GrapheneOSWe strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps.
Google's Play Integrity API is a horrible system enforcing using devices officially licensing Google Mobile Services. It permits those regardless of how many years behind they are on security patches. The solution to this isn't another anti-competitive system based in Europe.
Play Integrity API should be regulated out of existence rather than making another system where companies permit their own products while disallowing others. It shouldn't be legal when Google does it and it shouldn't be legal when Volla and Murena do it either. This is wrong.
Hardware-based attestation has valid use cases including the Auditor app on GrapheneOS for protecting users. The way these companies are using it serves no truly useful purpose beyond giving themselves as unfair advantage while pretending it has something to do with security.
If banks and governments insist on checking devices for security they should define actual standards. It should be possible for any tiny project to be certified at no cost and the standards should be fairly enforced so a mainstream device without current patches is disallowed.
Volla, Murena and iodé sell products with atrocious security. They fail to provide important patches and protections while misleading users with inaccurate claims about privacy and security. That includes setting an inaccurate Android security patch level despite missing patches.
These companies should not have any say over which devices can be used for European banking and government apps. It will reduce competition and reduce security exactly as the Play Integrity API is already doing. The EU should ban using attestation to determine OS compatibility.
Murena and iodé are extremely hostile towards GrapheneOS. They've spent years misleading people about it with inaccurate claims to promote their insecure products. We'll never work with them. Volla, Murena and iodé should have no say in which OS people can use on their devices.
There's no legitimate purpose for either Play Integrity or Unified Attestation to exist. Both will inherently fail to uphold even basic security standards since otherwise their own products wouldn't be allowed. Root-based attestation is also inherently not a secure approach.
Having a European version of the Play Integrity which permits people to use insecure products from specific European companies participating in it while disallowing using arbitrary hardware or software is the opposite of a solution. It's more of the same anti-competitive garbage.
ṫẎℭỚ◎ᾔ ṫ◎ℳ@GrapheneOS Totally, 🤦🏼 I don't wanna be locked-in📵 😠
Daniel@TycoonTom @GrapheneOS you will not be, the standard is open for everyone
@DanielDNK @TycoonTom The standard is not open to everyone. It's run by a group of companies hostile to GrapheneOS which will be permitting their own products but not GrapheneOS.
Unified Attestation is a centralized system built on top of the Android hardware attestation API for the sole purpose of a power grab where these companies can control which devices and operating systems are allowed. They haven't made their own attestation system. They've made a system to control use of a standard API.
@TycoonTom @GrapheneOS and if you install it in another profile, alone without Bitwarden in the same profile?
@DanielDNK With play installed cuz you gotta get it via google only nowadays 🤦🏼
HybridStaticAnimate@DanielDNK @TycoonTom @GrapheneOS Attestation as a process is open. The approved OSs would be controlled by the owners of unified attestation. The approach of just making more play integrity clones makes no sense when the service can just pick the OSs themselves.
Nicholas B.@GrapheneOS I would like to say Thank You! GrapheneOS devs for giving us the best Privacy and Security on a phone and also a LOT of Peace of Mind for the privacy concious people. 😉👍 Also been using it for a month now and I pretty much like it even if I had to get a Pixel for it, it was worth it!
@GrapheneOS Also I really hope that Android won't have the same fate as iOS, otherwise our only open-source option remaining is Linux.
@privacyfriendly Android Open Source Project and GrapheneOS are Linux. AOSP is open source and has a massive ecosystem built on the open source code. There are many stakeholders interested in continuing it. It would be a very messy situation if the original upstream stopped existing but it's entirely possible for development on it as an open source project to continue. It hopefully won't come to that. Ideally Android will be forcibly split from Google into a company friendlier to open source.
@GrapheneOS OK, I understand it a bit better now. Thanks for the explanation! Let's HOPE For The BEST!
Dr0id@GrapheneOS @privacyfriendly I have a question in a hypothetical framework. If that was like this in the end and Android closed completely... What would you do in that case??? Is it possible for you to participate in the development of an alternative Linux operating system like those already underway???