Comment by torginus
8 hours ago
Isn't this for the same reason why you can't do banking on an unlocked bootloader phone?
There's no way to verify the integrity of the system, and any malicious app can just grab your banking credentials or enable criminals to unlock and drive away with your car.
GrapheneOS requires a locked bootloader and supports using device attestation via the generic attestation functionality in the Android Open Source Project.
Play integrity is an anticompetitive tool that ignores this, and artificially limits itself on GrapheneOS. It is not due to any incompatibility.
The GrapheneOS supporters are not on our side, apparently. They seem to actually like remote attestation. They just don't like that they are not in on Play Integrity. But what is won if attestation includes official GrapheneOS releases but would still otherwise be exactly the same evil stuff that takes control of the user's device?
I still am hoping that at one point they understand the full consequences of remote attestation. There are some signs they start to notice, but it's slow...
Note that I am a GrapheneOS supporter. You seem to have a few misconceptions.
GrapheneOS is one of, if not the most vocal organization against the abuse of attestation mechanisms. GrapheneOS and its userbase feel the consequences of play integrity every single day.
I'm not sure where you got the idea that all GrapheneOS wants is to be accepted by play integrity, because that is not the case. GrapheneOS has been working with regulators to get play integrity banned. Being accepted by play integrity, but nothing else changing, is not good enough for GrapheneOS. It would only be a small victory along the path of abolishing this nonsense.
So, no, GrapheneOS and its community are definitely against play integrity. The "signs" that they are "starting to notice" are not there. They are already fully aware of what attestation is and how it can be abused. They are definitely not ignorant on the subject.
You might be confusing root based attestation with pinned attestation. Root based attestation is flimsy and allows tools like play integrity to ban operating systems they do not like. Pinned attestation, on the other hand, has real security properties and cannot be abused to block certain operating systems. GrapheneOS uses pinned attestation as a part of their Auditor app, and it has other cool uses we could see in the future.
> There's no way to verify the integrity of the system, and any malicious app can just grab your banking credentials or enable criminals to unlock and drive away with your car.
I get that Google doesn't want to be sued for failing to protect its users and indirect users of the mobile phones sold by other companies, but for advanced users there should be an option to update the signing keys used by the bootloader, so that you can unlock, flash your custom ROM, update keys, and relock bootloader. Such a phone should still be considered "trusted" by Google Integrity APIs. But currently there's no way to do this, so basically you don't really own your hardware.
I gave up on custom ROMs trying to extend my devices' lives and bought a Fairphone instead, so I have the assurance from the vendor that I will have software updates for a very long time.
Note that Fairphone does not provide software updates for anywhere near as long as they claim, and using a modern device with 7 years of support, such as a Pixel or iPhone, will be far better in the long term. Fairphone is basically e-waste out of the box.
Somehow that stands in stark contrast with the many Fairphone users that I know use their device for many years. One of them uses it as their primary computing device, not owning something like a laptop because the Ubuntu Touch that runs on it plugs into a screen and keyboard and works like a desktop as well as a phone for them. I don't understand why the derogatory statement about that being e-waste out of the box when it obviously works great, at least for those willing to pay the premium for as-fair-as-they-can-make-it part sourcing.
> There's no way to verify the integrity of the system, and any malicious app can just grab your banking credentials or enable criminals to unlock and drive away with your car.
I don't see how the second half of the sentence follows from the first half.
> or enable criminals to unlock and drive away with your car
Has this ever happened?
The VW app can't do remote unlock so that's not a problem. It allows you to turn on the aircon or start charging and that's about it. That only works 50% of the time anyway.
Actually, it can (at least for my combination of country and vehicle).
A criminal can just steal your keys and take the car too... why is the phone subject to more stringent restrictions?