Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
microtonal 13 hours ago

My impression is that they are against remote attestation in apps/websites in general and if apps really want to do it, they should do it using the attestation API that AOSP already provides. The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

The most damning part about Google Play Integrity is that, as the thread states, that Google lets devices pass that are full of known security holes, whereas they do not allow what is very likely to be the most secure mobile OS. This shows that they only use it as a method to shut out competitors and to control Android device manufacturers to pre-install Google software like Chrome (otherwise their devices do not get certified and won't pass Play Integrity).

IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care. Worse, the EU, despite their talk of sovereignty adds Play Integrity-based to their own age verification reference app.

I recommend every EU citizen, also if you do not use GrapheneOS, to file a DMA complaint about this anti-competitive behavior:

https://digital-markets-act.ec.europa.eu/contact-us-eu-citiz...

Also, every time this comes up, @ the relevant EU bodies, commissioners and your government's representative on Mastodon, etc.

Hoodedcrow 12 hours ago | parent | next [-]

> The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for stupid question, still not quite understanding how this works.

microtonal 11 hours ago | parent [-]

Currently probably not, because there are leaked keys, etc. But otherwise it would, since the verified boot state, etc. is added as part of the signed material.

dataflow 12 hours ago | parent | prev [-]

> very likely to be the most secure mobile OS

> IANAL, but anti-competition lawyers/bodies should have a field day with this, but nobody seems to care

I'm gonna take a wild guess that proving the above statement in court (and then its necessary impact) might be a significant obstacle here?

kelnos 11 hours ago | parent [-]

You don't really "prove" statements like that. You get some "expert witnesses" to testify one way or another, and your opposition gets some "expert witnesses" to testify the opposite, and then the judge/jury decides who they think was more credible.

I imagine the way to do this effectively would be to get some well-regarded infosec firms to audit both OSes (from source as much as possible), and also compile lists of vulnerabilities found, fixed, not-fixed, etc. over time. Then you need a witness who can explain all of it in a way that's accessible to and likely to sway a jury.