Mastodawn

CVE-security&privacy Mar 7

@sassdawe you also can install sandboxed google play services and store if you so choose with which gives no extra or crazy permissions and is treated as any normal app and does not have or gain access to hardware identifiers unless you explicitly give them access @GrapheneOS

Sass, David Mar 7

@LearnToLivePrivate @GrapheneOS I didn't know. Thanks for pointing this out.

I'm actually surprised that there is a "monopoly" here as well. I would have expected some collaboration in this area better Microsoft and all the OS makers.

CVE-security&privacy Mar 8

@sassdawe ????

Sass, David Mar 8

@LearnToLivePrivate to me it seems that the play store api requirement shows the monopoly of Google, and I'd want to have alternatives to it to make the authenticator supported everywhere. Even on the simple not-smartphones as well which are getting their comeback - I was told.

CVE-security&privacy Mar 8

@sassdawe using the google stuff on graphene with there implementation is a better way then any other current way and as for the idea of those dumb phones I would not recomend those they have there own issues as it is and tend to not get the security patches they should get graphene gives alot of control over your device and allows you to deal with google how you wish even not installing it if you so choose since they dont run/install google play store or services by default and if you choose -

CVE-security&privacy

@sassdawe to use them you can install the sandboxed version which then google play is run in an unprivileged environment by default and has no special privaliged permissions or hardware access. Using graphene will give you the most access and control and allow for the most security and privacy no other phone gives the control graphene os gives I promise that.

CVE-security&privacy Mar 8

@sassdawe I should mention I have zero affiliation to graphene this is me as a user speaking.

Sass, David 6d ago

@LearnToLivePrivate I just ran into this https://volla.online/en/resources/documents/Volla-initiiert-Industriekonsortium-fuer-offene-Alternative-zu-Google-Play-Integrity-en-US.pdf

This is what I have been missing, and my understanding is that this would enable Microsoft Authenticator to function securely on @GrapheneOS devices.

@sassdawe @GrapheneOS thats a download I wont download from links off someones posts will you explain what it says basically.

Sass, David 5d ago

No problem @LearnToLivePrivate

I found the link in this news post (in Hungarian) https://hup.hu/cikkek/20260311/europai-konzorcium-epit-nyilt-alternativat-a-google-play-integrity-helyett

The machine translation:

German company Volla Systeme GmbH has formed an industry consortium to develop an open-source, Google-independent alternative to Google Play Integrity. The goal of the project is to enable mobile operating systems without Google services, typically based on AOSP, to use security checks that are required by banking, government, identification, and wallet applications.

Google describes the Play Integrity API as an interface that allows the application backend to verify that user actions and server requests come from a genuine application, a copy installed from Google Play, and an authenticated Android device. The goal is to filter out manipulated apps, untrusted devices, and emulated environments, as well as to protect against abuse, fraud, unauthorized access, and other attacks.

According to Volla, this model creates structural dependency because the reliability checks required for sensitive apps are tied to Google's infrastructure and certification system. The consortium believes that this could be a de facto barrier to Google-free alternative systems such as /e/OS and other custom ROMs.

The UnifiedAttestation system, currently under development, consists of three main components: an operating system-level service that applications can invoke with a few lines of code; a decentralized validation service that checks whether the operating system certificate is valid on a given device; and an open test suite that can be used to test the security compliance of an operating system and a specific device model.

According to Volla, Murena, e.foundation, France's iodé, and Switzerland's Apostrophy are among those participating in the initiative, and other manufacturers and the UBports Foundation have also expressed interest. The software will be published under an Apache 2.0 license as open source, and in the longer term, an open collaboration format under the auspices of the Eclipse Foundation is envisaged.

The essence of the story is not purely technical. According to the consortium, the goal is to strengthen digital sovereignty: to ensure that mobile reliability checks are not solely in the hands of a single American player, but operate in an open, transparent, and multi-stakeholder verifiable manner.

@GrapheneOS

Európai konzorcium építene nyílt alternatívát a Google Play Integrity helyett | HUP

@sassdawe @GrapheneOS problem is those companys dont even maintain there own security in turn privacy of there devices thats not what your looking for at all i trust google far more when it comes to security and privacy then them and google is not known for privacy but they can maintain and keep things secure which affects privacy in my eyes thats moving to a worse goal post over all and mostly an idea based off avoiding google which is a big thing with people anything other then google is

@sassdawe @GrapheneOS better but thats not the case all the time. Google has positives and negatives but being blind and going with an option that also has bad security and even privacy is no better most privacy phones make more connections to google then people think and have worse security

@sassdawe @GrapheneOS also android has its own implimentation of attestation on its own. That litterally looks like saying instead of them pick us situation.

@sassdawe @GrapheneOS if im not mistaken graphene doesnt agree either with that implimentation nor whould they recommend it for there own devices

@LearnToLivePrivate @sassdawe Unified Attestation is built on top of the standard Android hardware attestation API. It fully depends on standard Android hardware attestation. The only thing it does is create a centralized service where they get to choose which devices and operating systems are allowed to be used. The only thing it brings to the table is this group of 3 companies being in control of what's allowed where they'll permit their own products but not GrapheneOS or arbitrary options.

@LearnToLivePrivate @sassdawe If there's going to be a centralized service determining which devices and operating systems are allowed to be used it should not be from a group of companies selling devices where they'll approve their own devices and gain an anti-competitive advantage over alternatives through it. It's incredibly wrong for them to do this and put themselves in a position of power over others. It means they can impose arbitrary requirements including harmful ones on others.

@LearnToLivePrivate @sassdawe For example, they could impose a process where each release needs to be certified which slows down the release process and therefore harms security through delaying updates. They could disallow us from making our special security preview releases. We won't put a group of hostile companies in control of what GrapheneOS is allowed to ship and when we can ship it. This kind of anti-competitive cartel is illegal and they should cancel it before it causes harm.

@LearnToLivePrivate @sassdawe Unified Attestation is nothing more than a middleman between Android hardware attestation and apps where this group of companies decide which devices and operating systems are allowed. They didn't create their own attestation system but rather they created a centralized service for controlling what's done with it.

Android hardware attestation can be used in a decentralized way but it should be noted it's mainly used for root-based verification with a Google root.

@LearnToLivePrivate @sassdawe For Google certified devices, Unified Attestation is depending on verification via the Google attestation roots which includes depending on Google's remote key provisioning service. Devices not part of the Google Mobile Services ecosystem can have their own attestation roots and key provisioning service. Android hardware attestation also has pinning-based verification not requiring depending on root-based verification, but that's not useful for banning devices.

Hammerwell 5d ago

@GrapheneOS @LearnToLivePrivate @sassdawe According to Google, its like this only because of scammers and the resulting political pressure. (is it?) https://www.androidauthority.com/google-android-17-sideloading-interview-sameer-samat-3647478/

Google's Android boss talks Android 17, sideloading drama, and why he hates phone cases

We sat down with Google's Sameer Samat to talk about Android's next transitional moment, sideloading, and his favorite devices right now.

Android Authority

Olivenolje 5d ago

@Hammerwell @GrapheneOS @LearnToLivePrivate @sassdawe They have to somehow justify their control seizure 🤷

@Hammerwell @LearnToLivePrivate @sassdawe That's a different topic and doesn't directly impact GrapheneOS.

@sassdawe @LearnToLivePrivate No, that's wrong. Android has a standard hardware attestation API which has always been supported on GrapheneOS. Microsoft could either use the hardware attestation API to verify GrapheneOS or stop engaging in phony security practices in the first place. Play Integrity API permits devices with 8 years of missing security patches but not intentionally using another OS. GrapheneOS is much far secure than anything Play Integrity or Unified Attestation will allow.

@sassdawe @LearnToLivePrivate The purpose of Volla's system is to have the group of companies participating approve their own products while disallowing anything else. Joining would mean given veto power over app compatibility to multiple for-profit companies which have engaged in years of attacks on GrapheneOS. These companies sell outrageously insecure products missing bare minimum security patches. If there's going to be a system controlling what can be used, they shouldn't be involved.

@sassdawe @LearnToLivePrivate See https://grapheneos.social/@GrapheneOS/116200110686604617 for more information. Unified Attestation a major setback for our fight against the Play Integrity API. Unified Attestation is another anti-competitive system which will be banning GrapheneOS. All they've done is make a wrapper around Android hardware attestation where a centralized service run by them will permit using their own products while disallowing others. What they're doing isn't legal and we have every intention to fight it.

GrapheneOS (@[email protected])

We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps. https://uattest.net/

GrapheneOS Mastodon