seba_dos1 11 hours ago

Any bootloader or OS that doesn't allow the user to tamper with it or the other tools they're using on it is obviously illegitimate malware.

AppAttestationz 10 hours ago

It's a funny comment, because actual malware very much loves to tamper with the bootloader and OS.

Which was the motivation for cryptographically attesting the boot process and OS, and in part paved the way for app attestation.

There are alternatives though: The Android Hardware Attestation API enables attestation on custom ROMs, but the attestation verifier needs a list of hashes for all "acceptable" ROMs. GrapheneOS publishes these but there's nobody, to my knowledge, maintaining a community list.
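The verifier side of the comment above, as an added example that is not part of the thread: it models the RootOfTrust fields that Android's key attestation extension carries (verifiedBootKey, deviceLocked, verifiedBootState, verifiedBootHash) and applies a policy that accepts an OEM-signed or user-signed OS only when the bootloader is locked and the boot key is on an allowlist, optionally pinned to specific release hashes. Parsing the extension out of the attestation certificate chain and validating that chain against the attestation root is assumed to have happened already; the allowlist digests are constructed placeholders, not real GrapheneOS or OEM values.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class VerifiedBootState(Enum):
    """Mirrors the verifiedBootState values of Android's RootOfTrust structure."""
    VERIFIED = 0      # OEM-signed OS booted through the stock chain
    SELF_SIGNED = 1   # user-installed OS signed with a key enrolled in the locked bootloader
    UNVERIFIED = 2    # bootloader unlocked, no signature enforcement
    FAILED = 3        # verification attempted and failed


@dataclass(frozen=True)
class RootOfTrust:
    """RootOfTrust fields as carried in the key attestation extension (assumed already parsed)."""
    verified_boot_key: bytes              # SHA-256 of the OS signing key, 32 bytes
    device_locked: bool
    verified_boot_state: VerifiedBootState
    verified_boot_hash: bytes             # digest over the verified boot partitions


@dataclass(frozen=True)
class AcceptedRom:
    name: str
    # Accepted verified_boot_hash values for this ROM; None means any release signed by the key.
    release_hashes: Optional[frozenset] = None


# Constructed allowlist keyed by verified_boot_key. Placeholder digests, not real ROM keys.
ACCEPTED_ROMS = {
    bytes.fromhex("aa" * 32): AcceptedRom(
        "example-custom-rom",
        frozenset({bytes.fromhex("01" * 32), bytes.fromhex("02" * 32)}),
    ),
    bytes.fromhex("bb" * 32): AcceptedRom("example-stock-oem"),
}


def evaluate_root_of_trust(rot: RootOfTrust, allowlist=ACCEPTED_ROMS) -> tuple[bool, str]:
    """Return (accepted, reason).

    Order matters: an unlocked bootloader or a non-verified boot state makes the
    key and hash fields meaningless, so those are rejected before any lookup.
    """
    if not rot.device_locked:
        return False, "bootloader unlocked: boot chain not enforced"
    if rot.verified_boot_state not in (VerifiedBootState.VERIFIED, VerifiedBootState.SELF_SIGNED):
        return False, f"boot state {rot.verified_boot_state.name} is not a verified state"
    if len(rot.verified_boot_key) != 32:
        return False, "verifiedBootKey is not a 32-byte digest"
    rom = allowlist.get(rot.verified_boot_key)
    if rom is None:
        return False, "verifiedBootKey not on the accepted ROM list"
    if rom.release_hashes is not None and rot.verified_boot_hash not in rom.release_hashes:
        return False, f"{rom.name}: verifiedBootHash is not an accepted release"
    return True, f"accepted: {rom.name} ({rot.verified_boot_state.name})"


if __name__ == "__main__":
    sample = RootOfTrust(
        verified_boot_key=bytes.fromhex("aa" * 32),
        device_locked=True,
        verified_boot_state=VerifiedBootState.SELF_SIGNED,
        verified_boot_hash=bytes.fromhex("01" * 32),
    )
    print(evaluate_root_of_trust(sample))
```

The per-release hash pin is what makes "a list of hashes for all acceptable ROMs" a maintenance burden: every ROM release changes verifiedBootHash, so a verifier that pins releases needs the list updated on each release, while a verifier that pins only the signing key accepts whatever that key signs.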

seba_dos1 10 hours ago

Nothing funny in it, I'm afraid. Socially accepted malware is still malware. Caffeine is a stimulant, alcohol is a drug, a piece of software that works against the user is malware.

Cryptographic attestation is not a problem in itself, the problem is exactly what you already somewhat hinted at: it's who and how decides who to trust and who gets to make (or delegate) the choices. You can make a secure system that lets the user be in charge, but these systems we're discussing here don't (and that's by design; they're made to protect "apps", not users).