Comment by ulrikrasmussen
7 hours ago
Even relying on Android's hardware attestation API instead of Play Integrity is an attack on digital autonomy in my opinion. Any security feature which relies on remote attestation of the users entire platform is government overreach as it ultimately gives the government the power to choose what operating systems are acceptable. It is only a matter of time before this power will be misused to put pressure on OS developers to install backdoors for the intelligence agencies. And no, asking people to own two smartphones is not a solution to this problem.
Anonymous digital age verification based on a suitable ZKP scheme and/or blind signatures does not require a general purpose operating system, it just requires a few cryptographic primitives and a set of device-bound keys. It is not too much to ask that the EU develops a specialized hardware token with these exact capabilities and offer them for free to all citizens as an alternative to the app. This also gives the citizens of EU the freedom to choose not to own a smartphone without having their access to digital services severely restricted.
I'm ok with enforcing hardware security. Both for banks and governments.
But it must not limit the ability of running custom software on a phone. And especially not enforcing every person to get a Google/Apple signed phone.
Like if I get GrapheneOS on my phone. Banking/gov apps should work. But I believe this could be possible with enforcing hardware security as well.
The chain of trust always has a software layer. I don’t believe what you want is possible.
I find the bank talking point strange, why are they special, are they even targeted more. It just feels like a boogeyman “think of your money!”
For all practical purposes it's possible to do this. The boot ROM only boots a vendor-signed bootloader, the bootloader verifies the OS kernel, etc., until you have a fully verified boot chain. A secure enclave, which is completely separated from the main CPU and OS performs the attestation using a private key in its tamper-resistant storage and embeds the results of verification by the bootloader. There may be some vulnerabilities, but most of them can be fixed in updates, with exception of the boot ROM.
The reason why the system gets broken in Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone had since 5s + Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which set up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).
[1] https://www.malwarebytes.com/blog/news/2026/03/this-android-...
1 reply →
The software layer in age verification is not necessary to trust though. The worst that could happen is that a compromised software layer steals your age credential, but it is by design anonymous so you don't risk getting your money or account stolen or anything. This makes it a different threat model from the banking case.
You can store key material in hardware-backed enclaves without involving remote attestation. If someone has a modified device/client that stores the keys elsewhere, that's on them - they're only weakening their own security.
You can't have both. "Hardware security" means the manufacturer decides which OS can run and you can't override it.
Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.
It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.
So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).
Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.
Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.
I think the reason these systems require device bound keys is because the government is concerned with easily mass-produced forged age certificates. With software keys you can get an age certificate which can be copied instantly to a large number of devices, with hardware keys the government knows that the certificate is tied to a single physical unit.
Again, at this point, they're taking things too far,age gates shouldn't need to be an impenetrable fortress (notwithstanding the question of whether they should exist in the first place).
It should simply be the adult account on the device is notified if the device is rooted, effectively no longer in child mode. Go crazy with the warnings on both devices if you want as they've opted in at that point.
Is this EU protocol so weak that it cannot withstand this attack, i.e. is duplicate age certificate use not detected or prevented?
1 reply →
> it just requires a few cryptographic primitives and a set of device-bound keys
Question: how do you make sure the keys are device-bound if you have no attestation about the hardware or operating environment?