Post AkXB1jnFk456mIdrgO by GrapheneOS@grapheneos.social
(DIR) More posts by GrapheneOS@grapheneos.social
(DIR) Post #AkTfnPq7S8aymjnH60 by GrapheneOS@grapheneos.social
2024-07-30T23:36:58Z
0 likes, 1 repeats
https://arstechnica.com/gadgets/2024/07/loss-of-popular-2fa-tool-puts-security-minded-grapheneos-in-a-paradox/The article unfortunately leaves out most of the points we made in the thread.GrapheneOS supports hardware-based attestation and it's entirely possible for Google to allow it as part of the Play Integrity API. They choose to ban using GrapheneOS.
(DIR) Post #AkTfnRHS603NFnacL2 by GrapheneOS@grapheneos.social
2024-07-30T23:37:09Z
0 likes, 0 repeats
Play Integrity API has no minimum security patch level and nearly all these apps use weak software-based checks that are easily bypassed by attackers. The hardware-based checks rely on trusting every key distributed to every certified Android device, which are often leaked.
(DIR) Post #AkTfnRvrfkNbH8UtKS by GrapheneOS@grapheneos.social
2024-07-30T23:37:12Z
0 likes, 0 repeats
Hardware-based attestation can be used for security purposes such as verifying device integrity with a pinning-based approach without the weakness of being vulnerable to leaked keys from the whole Android ecosystem since specific per-app keys in the secure element can be pinned.
(DIR) Post #AkTfnSGQRIpIIu7JNQ by GrapheneOS@grapheneos.social
2024-07-30T23:37:18Z
0 likes, 0 repeats
Play Integrity API is claimed to be based on devices complying with the Compatibility Test Suite and Compatibility Definition Document. We have irrefutable proof that the majority of certified Android devices do not comply with the CTS/CDD. Play Integrity API is based on lies.
(DIR) Post #AkTfnSj8iXnLjxYF8K by GrapheneOS@grapheneos.social
2024-07-30T23:37:24Z
0 likes, 0 repeats
Essentially every non-Pixel device has important CTS failures not caused by CTS bugs. OEMs are cheating to obtain certification. Google claims GrapheneOS can't be permitted because we don't have a certification where they freely allow cheating and don't ban non-compliant devices.
(DIR) Post #AkTfnSwxt8r0Qq1HgO by GrapheneOS@grapheneos.social
2024-07-30T23:37:30Z
0 likes, 0 repeats
Since Play Integrity doesn't even have a minimum security patch level, it permits a device with multiple years of missing patches. Hardware attestation was required on all devices launched with Android 8 or later, but they don't enforce it to permit non-compliant devices.
(DIR) Post #AkTfnTK0VTHlaIngbA by GrapheneOS@grapheneos.social
2024-07-30T23:37:38Z
0 likes, 0 repeats
The reality is that the Play Integrity API permits devices from companies partnered with Google with privileged Google Play integration when they're running the stock OS. It's easy to bypass, but they'll make changes to block it being done at scale long term such as if we did it.
(DIR) Post #AkTfnTYXdQuaJNbIFk by GrapheneOS@grapheneos.social
2024-07-30T23:37:42Z
0 likes, 0 repeats
It does not matter if these devices have years of missing security patches. It doesn't matter if the companies skipped or improperly implemented mandatory security features despite that being required by CDD compliance. Failing even very important CTS tests doesn't matter either.
(DIR) Post #AkTfnTskQJ4hK33QkS by GrapheneOS@grapheneos.social
2024-07-30T23:37:49Z
3 likes, 1 repeats
Google can either permit GrapheneOS in the Play Integrity API in the near future via the approach documented at https://grapheneos.org/articles/attestation-compatibility-guide or we'll be taking legal action against them and their partners. We've started the process of talking to regulators and they're interested.
(DIR) Post #AkTfnUqepYzsJr5H84 by GrapheneOS@grapheneos.social
2024-07-30T23:37:54Z
0 likes, 0 repeats
We're not going to give Google veto power over what we're allowed to do in GrapheneOS. We comply with CTS and CDD except when it limits our ability to provide our users with privacy and security. Google wants to be in charge of which privacy/security features can be added. Nope.
(DIR) Post #AkTfnW22Qjh7zRPsVU by GrapheneOS@grapheneos.social
2024-07-30T23:37:59Z
0 likes, 0 repeats
Google's behavior in the mobile space is highly anti-competitive. Google should be forbidden from including Google Mobile Services with privileged access unavailable to regular apps and services. GrapheneOS sandboxed Google Play proves that hardly anything even needs to change.
(DIR) Post #AkTfnXa6fYXYnOMbFQ by GrapheneOS@grapheneos.social
2024-07-30T23:38:04Z
0 likes, 0 repeats
Google should also be forbidden from participating in blocking using alternate hardware/firmware/software. They've abused their market position to reinforce their monopolies. They've used security as an excuse despite what they're doing having no relevance to it and REDUCING it.
(DIR) Post #AkTfnZKEBZ1kCiwwm8 by GrapheneOS@grapheneos.social
2024-07-30T23:39:23Z
0 likes, 0 repeats
Google is forbidding people from using a growing number of apps and services on an objectively far more private and secure OS that's holding up much better against multiple commercial exploit developers: https://grapheneos.social/@GrapheneOS/112826067364945164They're holding back security, not protecting it.
(DIR) Post #AkTfnarwRhaazZjNxo by GrapheneOS@grapheneos.social
2024-07-30T23:39:42Z
0 likes, 0 repeats
We've put a lot of effort into collaborating with Google to improve privacy and security for all Android users. Their business team has repeatedly vetoed even considering giving us partner access. They rolled back us being granted security partner access by the security team.
(DIR) Post #AkTfncaI4IesJPUJjE by GrapheneOS@grapheneos.social
2024-07-30T23:39:54Z
0 likes, 0 repeats
As with how they handle giving out partner access, the Play Integrity API serves the interests of Google's business model. They have no valid excuse for not allowing GrapheneOS to pass device and strong integrity. If app developers want to ban it, they can still do it themselves.
(DIR) Post #AkTfne3kaFokt4HMHo by GrapheneOS@grapheneos.social
2024-07-30T23:40:06Z
1 likes, 1 repeats
After our security partner access was revoked, we stopped most of our work on improving Android security. We continued reporting vulnerabilities upstream. However, we're going to stop reporting most vulnerabilities until GrapheneOS is no longer blocked by the Play Integrity API.
(DIR) Post #AkTfnfbop4fBh1E51k by GrapheneOS@grapheneos.social
2024-07-30T23:41:28Z
0 likes, 0 repeats
This year, we reported multiple serious vulnerabilities to Android used by widely used commercial exploit tools:https://source.android.com/docs/security/overview/acknowledgementsIf Google wants more of that in the future, they can use hardware attestation to permit GrapheneOS for their device/strong integrity checks.
(DIR) Post #AkTfnhQY3wpvKdy6jo by GrapheneOS@grapheneos.social
2024-07-30T23:41:34Z
0 likes, 0 repeats
Authy's response about their usage of the Play Integrity API shows their service is highly insecure and depends on having client side validation. Play Integrity is thoroughly insecure and easily bypassed, so it's unfortunate that according to Authy their security depends on it.
(DIR) Post #AkTfnj0kArNqFBuWnI by GrapheneOS@grapheneos.social
2024-07-30T23:41:41Z
0 likes, 0 repeats
If Authy insists on using it, they should use the standard Android hardware attestation API to permit using GrapheneOS too. It's easy to do:https://grapheneos.org/articles/attestation-compatibility-guideBanning 250k+ people with the most secure smartphones from using your app is anti-security, not pro-security.
(DIR) Post #AkUtldN7lItWgyEhNo by Hyolobrika@social.fbxl.net
2024-07-31T18:05:37.974791Z
0 likes, 0 repeats
@GrapheneOS I think if their security model depends upon banning alternative OS's then they need to get a better security model.
(DIR) Post #AkUuH3MnAG62I33wJc by GrapheneOS@grapheneos.social
2024-07-31T00:19:41Z
0 likes, 0 repeats
@kkarhan That's completely wrong, they exactly these same restrictions and signed up to be part of the same anti-competitive cartel as other OEMs. It has nothing to do with Pixels. GrapheneOS on a Fairphone would be insecure and would have the same anti-competitive Play Integrity API limiting it, while the stock Fairphone OS despite being highly insecure is allowed. You've got this completely wrong. Fairphone is one of the vendors which clearly violates the CTS/CDD and yet is permitted...
(DIR) Post #AkUuH4QjD6q5aXub5c by Hyolobrika@social.fbxl.net
2024-07-31T18:11:17.914245Z
0 likes, 0 repeats
@GrapheneOS I think what he's saying is that you are relying on Google, which is a bad idea as they have been proven in this case to be unreliable. Is that right, @kkarhan?
(DIR) Post #AkUuH4uVQOet4tqNVI by GrapheneOS@grapheneos.social
2024-07-31T00:22:21Z
1 likes, 0 repeats
@kkarhanFairphone is a clear example of the anti-competitive and unfair approach that's being used. Their devices and OS have huge security flaws and they've repeatedly screwed up mandatory security features. Despite that, the Play Integrity API allows their stock OS but would not allow GrapheneOS on the device if it did support them. How does it make any sense that an OS and device lagging behind on security patches and security features is allowed by GrapheneOS isn't?
(DIR) Post #AkUwEYMvdtBNTu3us4 by CriticalSilence@social.tchncs.de
2024-07-31T00:42:44Z
1 likes, 0 repeats
@GrapheneOS I'd love to use an alternative OS, but it sometimes is even considered illegal by hardware contract or risks bricking the device. We could've been so far with smartphones without that monopolist idea. We had and have this with possibly all device vendors. I have the feeling, an alternative OS is reserved for technical specialists, that can hack into and dont mind bricked devices. This is so scary, I could never risk that. And this is our state of the art - its so sad.
(DIR) Post #AkUxMthGKTg3tq7EWW by GrapheneOS@grapheneos.social
2024-07-31T14:33:12Z
0 likes, 0 repeats
It's very unfortunate when new apps adopt the Play Integrity API and stop working. Authy isn't a very good choice for 2FA but many people use it and it's a problem for us for a widely used app to be incompatible. A single widely used app losing compatibility is a big deal to us.
(DIR) Post #AkUxMuM1suHrwHBn4C by doerk@nrw.social
2024-07-31T14:41:53Z
1 likes, 0 repeats
@GrapheneOS Am I the only one who has the feeling that there might be intent behind it?
(DIR) Post #AkUxRtTqYr8ug0DteS by GrapheneOS@grapheneos.social
2024-07-31T15:04:45Z
1 likes, 0 repeats
@doerk Authy likely doesn't actually want to ban GrapheneOS. However, that's what the Play Integrity API does.We believe they adopted Play Integrity to make it appear that they're improving security after the breach including by making hard decisions which make people upset. However, using the Play Integrity API does not in any way improve the security of their app.They COULD follow our guide and permit GrapheneOS but likely won't. They don't understand what it is or how many users it has.
(DIR) Post #AkV7yWX5tr9AbTwKsy by GrapheneOS@grapheneos.social
2024-07-31T19:56:03Z
1 likes, 0 repeats
@Hyolobrika Their security model doesn't depend on it at all but rather their business model benefits from it.This exists to hurt app/service compatibility on operating systems not licensing Google Play, giving it immense privileged access and complying with all their rules.They tried to put the same thing into Chromium for web sites but ended up backing down for the time being. This should be killed too, regardless of their willingness to do so. Regulators can simply ban it.
(DIR) Post #AkV8X4jZFNraWSFXiC by GrapheneOS@grapheneos.social
2024-07-31T19:57:42Z
0 likes, 0 repeats
@Hyolobrika @kkarhan We'd rather discontinue the project than support insecure devices where we're unable to protect users from even basic commercial exploit tools. If no one else is going to make secure devices, then we're not able to support more devices. GrapheneOS does not exist to make insecure devices a bit less insecure while still having the door wide open. They have proven reliable at securing the devices. This has nothing to do with them being unreliable in any way.
(DIR) Post #AkV8X5iXagdVZYmEka by Hyolobrika@social.fbxl.net
2024-07-31T20:51:04.029436Z
0 likes, 0 repeats
@GrapheneOS @kkarhan >GrapheneOS does not exist to make insecure devices a bit less insecure while still having the door wide open.I've always wondered why not? It still helps.I guess that's what DivestOS is for though.
(DIR) Post #AkV8X5nrGutDq3GU2S by GrapheneOS@grapheneos.social
2024-07-31T19:59:20Z
0 likes, 0 repeats
@Hyolobrika @kkarhan Play Integrity API is not a new move on their part. What's new is that more mainstream apps that have nothing to do with banking are adopting it. This impacts running Android apps in a virtual machine on Windows just as much as it impacts GrapheneOS, so in what way is what was stated relevant? It's not feasible to make a whole new app ecosystem with all these mainstream apps from big companies. Apple and Google shouldn't be allowed to block running the apps elsewhere.
(DIR) Post #AkXB1jnFk456mIdrgO by GrapheneOS@grapheneos.social
2024-08-01T17:27:21Z
0 likes, 0 repeats
@kkarhan @tasket @stman > To me it's still flabberghasting me that #GrapheneOS doesn't seem to be interested in partnering with or starting their own devices if they know their field so well...No, this is thoroughly inaccurate. We've actively pursued partnerships with multiple OEMs. They've failed to provide what we need and create devices meeting our requirements.Fairphone and Shift have made it fairly clear that security is not a priority to them and have not wanted to collaborate.
(DIR) Post #AkXB1kiKJrjddJLRdw by icedquinn@blob.cat
2024-08-01T20:28:26.154810Z
0 likes, 0 repeats
@GrapheneOS @kkarhan @tasket @stman its too bad HTC is out of the phone game.
(DIR) Post #AkXBpbxn7ziuyNLwO0 by icedquinn@blob.cat
2024-08-01T20:37:27.054938Z
0 likes, 0 repeats
@kkarhan @tasket @GrapheneOS they did project work with Valve before the front fell off the VR market. and weren't too big of dicks about bootloader unlocking.might have been negotiable.
(DIR) Post #Al6KrorLqol9fW48gq by 00Aaron@social.coop
2024-07-31T00:08:58Z
0 likes, 0 repeats
@GrapheneOS Uh oh. Authy still seems to be working on GrapheneOS for me right now. Is that about to change?Also, does that mean that Bitwarden Authenticator and other authenticators would stop working too?
(DIR) Post #Al6KrpOfqvPlKrekd6 by civicDetroitDan@a2mi.social
2024-07-31T00:16:08Z
0 likes, 0 repeats
@00Aaron @GrapheneOS Looping in @bitwarden in case they can comment on GrapheneOS support.
(DIR) Post #Al6Krpl0VtHMS86aRM by GrapheneOS@grapheneos.social
2024-07-31T00:17:59Z
0 likes, 0 repeats
@civicDetroitDan @00Aaron @bitwarden There's 0 reason for any app to forbid using GrapheneOS this way. Any app choosing to use the incredibly easy to bypass Play Integrity API attestation can use hardware attestation as an extra option to permit GrapheneOS:https://grapheneos.org/articles/attestation-compatibility-guideAuthy adopted the Play Integrity API as a marketing move after they had a major breach to make it look like they're improving things. It does not improve the security of their service in any way.
(DIR) Post #Al6Krq6dDUZnXCDr96 by Andreas_Sturm@mastodon.social
2024-08-18T13:57:41Z
0 likes, 0 repeats
@GrapheneOS If an app is no longer running with graphene OS, I will find another one with similar functionality. If a service like uber only runs with an app that is unacceptable to me, I won't use this service any more.If a device is shipped with an app, not running on graphene OS, I will not buy it.If no app runs on graphene OS at all, I no longer need a mobile phone 😉@civicDetroitDan @00Aaron @bitwarden
(DIR) Post #Al6KrqJkQj4IBsMKae by GrapheneOS@grapheneos.social
2024-08-18T16:39:13Z
2 likes, 2 repeats
@Andreas_Sturm @civicDetroitDan @00Aaron @bitwarden Uber works fine on GrapheneOS, but they added a Play Integrity API to the Uber Driver app a few years ago. As with other apps adopting it, they fell for Google's propaganda pushing it as a security feature checking for a trustworthy device. It has nothing to do with security. People who earn money as Uber Drivers were faced with a tough problem and many had to quickly flash back to the stock OS to keep earning money...