I was reviewing the Android world, apparently if you want updates you either pick google, samsung or lineageos or grapheneos (still google).
Now, if you pick the first 2, you get tracking.
If you pick the other two, you are banned from various apps and functionality even if the phone is not rooted because "there is no megacorp backing you up".
This is really, really bad. Equivalent to the linux secureboot issue that could have been.
It's certainly not the case with GrapheneOS. I have hardly faced any issues with the apps that I use. And if it's complaining about not having play services, you can install sandboxed play services on a new profile.
Most apps work fine, but certain cases like NFC payments generally don't because those apps require that you are using an OS that is signed by someone on their allow-list.
On GrapheneOS, I have one banking app that works, and one that doesn't because of the linked issue.
Hilariously the message in the app says I can't be signed in because it's detected the phone is "jailbroken/rooted" and I "can still use our mobile site". The phone is not jailbroken or rooted, and using the mobile site on the same "untrustworthy" device is just as risky...
Even with the maximum of proprietary services I just about got reliable location sensing while outside. Still much worse than on iOS/stock Android. Banking did work however, kudos for that.
Can you cast it from the browser? And doesn't support offline, which is important when traveling (the only moment I would use netflix on the phone)
And the banking app can scan checks, but the web version cannot. Unfortunately in North America we still live in the 90s and checks are still widely used.
And yeah, cut out of Google Pay. Which there is no reason to, given GrapheneOS is outright safer.
Fantastic line. I imagine I'm trying to escape from Google HQ while GLaDOS makes me test repeatedly, and through a crack in the wall in a storage area I see scrawled in charcoal and blood: "Play Integrity API is based on lies."
It's such a shame, too. The principle is sound, the feature is clearly wanted by security-conscious apps, but Google can't make an integrity API that a vast amount of their partners' existing customers won't pass.
Something as simple as "has received a security update in the past 12 months" seems like a basic requirement for fraud prevention and DRM, but doing so will kick millions of people out of common apps and make their API pretty useless while also pissing off their partners. Instead, we get this vague "does the user run a custom ROM that didn't put effort into not being detected" API that serves no purpose.
From a user perspective, GrapheneOS is a better partner for Google to work with than so many manufacturers. The amount of straight-up spyware and API-noncompliance I've seen from super cheap phones that somehow managed to pass Google's inspection makes the entire certification process a joke. Meanwhile, Graphene manages to protect its users against exploits better than even Google can.
Perhaps it's time for someone to write an app that spoofs the Play Integrity API not by pretending to only support software integrity, like many workarounds do, but by using the leaked manufacturer certificates to fake hardware signatures for any device, forcing Google to choose between redesigning the API or banning their partners' unrelated devices (that, let's be realistic, probably haven't received an update for their key store). Getting one of these leaked keys is probably not easy, but I'm sure _someone_ in the Android modding scene has managed to get their hands on it.
I do wonder what Google's response will be once Graphene does indeed stop taking part in the bug bounty program and a serious exploit hits Google's devices because of code pushed to the Graphene source tree. If I were malicious, I'd start watching the GrapheneOS patches very closely now that they've indicated they're no longer reporting security bugs upstream. They've found several serious vulnerabilities in the past, and are probably one of the few projects that actually inspects and cares about Android's security mechanisms (Google's partners sure don't seem to), so I'm sure they'll find serious security flaws before Google changes its mind.
"Play Integrity" is not there for your, the user's, security. It's there for the app makers' security and guaranteed control, so that they can force you, the user, to endure their every whim and their applications' every shit dark pattern and user-hostile behavior. It is there to make all that unmitigable. If any regulator were to put an end to all that, I'd be all for it.
Users should support the lawsuit. GrapheneOS is not "less secure", it's just that it doesn't give Google preinstalled privileged unremovable spyware present on the device.
"Integrity API" doesn't really check the security model, it checks whether the Google privileged spyware is installed on the device.
The article unfortunately leaves out most of the points we made in the thread.
GrapheneOS supports hardware-based attestation and it's entirely possible for Google to allow it as part of the Play Integrity API. They choose to ban using GrapheneOS.
As a baseline for discussion, I agree that GrapheneOS is far more secure than stock Android (fantastic Cellebrite citation, by the way). I'm not attacking your assertion that Google is misusing Play Integrity anticompetitively, which you make a plausible case for.
But hardware-based attestation is fundamentally based on a whitelist of OS images. With AVB, the only job of hardware is to validate that the chain of trust starts with the certificate the user provides (or the factory default). That certificate, if controlled by a trusted party, attests that the resulting chain of trust implements the Android security model correctly. But all the Android API does is provide a verifiable attestation of what is running; it can't attest that Android hasn't been e.g. Magisk'd and then re-signed. (Please correct me if I'm wrong here!)
Google trusts themselves, of course, perhaps too much. But, they're unwilling to add others to the whitelist of things they trust. I think what you're asking for, is actually for the Play Integrity code to have some mechanism to become trusted/whitelisted (this would prevent other app devs from having to play whack-a-mole to allow other secure images). Phrasing it that way might be a good clarification.
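To make the distinction in the comment above concrete (attestation reports what is running and which key signed it; deciding which keys and which patch levels are acceptable is the verifier's policy), here is an added illustration that is not code from any commenter, from Google or from GrapheneOS. It models a relying-party check over attestation records whose field names are loosely based on the RootOfTrust and patch-level fields Android key attestation exposes; every value below is constructed, the key hashes are placeholders, and the X.509 chain walk back to a hardware root is assumed to have already happened before the record reaches this function.

```python
from datetime import date

# Constructed attestation summaries. Field names are modeled on Android key
# attestation's RootOfTrust (deviceLocked, verifiedBootState, verifiedBootKey)
# and osPatchLevel; the values are made up, and the key hashes are placeholders.
STOCK_PIXEL = {
    "device_locked": True,
    "verified_boot_state": "Verified",    # booted an OS signed by the OEM key
    "verified_boot_key": "sha256:OEM_KEY_PLACEHOLDER",
    "os_patch_level": "2024-08",
}
GRAPHENE_PIXEL = {
    "device_locked": True,
    "verified_boot_state": "SelfSigned",  # locked bootloader, user-installed key
    "verified_boot_key": "sha256:GRAPHENE_KEY_PLACEHOLDER",
    "os_patch_level": "2024-09",
}
STALE_OEM_PHONE = {
    "device_locked": True,
    "verified_boot_state": "Verified",    # OEM-signed, but years without patches
    "verified_boot_key": "sha256:OEM_KEY_PLACEHOLDER",
    "os_patch_level": "2020-01",
}
UNLOCKED_ROOTED = {
    "device_locked": False,
    "verified_boot_state": "Unverified",  # unlocked bootloader, no chain of trust
    "verified_boot_key": "sha256:UNKNOWN",
    "os_patch_level": "2024-09",
}

# Two hypothetical verifier policies. OEM_ONLY mirrors an allowlist containing only
# the manufacturer key and no meaningful patch-age limit; STRICT adds the
# alternative OS key and requires a patch level from the last twelve months.
OEM_ONLY = {"trusted_boot_keys": {"sha256:OEM_KEY_PLACEHOLDER"},
            "max_patch_age_months": 120}
STRICT = {"trusted_boot_keys": {"sha256:OEM_KEY_PLACEHOLDER",
                                "sha256:GRAPHENE_KEY_PLACEHOLDER"},
          "max_patch_age_months": 12}


def patch_age_months(patch_level: str, today: date) -> int:
    """Whole months between a YYYY-MM patch level and the given date."""
    year, month = (int(part) for part in patch_level.split("-"))
    return (today.year - year) * 12 + (today.month - month)


def evaluate(record: dict, policy: dict, today: date) -> tuple:
    """Apply a verifier policy to an already-authenticated attestation record.

    Returns (accepted, reason). The order of checks matters: an unlocked
    bootloader means nothing else in the record can be trusted, so it is
    rejected before any key or patch-level comparison.
    """
    if not record["device_locked"]:
        return (False, "bootloader unlocked")
    state = record["verified_boot_state"]
    # "Verified" = OEM key, "SelfSigned" = user-set key with a locked bootloader.
    # Both are valid chains of trust; which keys to accept is the policy's call.
    if state not in ("Verified", "SelfSigned"):
        return (False, f"verified boot state {state}")
    if record["verified_boot_key"] not in policy["trusted_boot_keys"]:
        return (False, "OS signing key not on allowlist")
    age = patch_age_months(record["os_patch_level"], today)
    if age > policy["max_patch_age_months"]:
        return (False, f"security patch level is {age} months old")
    return (True, "ok")


def compare_policies(today: date) -> dict:
    """Run every sample record through both policies for a side-by-side view."""
    samples = {"stock": STOCK_PIXEL, "graphene": GRAPHENE_PIXEL,
               "stale_oem": STALE_OEM_PHONE, "unlocked": UNLOCKED_ROOTED}
    return {name: {"oem_only": evaluate(rec, OEM_ONLY, today),
                   "strict": evaluate(rec, STRICT, today)}
            for name, rec in samples.items()}


if __name__ == "__main__":
    for name, outcome in compare_policies(date(2024, 10, 1)).items():
        print(f"{name:10s} oem_only={outcome['oem_only']}  strict={outcome['strict']}")
```

Under OEM_ONLY the stale, OEM-signed phone passes while the freshly patched self-signed build is rejected purely on the signing key; under STRICT the outcomes flip. Neither record contains any more information than the other, which is the point: the hardware proves what booted, and everything after that is allowlist policy.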
What is the perspective of the authors of Authy here? If they want the integrity API to limit their app to official builds, then it is working as intended by them and presumably by the users who freely choose Authy over other apps. I am not sure why Graphene has standing here.
1. According to the article, graphene says that the play integrity API doesn't do what it is advertised to do, so arguing that it is a security mechanism is false.
2. Speculation: They could argue that apps should not be allowed to lock out alternative OSes, but only alert users of "reduced security".
But there could be no "reduced security", even for apps. It's just that there's no Google spyware installed on the device with elevated permissions, that's why Google won't approve GrapheneOS.
The whole thing is about trust. Google, Apple and MS are setting themselves up as authorities of trust for hardware.
Authy took the stance that if an OS vendor doesn't sign the bootloader/OS, then it is possible the OS is compromised and other apps could maliciously interact with Authy.
I don't like where that takes us from a computing freedom perspective.
The reason is that there is no open source os that can be verified with the play integrity api. Forget authy, you cannot run netflix or most banking apps.
That's effectively discrimination for people who don't want to be tracked or people who don't want to give money to google.
Given Google has a monopoly, this is pretty heavy.
I agree with some of your facts but not your conclusions. I see why people want to use GrapheneOS. I respect and admire the security efforts of the authors of GrapheneOS. The users of GrapheneOS may have totally legitimate security requirements that lead them to choose it. But if Netflix doesn't want their program to run on GrapheneOS, isn't that their business?
Netflix wants a hardware attestation API to prevent abuse, GrapheneOS can provide that API abstracted through the integrity API, but Google won't authorize it.
This, but notably also: the hardware attestation API will report a device as fully locked down and secured even when a device is infected with a sophisticated-enough piece of malware. Plus, in the past manufacturer keys have leaked but keys have not been revoked.
Hardware attestation is quite useless when a device that hasn't received a single security update in four years is considered safe, but a locked-down ROM implementing everything Google has invented and more is considered dangerous.
This isn't entirely true. My phone runs a custom ROM, but has no root. Google Wallet works (to my surprise) as does my banking app.
Amazon Prime and Netflix will play video, but only in SD, so I torrent all of those shows for when I'm not watching them on Windows.
Once you root your phone, more features get disabled. You can still get everything to work again (as root detection APIs still cannot beat root access) but that's an everlasting arms race of annoying workarounds and features that break randomly.
To be somewhat fair to Google, several custom ROMs, including LineageOS, do disable a LOT of security features that even outdated vendor ROMs will keep enabled, because they're a pain to implement properly. However, GrapheneOS is one of the few operating systems that would rather break app compatibility than risk exposing their users to software vulnerabilities. A Pixel with an official GrapheneOS ROM and a locked bootloader should receive the same security status, or perhaps an even better one, than many phones running stock firmware.
I'm not sure I agree, to be honest. As far as I'm aware: Google doesn't force app developers distributing on the Play Store to opt-in to Play Integrity; Google doesn't force app developers to exclusively distribute through the Play Store; Google doesn't force third party Android-based operating systems to use Google Play Services or the Play Store; and Google doesn't force end-users into using official Android builds versus third party builds.
I have zero energy toward feeling anger at this situation. I don't even feel Google should or ought to change their behavior.
But Google is the dominant player and this makes a difference (Google is not always free to do what they want). GrapheneOS is not allowed in Play Integrity not because of reduced security, but because Google's spyware is not installed there with elevated permissions and unremovable.
I don't feel that's relevant when app developers are free to recognize that as a drawback of Play Integrity and not use it (which to my understanding is the case, but I have not done android development in many years).
On the one hand, you can make the argument that Google "ought" to allow Graphene into this program, because they have at least as good operating system security and hardware attestation as first-party Android distributions. On the other hand: doing so would effectively mean Google is now a responsible party in the security processes and posture of Graphene; which isn't only a level of responsibility Google likely does not want, it's a level of responsibility Graphene is unlikely to grant or agree to.
Google being the dominant player is not relevant. Google acting anti-competitively would be; but I have seen no evidence of this, at least when it comes to their treatment of third party Android operating systems and third party app stores. (Google's other business divisions are a different story; and specifically, Google's interactions and deals with the Galaxy Store are a little suspicious and IIRC came under fire from regulators recently. But, none of this is relevant to this discussion as far as I can tell).
Everyone is free not to use a smartphone at all, yet it doesn't affect whether something is anticompetitive or not.
> On the other hand: doing so would effectively mean Google is now a responsible party in the security processes and posture of Graphene
Hey, wait.. I don't see why that'd have to be the case. Google could make a set of security standards and then include relevant OSes in Play Integrity.. However, these standards could then be checked for being anticompetitive, and a requirement that Google spyware needs to be preinstalled with elevated privileges would certainly be anticompetitive.
> but I have seen no evidence of this, at least when it comes to their treatment of third party android operating systems and third party app stores.
Well, I and GrapheneOS claim that Play Integrity not including GrapheneOS is the evidence here :)
> On the one hand, you can make the argument that Google "ought" to allow Graphene into this program, because they have at least as good operating system security and hardware attestation as first-party android distributions. On the other hand: doing so would effectively mean Google is now a responsible party in the security processes and posture of Graphene; which isn't only a level of responsibility Google likely does not want, its a level of responsibility Graphene is unlikely to grant or agree to.
Is Google responsible for the security posture of any other vendor? If not, why would this be any different?