Remix.run Logo
monksy 6 hours ago

I agree with that.. additionaly, I'm finding it to be insane that organizations are trying to force you to have a "audited" phone to interact with them. (I.e. events, businesses, etc)

matheusmoreira 5 hours ago | parent | next [-]

Remote attestation is not just insane, it's the technology that will end free computing as we know it today.

What good is free software if using it marks our devices as untrusted and gets us banned from every service out there? Gets us ostracized from digital society? Because we "tampered" with the device?

We should be able to run whatever software we want and they should be none the wiser. Instead, we are part of the threat model now. Our devices are now cryptographically attesting that they are corporate owned and that we are under corporate control. It's so disgusting. The future we're heading towards is terrifying. Everything the word hacker ever stood for will be destroyed if this keeps up.

Cider9986 4 hours ago | parent | next [-]

It can be used for security and used privately [1] but I entirely agree with you, Google's use of it is anti-competitive and terrible.

[1] attestation.app

preisschild an hour ago | parent [-]

Yeah same as TPM and Secureboot. They can improve your own personal security (and thereby privacy) drastically, but it has to be controlled by the user.

myaccountonhn 2 hours ago | parent | prev | next [-]

You'll probably just need to keep two phones. One hostile spying device that you use for authenticating and dealing with government stuff, and that becomes e-waste every 2 years. Then you have one that you can repair and extend for your own stuff that respects you and your privacy.

collabs 20 minutes ago | parent [-]

I am doing this now. I have had a carrier locked iPhone SE 2020 which I only use on Wi-Fi for over five years now. I also have an android phone and I don't install any banking apps on my android phone.

charcircuit 3 hours ago | parent | prev [-]

>What good is free software if using it marks our devices as untrusted

That is not what remote attestation is for. The operating system maintains isolation between apps, so a free software app being installed doesn't mean an app that needs high security is compromised.

marmarama 3 hours ago | parent [-]

I think you've misunderstood. It's not an app problem. The problem is that it makes Free Software OSes unviable. The copy of Android you compile and install yourself - or your copy of desktop Linux where you upgraded the kernel yourself - will never pass remote attestation, and it gives both the attestation provider and software that checks attestation the ability to unilaterally shut out any OS they like with no workaround, even those that do pass attestation.

In a world of deeply untrustworthy Big Tech, and trend of governments, banks and other basic services needed to exist in society relying on apps and in the future, websites that use remote attestation, that is very troubling.

There are better ways of dealing with the bad actors problem, but Big Tech has chosen violence.

floam 2 hours ago | parent [-]

I don’t see how it’s incompatible with open source, just because my development builds aren’t being blessed.

dpark 2 hours ago | parent | next [-]

It’s not incompatible with open source. It’s incompatible with free software. If Apple or Google or Microsoft or the government needs to “bless” your build, then you have no freedom to actually use your build.

marmarama 2 hours ago | parent | prev [-]

Your "development build" is another person's daily driver.

Case in point: GrapheneOS (or any other custom Android distro) is unlikely to be able to ever pass remote attestation, even a signed, secure boot build with the bootloader relocked, because it's not the original OS for the hardware.

Same goes for any desktop Linux.

andai 6 hours ago | parent | prev | next [-]

What is that? I don't seem to be finding anything relevant on Google.

monksy 5 hours ago | parent | next [-]

We're running into situations where the usage of smart phones and apps are becoming mandatory for using services.

For example: The UK has a digital ID requirement which is required for you to be employed in the UK. Additionally the EU digital identity services have a hardware/software attestitation that is required to run their apps. (Many of those which 3rd party software can't run).

Another example of this is the Australian eTA - (Everyone has to have a visa to visit Australia.. but the real only way to get a visa* is you have to get an electronic travel authorization which only works via an App)

https://grapheneos.org/articles/attestation-compatibility-gu...

Apps that ban graphene-os being used:

    myGov (Australian government app)
    gov.br (Brazilian government app)
    Ticketcorner
    Authy
    Chyrpe Dating
    TextNow
    mada Pay (Saudi NFC payment app)
    McDonald's (International app used for many but not all countries not including the US)
    Dott
    My SEAT (Connectivity for SEAT cars)
    SwissID
    Volkswagen
    BKK Faber-Castell & Partner
    TK-Doc
    TK-Ident
    TK-App (Blocks access to TK-Safe, TK-GesundheitsMessenger, fingerprint login)
    IO (Italian government app which uses it to gate access to the digital wallet feature)
    PosteID (Italian postal service’s app used to access the national digital identity system "SPID")
    Singpass
subscribed 3 hours ago | parent | next [-]

> The UK has a digital ID requirement which is required for you to be employed in the UK.

That's untrue.

There was a strong push towards the digital ID from the current administration, but it was abandoned 6 months ago.

What you likely mixed up with digital ID is the old digital visa scheme, mandatory for all non-UK citizens to prove right to work.

Re: your app list: looks a little bit eclectic, so it's worth mentioning most of the apps don't ban GoS specifically, but enforce Google play strong or device integrity pass, which GoS doesn't pass.

Some trip on some exploit protections, like secure app spawning, but these can be turned off per app in the latest releases based on Android 17.

anonzzzies 4 hours ago | parent | prev | next [-]

GrapheneOS and others should have lobbyists or rather lawyers and lawmakers to fight for using secure systems to mandatory be allowed for these. Sure, there must be some type of OS guarantee, but that should not be exclusive to Google and Apple. And indeed browsers with otp/authn devices (not one per service but yubi/thetis type of thing as those can be made sovereign for a large part); when an OS is not allowed, the browser and app should be mandatory allowed with such a device as that is, actually, more secure than the original device as it is an external encryption and encryption key source the hacker cannot reach.

Cider9986 4 hours ago | parent [-]

Us users might be effective as well. Hopefully anti-trust law catches up and bans play integrity. They are probably going to spend their money improving features and experience to get more users. There's threads on the forum dedicated to sending emails to Volkswagen to get them to support Grapheneos and it may be working.

z3t4 2 hours ago | parent | prev [-]

This sucks. The solution is to buy the cheepest iPhone and use it just for the goverment services.

andwur 6 hours ago | parent | prev [-]

Likely referring to Android's Play Integrity/hardware attestation API (good explainer from GrapheneOS [1]) that is practically used to restrict what devices/brands/Android builds an app will allow itself to be run on.

[1] https://grapheneos.org/articles/attestation-compatibility-gu...

LoganDark 5 hours ago | parent | prev | next [-]

I miss the days when iOS jailbreaks allowed you to completely circumvent basically all DRM because the trust in Apple was so high that you could just assume a device is secure. Contrast that with Android, which has always had invasive attestation mechanisms because of widespread mistrust in OEMs. On iOS, sometimes you had individual apps trying to check for jailbreak but that was it

realusername 4 hours ago | parent [-]

Apps trying to check for jailbreak is still a thing on iOS and as you would expect, it's jank and can trigger on stock iOS if you are unluky

preisschild an hour ago | parent | prev | next [-]

> that organizations are trying to force you to have a "audited" phone to interact with them. (I.e. events, businesses, etc)

Even worse, GOVERNMENTS do that. EU Governments basically forcing you to give Google (via the Google Mobile Services rootkit) or Apple (and via the cloud act also the Trump Admin) access to your entire phone (including all of your saved personal data) to use the govt eID system...

daniela-vera 4 hours ago | parent | prev [-]

[flagged]