
Comment by formerly_proven

14 hours ago

If I had to guess it’s liability concerns around the app-based remote unlock and parking + R155 and CRA. A lot of European companies have moved to require attestation in their apps, likely spurred on by the CRA.

But why? I'd understand (though not approve) them tightening down everything about the car firmware to the max. They are responsible for the app, sure (it's a "digital element"), but they aren't responsible for the OS the app runs on. The CRA should not be used as an excuse to enact stupid restrictions.

  • Unfortunately, due to the nature of these things, you cannot verify an app is unmodified without also verifying that the OS running it is unmodified. So if VW decides that only their unmodified app may access APIs, then they kind of are stuck verifying the OS.

    They can, given basic competence in SW engineering, also verify against GrapheneOS' published release keys. The reason they don't is the same reason Google closed my ticket asking them to include Graphene keys in Play Integrity checks: they don't care.
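The allowlist check the reply is arguing for, as an added example in Python that is not part of this thread and is not VW's, Google's or GrapheneOS's code. It models the root-of-trust fields of an Android key attestation (verified boot key hash, lock state, verified boot state) as plain Python data and applies a server-side policy that accepts either the vendor's stock key or a published alternative-OS key, provided the bootloader is locked and the attestation is hardware-backed. The X.509 chain validation and ASN.1 parsing that would produce these fields are assumed to happen beforehand; the `evaluate` function, the `Attestation`/`RootOfTrust` types, the patch-level rule, the treatment of the SelfSigned state and every fingerprint and hash value are assumptions of this example, with the key hashes being placeholders rather than real published keys.

```python
"""
Added example (not from the thread): server-side attestation policy that
accepts a device when its hardware-backed attestation chains to a trusted
root AND the verified-boot root of trust is either the vendor's stock key
or a published key of a known alternative OS (GrapheneOS here), with the
bootloader locked.  All fingerprints, hashes and sample records are
constructed placeholders.  Parsing the real attestation extension and
validating the certificate chain are assumed to happen before evaluate().
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class VerifiedBootState(IntEnum):
    # Enum values from the Android key attestation schema (RootOfTrust)
    VERIFIED = 0
    SELF_SIGNED = 1
    UNVERIFIED = 2
    FAILED = 3


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes            # SHA-256 of the key that signed the boot image
    device_locked: bool                 # bootloader locked?
    verified_boot_state: VerifiedBootState


@dataclass(frozen=True)
class Attestation:
    chain_root_fingerprint: str         # fingerprint of the attestation chain's root cert
    security_level: str                 # "TEE" or "StrongBox" for hardware-backed keys
    os_patch_level: int                 # YYYYMM as reported in the attestation
    root_of_trust: RootOfTrust


# Placeholder values (assumptions of this example, not real fingerprints/keys).
TRUSTED_ATTESTATION_ROOTS = {"sha256:HARDWARE-ATTESTATION-ROOT-PLACEHOLDER"}

# The point made in the thread: the allowlist can hold more than the stock key.
VERIFIED_BOOT_KEY_ALLOWLIST = {
    bytes.fromhex("11" * 32): "stock",        # placeholder for the vendor's key hash
    bytes.fromhex("22" * 32): "GrapheneOS",   # placeholder for a published GrapheneOS key hash
}

HARDWARE_LEVELS = {"TEE", "StrongBox"}


def evaluate(att: Attestation, min_patch_level: int) -> Tuple[bool, str]:
    """Return (accepted, os_name) on success or (False, reason) on rejection."""
    if att.chain_root_fingerprint not in TRUSTED_ATTESTATION_ROOTS:
        return False, "attestation chain does not end in a trusted root"
    if att.security_level not in HARDWARE_LEVELS:
        return False, "attestation is not hardware-backed"
    rot = att.root_of_trust
    if not rot.device_locked:
        return False, "bootloader unlocked"
    # Assumption of this example: a locked device booting a custom-signed OS may
    # report SELF_SIGNED rather than VERIFIED, so the key allowlist is the real gate.
    if rot.verified_boot_state not in (VerifiedBootState.VERIFIED,
                                       VerifiedBootState.SELF_SIGNED):
        return False, "verified boot state " + rot.verified_boot_state.name
    os_name = VERIFIED_BOOT_KEY_ALLOWLIST.get(rot.verified_boot_key)
    if os_name is None:
        return False, "verified boot key not on allowlist"
    if att.os_patch_level < min_patch_level:
        return False, "%s patch level %d too old" % (os_name, att.os_patch_level)
    return True, os_name


def _sample(key_hex_byte: str, locked: bool = True,
            state: VerifiedBootState = VerifiedBootState.VERIFIED,
            patch: int = 202405) -> Attestation:
    """Build a constructed attestation record with the given root-of-trust values."""
    return Attestation(
        chain_root_fingerprint="sha256:HARDWARE-ATTESTATION-ROOT-PLACEHOLDER",
        security_level="TEE",
        os_patch_level=patch,
        root_of_trust=RootOfTrust(bytes.fromhex(key_hex_byte * 32), locked, state),
    )


# Constructed sample attestations covering the accept and reject paths.
SAMPLE_STOCK = _sample("11")
SAMPLE_GRAPHENE = _sample("22", state=VerifiedBootState.SELF_SIGNED)
SAMPLE_UNLOCKED = _sample("22", locked=False)
SAMPLE_UNKNOWN_KEY = _sample("33")
SAMPLE_STALE = _sample("22", patch=202301)

if __name__ == "__main__":
    for name, rec in [("stock", SAMPLE_STOCK), ("GrapheneOS", SAMPLE_GRAPHENE),
                      ("unlocked", SAMPLE_UNLOCKED), ("unknown key", SAMPLE_UNKNOWN_KEY),
                      ("stale", SAMPLE_STALE)]:
        print(name, evaluate(rec, 202401))
```

The gate that matters is the verified boot key hash plus a locked bootloader, not "is this the vendor's exact OS"; a deployment that only hardcodes the stock key hash has made a policy choice, not run into a technical limit.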