| ▲ | 201984 a day ago |
| Are techniques like using Frida and mitmproxy on Android apps still going to be possible after the signing requirement goes into effect next year? |
|
| ▲ | bri3d a day ago | parent | next [-] |
| Overall: yes, but it will get much harder for apps which need attestation, which is sort of the point, for better or for worse. As far as I know you'll still be able to OEM unlock and root phones where it's always been allowed, like Pixels, but then they'll be marked as unlocked so they'll fail Google attestation. You should also be able to still take an app, unpack it, inject Frida, and sideload it using your _own_ developer account (kind of like you can do on iOS today), but it will also fail attestation and is vulnerable to anti-tampering / anti-debugging code at the application level. |
| |
| ▲ | josteink 21 hours ago | parent [-] | | So for people with any practical needs what so ever (like banking): No. At this point Android isn’t meaningfully an open-source platform any more and it haven’t been for years. On the somewhat refreshing side, they are no longer being dishonest about it. | | |
| ▲ | bri3d 21 hours ago | parent | next [-] | | I don't think any vendor should be solving for "I want to do app RE and banking on the same device at the same time;" that seems rather foolish. These are sort of orthogonal rants. People view this as some kind of corporate power struggle but in this context, GrapheneOS, for example also doesn't let you do this kind of thing, because it focuses on preserving user security and privacy rather than using your device as a reverse-engineering tool. There is certainly a strong argument that limiting third-party app store access and user installation of low-privilege applications is an anticompetitive move, but by and large, that's a different argument from "I want to install Frida on the phone I do banking on," which just isn't a good idea. The existence of device attestation is certainly hostile to reverse engineering, and that's by design. But from an "I own my hardware and should use it" perspective, Google continue to allow OEM unlock on Play Store purchased Pixel phones, and the developer console will allow self-signing arbitrary APKs for development on an enrolled device, so not so much has changed with next year's Android changes. | | |
| ▲ | franga2000 20 hours ago | parent | next [-] | | > But from an "I own my hardware and should use it" perspective, Google continue to allow OEM unlock on Play Store purchased Pixel phones, and the developer console will allow self-signing arbitrary APKs for development on an enrolled device [...] But that's not really using it, is it? If the process of getting access to do whatever I want on my smartphone makes it cease to be a viable smartphone, can you really count that as being able to use it? It's like if having your car fixed by a third party mechanic made it not street legal. It is still a car and it does still drive, but are you really still able to meaningfully use it? And before anyone jumps on my metaphor with examples of where that's actually the case with cars, think about which cases and why. There are modifications that are illegal because they endanger others or the environment, but everything else is fair game. | |
| ▲ | 3abiton 20 hours ago | parent | prev | next [-] | | What I don't get is, if I am using my bank website on linux (with full root ability), it's still almost nearly the same as having the app on Android. The argument of "we lock it down to protect you makes 0 sense to me" | | |
| ▲ | bri3d 20 hours ago | parent | next [-] | | * Your bank (and Google) want to deal with as little fraud as possible. * Market forces demand they provide both a website and an Android app. * If both platforms are equally full of fraud, have the same features, and both have similar use, they cut out half the fraud even if they can only make one or the other fraud proof. * But it isn't like that in reality: in reality, something more like 80% of their use and 90% of their fraud comes from mobile devices, and so cutting off that route immediately reduces their fraud-load by a lion's share. Ergo, locking down the app is still in everyone's best interest, before we even get into the mobile app having features the desktop one does not (P2P payments, check deposit, etc.) And this isn't just a weird theory / ivory tower problem: Device Takeover banking fraud on Android is _rampant_ (see Gigabud/GoldDigger). | | |
| ▲ | Wowfunhappy 20 hours ago | parent [-] | | Why does most fraud come from locked down mobile devices and not open Windows/Linux PCs? If it's true that 90% of fraud comes from mobile despite all of the restrictions, what that tells me is that locking down devices doesn't actually prevent fraud. --- > before we even get into the mobile app having features the desktop one does not (P2P payments, check deposit, etc.) I think it would be reasonable to disable those specific features on mobile while leaving the rest of the app accessible. Actually, back when jailbreaking iOS was still actually feasible, I recall the Chase app doing exactly that. The app worked fine, but it wouldn't let me deposit checks, I had to go to a branch for that. A bit annoying, but I can mostly understand that one. | | |
| ▲ | bri3d 19 hours ago | parent [-] | | > If it's true that 90% of fraud comes from mobile despite all of the restrictions Statistics on mobile vs. desktop banking will really shock you; the mobile usage penetration is easily well upwards of 90% in many markets. There's also a skewed distribution for fraud-vulnerable users and scenarios. > I think it would be reasonable to disable those specific features on mobile while leaving the rest of the app accessible. I agree with you in an idealist sense; it would be awesome to be able to use GrapheneOS and have 80% app functionality instead of 0% app functionality. I also completely understand why nobody does it; supporting what's probably <0.001 (if not lower)% of legitimate users in exchange for development time and fraud risk isn't a particularly appealing tradeoff. If I were in a situation to advocate for such a trade-off, I probably would, but I don't think it's evidence of a sinister conspiracy that nobody does that. | | |
| ▲ | Wowfunhappy 18 hours ago | parent [-] | | > Statistics on mobile vs. desktop banking will really shock you; the mobile usage penetration is easily well upwards of 90% in many markets. There's also a skewed distribution for fraud-vulnerable users and scenarios. But if my goal was to commit fraud, wouldn't I go to wherever it was easiest to commit fraud? The actual market penetration of each platform shouldn't matter. | | |
| ▲ | dsymonds 18 hours ago | parent [-] | | It's usually done in bulk, so the overall payoff is the combination of value and number of targets, but the effort is typically sublinear with the targets. Something easier to attack but relatively low in number is not as juicy as something a bit harder (where the effort is mostly a one-off up-front rather than per target) but having many, many more targets. |
|
|
|
| |
| ▲ | machinate 20 hours ago | parent | prev [-] | | They usually don't let you deposit checks via web app. | | |
| ▲ | jrockway 17 hours ago | parent [-] | | It's unclear what device attestation does here. You can print a fake check and take whatever picture you want. If it's using dead pixels or something as a device fingerprint, you get those dead pixels. You can also fake dead pixels, of course. Authenticating the phone's OS doesn't authenticate the camera, or what the camera's looking at. It's a signal, maybe, but the weak link in "a napkin with the right numbers and scribble on it is a money transfer" is probably not whether someone has root on the device that's taking a picture of the napkin. |
|
| |
| ▲ | KetoManx64 21 hours ago | parent | prev [-] | | GrapheneOS strongly recommends that you do not do it, but it will not stop you if you want to.
You can root and leave your bootloader unlocked or create a custom user signed image with root support included. Plenty of user written guides out there how to do so. | | |
| |
| ▲ | akimbostrawman 11 hours ago | parent | prev | next [-] | | >At this point Android isn’t meaningfully an open-source platform any more Google Android as installed on 99% of stock android phones never was open source. AOSP continues to be open source and is not effected by any changes made in the proprietary google android and google play services eco system. People would do good by stop conflating the two. | |
| ▲ | miki123211 21 hours ago | parent | prev | next [-] | | Open source has nothing to do with hackability. Firmware which requires updates to be signed with a manufacturer key can still be open source. As long as its code is available publicly, under a license which lets the user create derivative works, it meets the definition. You can still make a version of it that doesn't contain that check, you just can't install that version on the device you bought from the original firmware developer. Some FIDO keys (and I think Bitcoin wallets) do this. | | |
| ▲ | jcalvinowens 10 hours ago | parent [-] | | > Open source has nothing to do with hackability. That's not universally true, it depends on the license we're talking about. As an arbitrary counterexample, the LGPL specifically requires you to give end users of your thing a way to link your object code with their own modified version of the LGPL'd library. |
| |
| ▲ | Wowfunhappy 20 hours ago | parent | prev [-] | | I'm stuck on iOS for various reasons, but if I was on Android I could do without mobile banking in exchange for having root privileges. I don't entirely understand why this is such a big deal. If e.g. Slack required attestation that would be a different story. I need that for work. | | |
|
|
|
| ▲ | pimterry 20 hours ago | parent | prev | next [-] |
| It's not really going to be directly affected by that change I would expect. Most reverse engineering is on rooted devices & emulators anyway, which are already outside the bounds of those kinds of Google restrictions. For the (less common) cases where you want to use a non-rooted device (e.g. using Frida by injecting it into the APK via gadget) it gets trickier, but I think in practice there will still be a way for developers to build & install their own APKs with developer mode enabled. This will be tightened, but removing that restriction would effectively make Android development impossible so it seems very unlikely - I think they will block sideloading on all non-developer devices only, or allow you to add your own developer cert for development or similar (all of which would probably be fine for development & reverse engineering, while still being a massive pain for actual distribution of apps). The larger issue is device attestation, which _could_ make all rooted/non-certified devices progressively less practical, as more apps attempt to aggressively detect unmodified devices. Right now that's largely limited to big financial apps, and has some downsides (you get a bunch of complaints from all 3 GrapheneOS users, and it requires a bunch of corresponding server work to be reliable) but it could become more widespread. |
|
| ▲ | mschuster91 a day ago | parent | prev [-] |
| They're already barely possible as it is. For frida to work you need to root the device, which is impossible on ever more models, and there's an endless supply of very good rooting detection SDKs on the market, not to mention Play Integrity. |
| |
| ▲ | pimterry 20 hours ago | parent | next [-] | | > For frida to work you need to root the device, which is impossible on ever more models There's plenty of physical devices where it is possible, and Google publish official emulator images with root access for every Android version released to date. This part is still OK. > there's an endless supply of very good rooting detection SDKs on the market, not to mention Play Integrity Most of the root detection is beatable with Frida etc, mostly. Play Integrity & attestation (roughly: 'trusted computing' on your phone, which signs messages as 'from an unmodified certified device' in a way that the server can verify, to only allow connections from known-good devices) is a much larger problem. Best hope here is that a) it creates much work for most apps to bother and b) it eventually gets restricted as anti-competitive. It's literally them charging & setting rules on their competitors for how they get a certificate which allows phones they make to function with all the Android apps on the market, and pushing app makers to restrict their apps to not work on phones from competitors who don't play ball, so I don't think anti-competition pushback here is that implausible medium term. | | |
| ▲ | mschuster91 18 hours ago | parent [-] | | > There's plenty of physical devices where it is possible Yup, but say Samsung, kiss KNOX goodbye. Fused off once you flash a non-Samsung image. > and Google publish official emulator images with root access for every Android version released to date. This part is still OK. Many apps will straight refuse to run in emulators unless you're lucky to snag a debug build that accidentally got pushed to production. > Most of the root detection is beatable with Frida etc, mostly. It's a cat and mouse game and frankly, I'm sick of it - and especially about the fact that it's either "accept that you'll need to wait X weeks until <Magisk plugin> gets an update" or "install some unofficial closed source fork that may or may not be laced with malware". > Best hope here is that a) it creates much work for most apps to bother and b) it eventually gets restricted as anti-competitive. Rooting detection used to be too much work, then SDKs cropped up that made it very easy, and that will be the case for remote-verifiable hardware attestation. And restrictions from anti-trust? No way that will happen in the next three years in the US, and here in the EU it takes about 5-10 years until our parliament finally gets to work after a problem gets too much attention for their lazy asses to ignore. And even then, the lobby from banks, game studios ("them cheaters!!!" in f2p scam games) and other influential lobbyists will likely prevent any serious action. |
| |
| ▲ | crowfunder 21 hours ago | parent | prev [-] | | As far as I'm aware it is possible to use Frida without rooting, by using Objection
https://github.com/sensepost/objection | | |
| ▲ | bri3d 21 hours ago | parent [-] | | > Patch iOS and Android applications, embedding a Frida gadget that can be used with objection or just Frida itself. This is the key thing, and the part that will change next year: previously, you could unpack, patch, and repack an APK with the Frida gadget and install it onto an Android device in Developer mode, while the device remained in a "Production" state (with only Developer mode enabled, and no root). Now, the device would either need to be removed from the Android Certified state (unlocked/rooted) or you would need to sign the application with your own Developer Console account and install it on your own device, like the way iOS has worked for years. | | |
|
|
