GrapheneOSWe strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.
Google's Play Integrity API is a horrible system enforcing using devices officially licensing Google Mobile Services. It permits those regardless of how many years behind they are on security patches. The solution to this isn't another anti-competitive system based in Europe.
Play Integrity API should be regulated out of existence rather than making another system where companies permit their own products while disallowing others. It shouldn't be legal when Google does it and it shouldn't be legal when Volla and Murena do it either. This is wrong.
Hardware-based attestation has valid use cases including the Auditor app on GrapheneOS for protecting users. The way these companies are using it serves no truly useful purpose beyond giving themselves as unfair advantage while pretending it has something to do with security.
If banks and governments insist on checking devices for security they should define actual standards. It should be possible for any tiny project to be certified at no cost and the standards should be fairly enforced so a mainstream device without current patches is disallowed.
Volla, Murena and iodé sell products with atrocious security. They fail to provide important patches and protections while misleading users with inaccurate claims about privacy and security. That includes setting an inaccurate Android security patch level despite missing patches.
These companies should not have any say over which devices can be used for European banking and government apps. It will reduce competition and reduce security exactly as the Play Integrity API is already doing. The EU should ban using attestation to determine OS compatibility.
Murena and iodé are extremely hostile towards GrapheneOS. They've spent years misleading people about it with inaccurate claims to promote their insecure products. We'll never work with them. Volla, Murena and iodé should have no say in which OS people can use on their devices.
ftm@GrapheneOS and what exactly is your conflict with volla. I get the iodé and Murena part, but what's wrong with Volla?
KernackIf I had to guess than locked bootloader or something similar.
@ftm Murena and iodé relentlessly spread false claims about GrapheneOS and our team. That includes personall targeting our team with absolutely vile bullying and harassment.
Here's the founder and CEO of /e/ and Murena linking to content from a neo-nazi conspiracy site targeting our founder with blatant fabrications including links to harassment content from Kiwi Farms users:
https://archive.is/SWXPJ
https://archive.is/n4yTO
Volla is fully aware of all this but works closely with these groups.
@ftm Their Unified Attestation system is a proposal to ban people from using GrapheneOS while permitting using insecure operating systems from the companies working with them. Why wouldn't we have an issue with that? Even if they did give in and permit using GrapheneOS, we don't want these systems to exist. Hardware attestation should be used to protect users rather than determining OS compatibility in a way that has nothing to do with security. Banning using an OS based on this is wrong.
DekOfTheYautja@GrapheneOS @ftm Ah geeze, here we go again 🤣
Daniël de Kok@ftm @GrapheneOS it is worth checking Volla's source trees. They use ancient kernels firmware blobs, etc. It's pretty much the same issue as GMS Android, the whole attestation thing becomes security theater if phones with years of known holes get attested.
@danieldk @ftm It's inherently security theatre because neither companies and governments are willing to ban using the majority of Android phones which is what would happen if even basic security standards such as keeping up with High and Critical severity patches from AOSP and the SoC / radio vendors was enforced. Instead, they're disallowing people having the freedom to use their hardware or OS of choice while not enforcing even basic security standards. They're disallowing better security.
@ftm @GrapheneOS Another thing I don't really like about Volla is that they seem to do Eurowashing.
Maybe (some part of) the Volla Phone Quintus is assembled in Europe, but the phone seems to be a rebranding of the Daria Bond 5G (stated by multiple sources, including the PostmarketOS wiki) with a markup of ~550 Euro (~160 -> 719 Euro): https://www.amazon.ae/Android-Smartphone-Storage-Octa-Core-Monetization/dp/B0DDYDZC4V?th=1
The Daria Bond 5G is sold by an UAE company that also maintains the Volla Phone Quintus source trees (well, 'maintain' is a big word).
Daria BOND 5G Android 14 Smartphone, 8GB RAM, 256GB Storage, 50MP AI Triple Camera, 120Hz Curved AMOLED, Octa-Core 2.6 GHz, Web3 Monetization, Built-In Wallet with Free Super Fast Charge Power Adaptor: Buy Online at Best Price in UAE - Amazon.ae
Buy Daria BOND 5G Android 14 Smartphone, 8GB RAM, 256GB Storage, 50MP AI Triple Camera, 120Hz Curved AMOLED, Octa-Core 2.6 GHz, Web3 Monetization, Built-In Wallet with Free Super Fast Charge Power Adaptor online on Amazon.ae at best prices. ✓ Fast and free shipping ✓ free returns ✓ cash on delivery available on eligible purchase.
Rik ShawSorry a bit unrelated, @ftm but I *don't* get the iodé part?
Locked bootloaders, v7.3 just released is A16 QPR2. Yes it is LineageOS based, but with tracking etc. blocked. Personally I would rather run open-source microG than *full fat proprietary Google Play Services* even if they are unprivileged or sandboxed, etc.
iodé and /e/ are both LineageOS based and use microG but otherwise aren't related. Too bad they always get lumped together.