RE: https://mastodon.social/@fsfe/116131145887510612

@volla has initiated the industry consortium #UnifiedAttestation for an open-source alternative to Google Play Integrity. That will be a game-changer. All major European OS producers are joining. We have a golden opportunity now to boot out Google.

@vollaficationist @volla Unified Attestation is the direct opposite of keeping Android open. It's an anti-competitive centralized system putting Volla and other companies selling devices working with them in control of which devices and operating systems people are allowed to use. It's the direct opposite of open. There's nothing neutral or fair about companies approving using their products while disallowing others. Unified Attestation needs to be stopped.

https://grapheneos.social/@GrapheneOS/116239523775374959

@GrapheneOS Which companies are "disallowed" to partake in #UnifiedAttestation? You have formally and informally been cordially invited. As are any and all other OS manufacturers. Please, let's ease the tone. What about a constructive talk? I believe we should support one another wherever possible and meaningful. Considering the vast market potential, we all have much to gain. Some will choose GOS, some VOS, etc. It's a big cake. Let's ditch Google - unified. Good day!

@vollaficationist Unified Attestation includes multiple companies hostile towards GrapheneOS. They've spent years misleading people about GrapheneOS and making attacks on our team. Unified Attestation gives them veto power over app compatibility on GrapheneOS. It puts them in a position where they can harm GrapheneOS with unreasonable requirements and disingenuous concerns to reduce app compatibility. It's also clearly an illegal anti-competitive cartel and participating wouldn't be legal.

@GrapheneOS If it's illegal in Canada, well, then I'm sorry to hear that. Volla is seeking constructive collaboration, and the entire design of the UA is set for open and transparent collaboration. You know, if we could sidestep Google, we would all gain: the companies involved, the citizens, organisations and companies, as well as security itself.

As for Canadian law, would it be possible (legal) for you to get certificated by UA (without actively partaking in the consortium)?

@vollaficationist @GrapheneOS An anti-competitive cartel violates the principle of fair competition not only in Canada but in most countries, including the EU.

https://competition-policy.ec.europa.eu/antitrust-and-cartels_en

Unified Attestation is an initiative with Murena, Iodé, and Volla, three untrustworthy for-profit companies that want to copy Google Play Integrity API, which is already abusive and illegal, to manipulate the market and impose their misleading standards.

There is nothing neutral about it, and the fact that it’s “open-source” doesn’t change a thing.

@Xtreix @vollaficationist @GrapheneOS So what are the alternatives? Sandboxed Google? Not having banking apps? Not having alternative payment apps?
The issue is that banks are required to have this attestation by credit card companies.

@meowki @vollaficationist @GrapheneOS Most banking apps work well on GrapheneOS; check out this list: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/

The attestation compatibility guide is a good, neutral approach that is not controlled by a centralized authority: https://grapheneos.org/articles/attestation-compatibility-guide

Unified Attestation threatens the compatibility of apps for developers who refuse to participate in their illegal cartels. This seriously undermines the efforts of a project like GrapheneOS, which strives to make as many Android apps as possible compatible with a truly secure and privacy-respecting operating system, one without user accounts, AI, age verification, client-side analysis, or any default Google services nor any other tech companies, etc.

We need to support it because there’s no one else doing what GrapheneOS does.


@Xtreix I still think it’s an issue that Google Play Services is required for this to work. We need an alternative to this.

@meowki It would be great if banking apps could work without Google Play Services; that said, keep in mind that on GrapheneOS, you install Play Services and Google Play as standard, non-privileged apps that run in the hardened sandbox.

This is a significant difference compared to stock Android, where Google Play Services runs as a system app with elevated privileges that you cannot control. MicroG works in the same way and is often mistakenly presented as a more private alternative to Google Play Services.

What cross-app sandboxing doesn't protect is communication between apps based on mutual consent. If you install Instagram and Facebook on the same profile, the apps still only have access to what you authorize them to access, but since they belong to Meta, they could exchange telemetry data with each other.

To stop this, the solution is to use a system-wide secondary profile, which offers excellent isolation but is somewhat cumbersome to use, or the private space, which provides less robust isolation but is easier to use. This decision really depends on your threat model and whether or not you consider plausible communication between these applications to be acceptable.

https://grapheneos.org/usage#sandboxed-google-play

@Xtreix OK, but what about other operating systems such as SailfishOS? https://forum.sailfishos.org/t/unified-attestation/28249/9 Security aside (I get that GOS is more secure). But this may open up payment apps support for alternative systems. Are there other alternatives to UA there?

@meowki SailfishOS is a scam that collaborated with the Russian government before the invasion of Ukraine and continues to have ties to the Russian government. AuroraOS, used by the Russian government, is a fork of SailfishOS.

Curve Pay works well on GrapheneOS for contactless payment, available for EU users currently, and I recently discovered an interesting project, which is actually in development.

"Are there other alternatives to UA there?"

Unified Attestation is an alternative to Google Play Integrity API; both are abusive, illegal and completely useless.

The AOSP attestation hardware has been available since Android 8, is functional, and is neutral.

https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287#issuecomment-4085348754

https://www.curve.com/

https://walt.is/

https://techcrunch.com/2016/11/29/jollas-sailfish-os-now-certified-as-russias-first-android-alternative/

https://en.wikipedia.org/wiki/Aurora_OS_(Russian_Open_mobile_platform)


@Xtreix I can’t speak about Walt. There is too little information about it.

When I used Graphene, Vipps worked just fine. But it required Integrity protection and thus Google Play Services.

I also had many issues where people would just tell me to install the Google official apps. E.g. Gallery, camera app, and especially keyboard! The keyboard may be sandboxed, but it still requires network to work, and is the only decent JP romaji keyboard.

So in the end I decided I may as well use iPhone.

@meowki

There's a lot of GOS guys calling scam and throwing out Russian ties. It's a little desperate.

For the record the Jolla guys had a job of detangling themselves from Russia, but they did and have no ties to Russia any longer.

AuroraOS is a fork of SailfishOS, but the two projects are totally separate.

Should Jolla have worked with Russia at all? Nah, they shouldn't, but there were many major companies that continued to operate in Russia after 2014.

@doubleubee If there still are ties, I’d very much like to know. And I agree, there should have been a cut-off in 2014. Perhaps even earlier when Russia invaded Georgia.

@meowki Well we cannot deny that GOS is the gold standard for secure mobile OS, but the social media stuff does put me off somewhat.

I've asked a few times for the proof of slander and I've never been given solid proof - aside from Jolla bragging that their project isn't another AOSP project. Which it is not and they're proud of that, but them being proud of it doesn't put down what Graphene are doing. GOS should really focus more on their stellar system and not other people.

@meowki and 100% they should not have worked with Russia. I'm not sure what prompted them to do so in the first place.

They've cut ties with Russia as of 2023, and I wouldn't hold anything against people for past mistakes when they're trying to move on from them and do something good.

@doubleubee As for Graphene, I truly like it. I dropped it for iOS again since I cannot stand the Google ecosystem. I have a pinned post on how Google treats their users when you don’t share enough info with them. I wish them all well, but I also truly believe we need a mobile OS that does not rely on Google. I can’t speak for any one of these companies that Graphene claims are slandering them, but it does seem somewhat exaggerated.