Mastodawn

En god nyhed: Unified Attestation - et Google Play Integrity API alternativ er under udvikling, iniativ fra @volla og med deltagelse af blandt andet @murena!

https://uattest.net/

Brug det i din app, og fortæl din bank, mobliepay, digitaliseringsstyrelsen og alle mulige andre om det :-)

#engodting #opensource #alternative

Unified Attestation

Unified Attestation is a free, open-source alternative to Google Play Integrity with offline verification and simple app + server integration.

@anderslund @volla @murena wohooo!

GrapheneOS Mar 16

@Laust Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

Benjamin Lyng Jørgensen Mar 14

@anderslund @volla @murena fantastiske nyheder!

GrapheneOS Mar 16

@benjaminlj @anderslund Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

@anderslund @volla @murena Sådan! Det er et længe ventet produkt!

Anders Lund Mar 14

@theizo @volla @murena Jep - lad os håbe det bliver anerkendt som sikkert nok fx af mobilepay, bec etc.

GrapheneOS Mar 16

@theizo Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

Peter Makholm Mar 14

@anderslund Nogen der kort, men teknisk, kan forklare hvad en app-udvikler får ud af dette API.

Ikke bare "det øger sikkerheden - og det er best practise" men "det fjerner denne type angreb på bekostning af denne funktionalitet".

Hvorfor er det en god ting og ikke bare en workaround for sikkerhedsteater?

Anders Lund Mar 14

@pmakholm I mine øjne er det en god ting hvis det betyder at man ikke skal tvinges til at underkaste sig googles (eller apples) totalovervågning hvis man vil bruge mobilbank, mobilepay og offentlige apps.

Som appudvikler giver det dig potentielt mulighed for at tilbyde din app til brugere som vil have et googlefrit android-system.

Peter Makholm Mar 14

@anderslund Det var ikke rigtigt et svar på det spørgdmål jeg prøvede at stille.

Jeg et med på at det er en fordel ikke at være afhængig af Google. Men "uafhængig af Google" er ikke en funktionalitet. Det forklarer ikke hvilket problem API'et løser.

Anders Lund Mar 14

@pmakholm Ideen er vel at det skal verificere at den app der bruges er den det forventes at være.

Jeg er ikke klog nok til at kunne afgøre om det har betydning eller mening, men siden fx banker og digitaliseringsstyrelsen går så meget op i det, er det en efterspurgt funktion.

Sune Stolborg Vuorela Mar 14

@anderslund @pmakholm det er vel stadig at nogen skriver under på at de har kontrol over din telefon

Anders Lund Mar 14

Så vidt jeg kan læse det, verificerer man at appens fingeraftryk svarer til det man har fra app-storen.

Sune Stolborg Vuorela Mar 14

@anderslund @pmakholm men så kan den stadig hackes fra operativsystemet

GrapheneOS Mar 16

@svuorela Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

Anders Lund Mar 14

Jeg glæder mig over at nogen tager fat i dette, fordi det er et problem der skal løses hvis man skal kunne bruge visse apps på (google-) frie mobil-operativ-systemer. Jeg er naiv/dum nok til at forestille mig at de folk hos Volla og murena, og andre parthavere, faktisk har hjerner. 😅

Jonas Høgh Mar 14

@svuorela @pmakholm @anderslund Det er ikke nødvendigvis et problem der skal løses. Man kunne også løse det problem, at din bank lider af den opfattelse, at du ikke skal have lov til at tilgå deres selvbetjening fra en computer, du har kontrol over. En opfattelse de sjovt nok kun har for computere i lommeformat

Anders Lund Mar 14

@h0gh @svuorela @pmakholm

Det mobilepay og mobilbankapps'ene gør, er jo at suspendere brugen af MitID i alt fald delvis. Du kan godt bruge netbank på mobil, også på googlefri mobiler. Det er en del besværligere, hvilket i nogen grad er et (web-) designproblem.

Med mobilepay/mobilbank identificerer du dig én gang, derefter blot et swipe og/eller en pinkode, istedet for mitID. Efter min mening burde mobilepay blot tilbyde at identificere med mitID pr betaling. Bankerne kunne gøre det samme.

Jonas Høgh Mar 14

@anderslund @svuorela @pmakholm Nordeas iPhone-app beder om MitID ved hver ikke-trivielle transaktion, pinkode er ikke nok. Jeg har ikke brugt Android-versionen i nogle år, men jeg antager det er det samme. Og det er vel grundlæggende inkonsistent at kræve Google Play Integrity i en app, der opfører sig på samme måde som webbank gør på en linux-pc.

Anders Lund Mar 14

@h0gh @svuorela @pmakholm Jep, enig. Min netbank kræver ofte lige password eller kode, altså en bekræftelse af det eksisterende login. Det burde være fint.

GrapheneOS Mar 16

@h0gh Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

Johan Pelck Olsen Mar 14

@anderslund @svuorela @pmakholm jeg er ikke ekspert, men mit indtryk er at det handler om at en server skal vide med sikkerhed at et api kald kommer fra den rigtige app, så man ikke f.eks. kan lave en MenID app som ligner og opfører sig som NemID.

Anders Lund Mar 14

@jpkolsen @svuorela @pmakholm
Præcis.

Sune Stolborg Vuorela Mar 15

@jpkolsen @anderslund @pmakholm men for at det kan virke helt skudsikkert er der behov for kontrol over hele kæden fra Secure boot i hardware der godkender os der så kan validere apps.

Hvis noget i den kæde er brudt kan der lyves.

Johan Pelck Olsen Mar 15

@svuorela @anderslund @pmakholm interessant. Jeg troede egentlig bare det var betroet autoritet der sammenlignede nogle hashes eller noget i den stil, men jeg har aldrig sat mig ind i arkitekturen

Sune Stolborg Vuorela Mar 15

@jpkolsen @anderslund @pmakholm men hashes af hvad? Og foretaget af hvem?

Johan Pelck Olsen Mar 15

@svuorela @anderslund @pmakholm du siger noget… :-D

GrapheneOS Mar 16

@jpkolsen Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

GrapheneOS Mar 16

@pmakholm Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

Bettina Hartmann Mar 14

@anderslund @volla @murena Jeg kunne ikke lige se af linket, at Murena også deltager?

Anders Lund Mar 14

@bettina @volla @murena hehe, det kommer fra nicks (the linuxexperiement ) seneste video, hvor han omtaler det.

Bettina Hartmann Mar 14

@anderslund @volla @murena Ok, tak! Jeg fik også et svar i murena-community men har ikke fået læst det endnu: https://community.e.foundation/t/article-paying-without-google/80205

ARTICLE: Paying without Google

Paying without Google: New consortium wants to remove custom ROM hurdles Using banking and payment apps on Android smartphones with custom ROMs is a problem: A European industry consortium now wants to change that. Full article here: Paying without Google: New consortium wants to remove custom ROM hurdles | heise online Regain your privacy! Adopt /e/OS the deGoogled mobile OS and online services

/e/OS community

Sune Stolborg Vuorela Mar 16

@bettina Det ligner at dette i praksis rykker Murena / e/os fra en dries software-freedom a-c til en klart D. Det gør i praksis man ikke kan bruge sin egen modificerede android/linux men er bundet op på nogen andres ubetinget. @anderslund @volla @murena

GrapheneOS Mar 16

@svuorela @bettina Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.

https://grapheneos.social/@GrapheneOS/116239523775374959

GrapheneOS (@[email protected])

Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617

GrapheneOS Mastodon

Bettina Hartmann Mar 16

@svuorela @anderslund Jeg kan ikke se, at det er anderledes end hvad Google gør? Og så synes jeg at den cyber bullying som GOS udfører lige nu, er meget ubehagelig. De siger dels lige ud, at de ikke ønsker at de andre styresystemer overhovedet eksisterer. Og så bliver de ved med at gentage deres egne synspunkter uanset hvad vi andre skriver, og uden at svare rigtigt på kommentarerne. Det er ikke sådan man fører en demokratisk samtale jf. eks. Peter Lauritsen i "På sporet af Hørups demokrati".

Sune Stolborg Vuorela Mar 16

@bettina @anderslund det er præcis det samme volla, murena m.fl. som google gør. Men det at en anden gør det gør det ikke bedre.
Det rykker os kun fra en effektivt E til effektivt D på dries - skalaen. Jeg vil højere op.

Bettina Hartmann Mar 16

@svuorela Ja, men når Google lukker de andre ude, hvilke alternativer har de så? Jeg vil også hellere leve i en helt anden verden, der passer til mine værdier, men for at citere Voltaire "Det bedste er det godes værste fjende".

Sune Stolborg Vuorela Mar 16

@bettina men graphene vil ikke nøjes med 'D' - det passer ikke med deres model, så de kæmper i mod. Det passer heller ikke til min model.

Bettina Hartmann Mar 16

@svuorela De må kæmpe imod alt det de vil (selv om jeg foretrækker at de kæmper for det de selv vil, og lade de andre om deres). Men jeg bliver altid mistænksom, når folk ikke kan lade deres argumenter stå for sig selv, men i stedet tyr til cyber bullying. Hvis vi accepterer at blive skammet eller mobbet ud af samtalen, så har demokratiet tabt. Det er ikke i orden.

Sune Stolborg Vuorela Mar 16

@bettina men hvornår må man sige 'forhelvede'? Alle unified attestation marketingsting kommer som om det er løsning*en* for alle de små eller uafhængige androider.
Hvis man er en af de store af de små og man slet ikke mener det er løsningen, og man har bedt om bedre kommunikation, hvornår må man sige 'sgu'?

Bettina Hartmann Mar 16

@svuorela Jeg synes din kommunikation er fin, og du må gerne sige sgu' og forhelvede! men det jeg har det svært med er, når en organisation ikke kommunikerer sagligt, men bruger mobbemetoder. Ved at gentage de samme standardsvar alle steder, de ser emnet blive drøftet. Sådan at folk holder op med at sige noget.

Jeg vil meget hellere høre en saglig uddybning af, hvad det er V & M gør, som Google ikke også gør? Og hvad de skulle / kunne gøre i stedet for (realistisk set).

Sune Stolborg Vuorela Mar 17

@bettina men hvornår må en organisation sige forhelvede? Graphene ligner de er nået til det punkt.

V & M vil gerne lige som google skrive under på du ikke kontrollerer din telefon. Og det er et koncept vi i stedet skal afvise.

Bettina Hartmann Mar 17

@svuorela Det er fair at man ønsker at afvise noget, men det er ikke det GOS gør. De ønsker at udslette det. Og det er jo den tankegang krige starter ud af. Der er alle slags mennesker og vi har kun een jord, så vi skal alle være her.

I stedet kan man argumentere sagligt, og appellere til fællesskabsfølelse, etc. men GOS gør nærmest det modsatte. Bush-retorik: Hvis du ikke er med os, er du i mod os.

Man kan sagtens rase og være vred uden at lade det gå ud over andre.

#NoToToxicMasculinity

Benjamin Lyng Jørgensen Mar 17

@bettina @svuorela jeg er helt enig Bettina. Uanset hvor gode deres argumenter er så holder jeg op med at lytte til dem fordi de er så giftige at høre på.

Sune Stolborg Vuorela Mar 17

@benjaminlj @bettina Jeg er ikke helt uenig. Men jeg forstår dem godt. På et tidspunkt får man nok - selv som organisation - når nogen andre sige "det her er løsningen for alle os"

Jeg synes dog også de er faktuelle; eksempelvis i tråden startende her: https://grapheneos.social/@GrapheneOS/116239523775374959

Bettina Hartmann Mar 17

@benjaminlj @svuorela Tak Benjamin! Jeg mener vi er nødt til at skille tingene ad: personen og emnet. Vi må mene hvad vi vil, men vi skal holde det sagligt. Vi må endda også gerne vise følelser, og eks. skrive "det gør mig vred og frustreret når jeg oplever, at vi går baglæns ved at vælge x, y og z". Men at mobbe andre, at monopolisere samtalen, og generelt bare at acceptere en tale, der er designet til at mobbe og skade mental trivsel er ikke i orden, og noget vi skal væk fra. Det er ALDRIG ok.

Benjamin Lyng Jørgensen Mar 17

@bettina @svuorela lige præcis. Det hører ikke hjemme i en saglig diskussion. Og de mudrer deres gode argumenter til ved at gøre det til en personlig hetz.

@bettina @svuorela @anderslund som jeg læser GOS indlæg, så siger de ikke, at de ikke vil have, at de andre systemer skal/må eksistere, men at de andre systemer ikke vil have, at konkurrerende systemer eksisterer, og at det prøver de at opnå ved at bruge Googles tricks i stedet for at arbejde for at få lovgivere til at slå ned på Googles tricks (sådan som GOS åbenbart gør).

@bettina @svuorela @anderslund men tonen i deres indlæg er aggressiv og konfrontatorisk, hvilket ikke er fremmende for en debat.

Bettina Hartmann Mar 17

@Laust @svuorela @anderslund OK, jeg må tilstå at jeg læste deres kommentar her som om de ikke ønsker de andre systemer eksisterer.

Vicomte Folmer af Helvede Mar 17

@bettina @Laust @svuorela @anderslund

"These systems" er ikke operativ systemerne.

Sune Stolborg Vuorela Mar 17

@folfdk @bettina @Laust @anderslund nej. Det er de der integrity/attestation - systemer

@svuorela @folfdk @bettina @anderslund hvad Folmer og Sune siger :)

Bettina Hartmann Mar 17

@svuorela @folfdk @Laust @anderslund Ok, tak for opklaringen! Det er da en my bedre. Men resten af min pointe står jeg ved.

Og jeg synes egentlig heller ikke det er klædeligt at trashe når folk forsøger at løse et akut problem ved at lave et nyt system. Det ene udelukker ikke det andet. Men man kan jo ikke finde en fælles løsning, når man ikke kan tale sammen...

Harold Smith Mar 16

@bettina @anderslund @volla @murena awesome: “With #UnifiedAttestation, we are creating a transparent and trustworthy procedure for security checks that developers and app publishers can rely on equally. This removes the last hurdle for the use of alternative mobile operating systems"
“We don't want to centralize trust, but organize it transparently and publicly verifiable. When companies check competitors' products, we can strengthen that trust," #unplugtrump #degoogle

https://www.heise.de/en/news/Paying-without-Google-New-consortium-wants-to-remove-custom-ROM-hurdles-11204037.html

Paying without Google: New consortium wants to remove custom ROM hurdles

Using banking and payment apps on Android smartphones with custom ROMs is a problem: A European industry consortium now wants to change that.

heise online

Harold Smith Mar 16

RE: https://grapheneos.social/@GrapheneOS/116200110686604617

@bettina @anderslund @volla @murena just read the protest from GrapheneOS: https://mastodon.social/@GrapheneOS@grapheneos.social/116200111659862792

I cannot see through the technical background how this system closes the space and just deamercanizes it, being from EU.

https://www.heise.de/en/news/Paying-without-Google-New-consortium-wants-to-remove-custom-ROM-hurdles-11204037.html

Bettina Hartmann Mar 16

@MisterSmith @anderslund @murena To quote Voltaire quoting an Italian: "The best is the enemy of the good". Without having much technical insight, I think the initiative by Volla, Murena etc. is trying to fix a problem in a structure none of us created in the first place. So I welcome it.

Do I also want to see a world where tech is structured in a completely different way? Of course. But one step at a time.

And shaming others or wanting them obliterated is not a path to peaceful coexistence

Harold Smith Mar 16

@bettina @anderslund @murena thank you for furthering :]

GrapheneOS Mar 16

@bettina @MisterSmith @anderslund Android already has a standard hardware attestation API which can be used to permit each of these options. The entire purpose of this system made by Volla, Murena and iodé is to centralize control over what's allowed to be use with a service under their control. The whole point of their service is to permit their own insecure products with no serious security standards while forbidding everything not part of it including GrapheneOS. It's definitely not legal.

GrapheneOS Mar 16

@bettina @MisterSmith @anderslund Forming an anti-competitive cartel which pushes a centralized system only permitting using the products of the companies forming it while disallowing anything else is clearly not legal. We fully intend to file a lawsuit against Volla, Murena and iodé once the damages against GrapheneOS start building up. This highly unethical anti-competitive power grab by these companies will not stand. There's nothing peaceful about this aggressive power grab they're making.