device, but you can also send the returned token to your server, and your server then contacts Play Integrity to validate that token. So unless you know how to spoof those encrypted tokens, you won't go very far.

    https://developer.android.com/google/play/integrity/overview
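The server-side half of the flow described in the comment above, as an added example that is not part of the original thread or Google's code: once the server has had Play Integrity decode the token, it still has to decide whether the verdict is acceptable. The field and label names follow Google's documented verdict format for classic requests; the function name, package name, nonce, timestamps and sample payloads are constructed assumptions.

```python
import time

def evaluate_verdict(payload, expected_package, expected_nonce,
                     required_level="MEETS_DEVICE_INTEGRITY",
                     max_age_s=120, now_ms=None):
    """Return a list of reasons to reject; an empty list means accept."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    # Bind the verdict to our app and to the challenge we issued.
    if req.get("requestPackageName") != expected_package:
        reasons.append("package mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch")
    # Reject old (or future-dated) verdicts so a captured token cannot be reused.
    try:
        age_ms = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age_ms = None
    if age_ms is None or not 0 <= age_ms <= max_age_s * 1000:
        reasons.append("stale or missing timestamp")
    app = payload.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app not recognized by Play")
    # Labels are cumulative, so the required one must be present in the list.
    device = payload.get("deviceIntegrity", {})
    if required_level not in device.get("deviceRecognitionVerdict", []):
        reasons.append("device does not meet " + required_level)
    return reasons

# Constructed sample data (not real tokens or verdicts).
PKG, NONCE, NOW = "com.example.bank", "Y29uc3RydWN0ZWQtbm9uY2U", 1_700_000_060_000
GOOD = {
    "requestDetails": {"requestPackageName": PKG, "nonce": NONCE,
                       "timestampMillis": "1700000000000"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
    "deviceIntegrity": {"deviceRecognitionVerdict":
                        ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY"]},
}
# Same request, but the device only earns the weakest label.
BASIC_ONLY = dict(GOOD, deviceIntegrity={
    "deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]})

if __name__ == "__main__":
    for name, p in (("good", GOOD), ("basic-only", BASIC_ONLY)):
        print(name, evaluate_verdict(p, PKG, NONCE, now_ms=NOW) or "accept")
```

The `required_level` the app's backend picks is what decides which devices are turned away, independent of what the phone itself reports.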

    • So basically an alternative OS can offer a service like Play Integrity and the only problem is that those banks hard-code a dependence on Google's Play Integrity and Google has a monopoly for that service?

      This is something that could be addressed at least in the EU by mandating banks to allow alternative services or not use this service at all.
