Android provides a standard hardware attestation system with support for alternate operating systems by allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust.

Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control.

https://mastodon.social/@volla/116238706890314617

Unified Attestation will permit using products from the companies involved in it while forbidding using arbitrary alternatives. They clearly aren't going to enforce reasonable security standards since their products wouldn't meet those. The whole purpose of the system is to permit their products regardless of merit and convince banking/government apps to adopt it.

There's nothing neutral or fair about a system controlled by companies approving their own products while disallowing other options.

Companies forming an anti-competitive cartel providing a service which permits their products while disallowing others isn't legal regardless of how they market it. It's not legal when Google does it with the Play Integrity API and it's not legal when it's Volla, Murena and iodé doing it.

We won't be participating in a system which gives these companies veto power over app compatibility on GrapheneOS. These companies will not be given the power to make arbitrary demands of GrapheneOS.

We've been talking back and forth with multiple regulators over the past several years about the Play Integrity API to have action taken against it. Unified Attestation is a massive disruption to our efforts and will get in the way of having regulators take action against this. We've also been considering filing a lawsuit against Google over the Play Integrity API.

Unlike Google, the companies involved in Unified Attestation don't have massive resources to defend their anti-competitive system.

Android's standard hardware API doesn't require delegating verification to a centralized service. One or more neutral organizations could exist certifying devices and operating systems without providing a centralized API. Those organizations could simply provide signed releases with the roots of trust, revoked keys and operating system key fingerprints. Apps could use multiple different certifying organizations. This is already something Android's hardware attestation API fully supports today.

Volla, Murena and iodé are each a for-profit company selling devices. Each of them has failed to keep up with important security patches and protections. Each has marketed their products as providing a level of security they don't provide. It's very clear why these 3 companies want to be in charge of choosing which devices and operating systems people are allowed to use. They want to make sure their products are permitted and want to have an advantage over others to boost their profits.

Unified Attestation is an anti-competitive cartel turning a decentralized decision into a centralized one. Instead of neutral organizations being formed to certify devices without a massive conflict of interest, these companies will sign off on their products regardless of the level of insecurity. Multiple competing companies forming a cartel which locks out other options is not legal. We're fully willing to file one or more lawsuits over this. It should be discontinued now prior to harming us.
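The decentralized model described in the post above (signed releases of roots of trust, revoked keys and OS verified boot key fingerprints from several independent certifiers, consumed directly by the app with no central API) as an added Go example. This is not code from GrapheneOS, Volla, Murena, iodé or Android; it was written for this page. Assumptions: the `Release` JSON format, the certifier names "alpha" and "beta", the serial `0x5eed` and all keys are hypothetical and generated in memory; the ASN.1 structs are a reduced subset of the real `KeyDescription` (only `RootOfTrust` in `teeEnforced`), so they parse the constructed chain here but not a full production attestation; the chain uses throwaway Ed25519 certificates where real Android chains are ECDSA P-256 with intermediates. The attestation extension OID is the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// OID of the Android key attestation extension (a real value). The three structs are a
// reduced subset of its KeyDescription/AuthorizationList/RootOfTrust holding only the
// fields this example reads; real AuthorizationLists carry many more tagged fields.
var attestationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 1, 17}

type rootOfTrust struct {
	VerifiedBootKey   []byte // SHA-256 of the OS's verified boot public key
	DeviceLocked      bool
	VerifiedBootState asn1.Enumerated // 0 Verified, 1 SelfSigned, 2 Unverified, 3 Failed
	VerifiedBootHash  []byte
}
type authList struct {
	RootOfTrust rootOfTrust `asn1:"tag:704,explicit,optional"`
}
type keyDescription struct {
	AttestationVersion       int
	AttestationSecurityLevel asn1.Enumerated
	KeymasterVersion         int
	KeymasterSecurityLevel   asn1.Enumerated
	AttestationChallenge     []byte
	UniqueID                 []byte
	SoftwareEnforced         authList
	TEEEnforced              authList
}

// Release is what a certifying organization would publish (hypothetical format): its
// roots of trust (PEM), revoked leaf serials and the verified boot key hashes of the
// operating systems it certifies (both hex), signed with the organization's Ed25519 key.
type Release struct {
	Certifier      string          `json:"certifier"`
	RootsPEM       []byte          `json:"roots_pem"`
	RevokedSerials map[string]bool `json:"revoked_serials"`
	OSFingerprints map[string]bool `json:"os_fingerprints"`
}
type SignedRelease struct{ Payload, Sig []byte }

func SignRelease(r Release, k ed25519.PrivateKey) SignedRelease {
	p, _ := json.Marshal(r)
	return SignedRelease{p, ed25519.Sign(k, p)}
}

// Evaluate accepts the chain (leaf first, then issuers) if any certifier whose key the
// app pins admits it in a validly signed release: chain verifies to one of that
// certifier's roots, leaf serial not revoked, device locked with verified boot, and the
// verified boot key listed. A stricter app could require every pinned certifier to agree.
func Evaluate(chain [][]byte, releases []SignedRelease, pinned map[string]ed25519.PublicKey) (string, error) {
	if len(chain) == 0 {
		return "", fmt.Errorf("empty attestation chain")
	}
	leaf, err := x509.ParseCertificate(chain[0])
	if err != nil {
		return "", err
	}
	inter, kd := x509.NewCertPool(), keyDescription{}
	for _, der := range chain[1:] {
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	for _, e := range leaf.Extensions {
		if e.Id.Equal(attestationOID) {
			if _, err := asn1.Unmarshal(e.Value, &kd); err != nil {
				return "", err
			}
		}
	}
	rot := kd.TEEEnforced.RootOfTrust // zero value (extension absent) fails the next check
	if !rot.DeviceLocked || rot.VerifiedBootState > 1 {
		return "", fmt.Errorf("bootloader unlocked or verified boot state %d", rot.VerifiedBootState)
	}
	fp, serial, reasons := hex.EncodeToString(rot.VerifiedBootKey), leaf.SerialNumber.Text(16), []string{}
	for _, sr := range releases {
		var r Release // the name is read unverified, but only the pinned key for that name is tried
		if json.Unmarshal(sr.Payload, &r) != nil {
			continue
		}
		if pub, ok := pinned[r.Certifier]; !ok || !ed25519.Verify(pub, sr.Payload, sr.Sig) {
			reasons = append(reasons, r.Certifier+": release not signed by a pinned key")
			continue
		}
		roots := x509.NewCertPool()
		roots.AppendCertsFromPEM(r.RootsPEM)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		switch {
		case err != nil:
			reasons = append(reasons, r.Certifier+": "+err.Error())
		case r.RevokedSerials[serial]:
			reasons = append(reasons, r.Certifier+": leaf serial revoked")
		case !r.OSFingerprints[fp]:
			reasons = append(reasons, r.Certifier+": verified boot key not certified")
		default:
			return r.Certifier, nil
		}
	}
	return "", fmt.Errorf("no certifier accepted the device: %v", reasons)
}

// Constructed sample verified boot key hashes standing in for two operating systems.
var FingerprintA, FingerprintB = sha256.Sum256([]byte("example OS A AVB key")), sha256.Sum256([]byte("example OS B AVB key"))

// BuildScenario constructs throwaway inputs: a leaf+root chain (Ed25519 here; real chains
// are ECDSA P-256 with intermediates) for a device with the given verified boot key and
// lock state, and releases from certifiers "alpha" and "beta" that pin the same root but
// certify different operating systems; beta has also revoked this leaf's serial.
func BuildScenario(verifiedBootKey []byte, locked bool) ([][]byte, []SignedRelease, map[string]ed25519.PublicKey) {
	now := time.Now() // errors from the standard-library calls below are ignored: fixed inputs
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Attestation Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, rootPub, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	ext, _ := asn1.Marshal(keyDescription{AttestationVersion: 300, AttestationSecurityLevel: 1, KeymasterVersion: 300, KeymasterSecurityLevel: 1,
		AttestationChallenge: []byte("app nonce"), TEEEnforced: authList{rootOfTrust{verifiedBootKey, locked, 0, make([]byte, 32)}}})
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(0x5eed), Subject: pkix.Name{CommonName: "Android Keystore Key"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), ExtraExtensions: []pkix.Extension{{Id: attestationOID, Value: ext}}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, rootKey)
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	alphaPub, alphaKey, _ := ed25519.GenerateKey(rand.Reader)
	betaPub, betaKey, _ := ed25519.GenerateKey(rand.Reader)
	fpA, fpB := hex.EncodeToString(FingerprintA[:]), hex.EncodeToString(FingerprintB[:])
	releases := []SignedRelease{
		SignRelease(Release{"alpha", rootPEM, nil, map[string]bool{fpA: true}}, alphaKey),
		SignRelease(Release{"beta", rootPEM, map[string]bool{"5eed": true}, map[string]bool{fpB: true}}, betaKey),
	}
	return [][]byte{leafDER, rootDER}, releases, map[string]ed25519.PublicKey{"alpha": alphaPub, "beta": betaPub}
}

func main() {
	for _, locked := range []bool{true, false} {
		for _, fp := range [][]byte{FingerprintA[:], FingerprintB[:]} {
			chain, releases, pinned := BuildScenario(fp, locked)
			fmt.Println(Evaluate(chain, releases, pinned))
		}
	}
}
```

The point the example makes concrete is that the app, not a third-party service, holds the trust decision: it pins the public keys of the certifiers it chooses, and a certifier can only add or revoke roots and OS fingerprints for apps that chose to pin it. Adding a second certifier costs one more pinned key and one more signed release, and the two certifiers never need to agree or share infrastructure. A production verifier would additionally compare `AttestationChallenge` with the nonce the app generated, require a hardware `attestationSecurityLevel`, check `osPatchLevel` and the other `AuthorizationList` fields, and apply the real revocation list format rather than the hypothetical one used here.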

@GrapheneOS

Well on the bright side as long as they sign their own insecure crap there will always be enough vulnerabilities to break their entire vendor-lock-in system...

@GrapheneOS Thank you GOS🙏 for defending everyone’s👨‍⚖️privacy.🕵️‍♀️