Remix.run Logo
ChocolateGod 2 hours ago

> Still leaves the attestation API though. Which makes using a non-Google sanctioned device a non-viable option

The attestation API isn't Google 'being evil', it exists as part of legal requirements that exists, namely for financial and banking applications.

Any alternative platform that wanted similar kind of apps would almost certainly have to implement a similar system.

> Ok, that's some good news

The fact you thought wrong shows the confusion being caused by these factually incorrect articles.

ulrikrasmussen an hour ago | parent | next [-]

What legal requirements are you referring to?

angoragoats 43 minutes ago | parent | prev [-]

> as part of legal requirements that exists, namely for financial and banking applications.

Please cite the laws or regulations you’re referring to, because I don’t think there are any.

ChocolateGod 26 minutes ago | parent [-]

PCI-DSS (enforced by banks/payment processors) means the EMV token store on your Android phone must be in an isolated uncompromised location (usually the TEE).

If your phone is rooted or has an unlocked bootloader then it's possible that trusted store is no longer secure or can be snooped on by a third party. Given Google Wallet/Pay handles EMV tokens and stores them on the phone, it has to pass PCI-DSS before banks will allow it.

This is the biggest reason why Google tries as much as possible to block Google Pay on rooted/unlocked devices. If a device fails compliance (a rooted phone certainly does), as far as banks are concerned it's not safe.

But people just find it easier to say "Google is Evil".

You also have the EUs Payment Services Directive (so a law) which require strong customer authentication, rooted devices can also fail up here.