@anderslund Nogen der kort, men teknisk, kan forklare hvad en app-udvikler får ud af dette API.
Ikke bare "det øger sikkerheden - og det er best practise" men "det fjerner denne type angreb på bekostning af denne funktionalitet".
Hvorfor er det en god ting og ikke bare en workaround for sikkerhedsteater?
@pmakholm I mine øjne er det en god ting hvis det betyder at man ikke skal tvinges til at underkaste sig googles (eller apples) totalovervågning hvis man vil bruge mobilbank, mobilepay og offentlige apps.
Som appudvikler giver det dig potentielt mulighed for at tilbyde din app til brugere som vil have et googlefrit android-system.
@anderslund Det var ikke rigtigt et svar på det spørgdmål jeg prøvede at stille.
Jeg et med på at det er en fordel ikke at være afhængig af Google. Men "uafhængig af Google" er ikke en funktionalitet. Det forklarer ikke hvilket problem API'et løser.
@pmakholm Ideen er vel at det skal verificere at den app der bruges er den det forventes at være.
Jeg er ikke klog nok til at kunne afgøre om det har betydning eller mening, men siden fx banker og digitaliseringsstyrelsen går så meget op i det, er det en efterspurgt funktion.
@svuorela Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617
Jeg glæder mig over at nogen tager fat i dette, fordi det er et problem der skal løses hvis man skal kunne bruge visse apps på (google-) frie mobil-operativ-systemer. Jeg er naiv/dum nok til at forestille mig at de folk hos Volla og murena, og andre parthavere, faktisk har hjerner. 😅
Det mobilepay og mobilbankapps'ene gør, er jo at suspendere brugen af MitID i alt fald delvis. Du kan godt bruge netbank på mobil, også på googlefri mobiler. Det er en del besværligere, hvilket i nogen grad er et (web-) designproblem.
Med mobilepay/mobilbank identificerer du dig én gang, derefter blot et swipe og/eller en pinkode, istedet for mitID. Efter min mening burde mobilepay blot tilbyde at identificere med mitID pr betaling. Bankerne kunne gøre det samme.
@h0gh Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617
@jpkolsen @anderslund @pmakholm men for at det kan virke helt skudsikkert er der behov for kontrol over hele kæden fra Secure boot i hardware der godkender os der så kan validere apps.
Hvis noget i den kæde er brudt kan der lyves.
@jpkolsen Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617
Anders Lund
Peter Makholm
Sune Stolborg Vuorela
GrapheneOS
Jonas Høgh
Johan Pelck Olsen