Mastodawn

GrapheneOS 2d ago

If apps are required to verify the hardware, operating system and their app for regulatory reasons they should use an approach supporting arbitrary roots of trust and operating systems. Android already has a standard hardware attestation system usable for this.

Android's documentation and sample libraries are biased towards Google by using them as the only valid root of trust and the API is biased towards stock operating systems but it's better than a centralized API.

https://infosec.exchange/@rene_mobile/116286110700616525

Apps should only resort to this if they're forced to do it. Root-based attestation provides minimal security and is easy to bypass. It's inherently insecure due to trusting the weakest security systems. A leaked key from the TEE/SE on any device can be used to spoof attestations for any device.

Play Integrity permits a device with years of missing security patches. It isn't a legitimate security feature. It checks for a device in compliance with Google's Android business model, not security.

GrapheneOS 2d ago

Unified Attestation is another anti-competitive system putting companies selling products in control of which devices and operating systems are allowed to be used. As with the Play Integrity API, it's a phony security feature existing solely to get their products permitted while disallowing fair market competition.

GrapheneOS 2d ago

Android's hardware attestation API is problematic for a free and open market because it supports root-based attestation. However, it does at least support choosing arbitrary trusted roots and arbitrary trusted operating systems. It isn't locked to Google's roots or stock OSes they certify.

GrapheneOS 2d ago

We made a proposal to Google for pinning-based attestation support for Android hardware attestation and they ended up implementing it. It can be used in combination with root-based attestation or without it. It doesn't have the anti-competitive properties and provides far more actual security value.

GrapheneOS 2d ago

Root-based attestation trusts the whole hardware attestation ecosystem. Leaked keys from any device can be used to bypass it. Pinning-based attestation starts trust from first use and then provides a high level of security based on the security of the device's early boot chain and secure element.

GrapheneOS 2d ago

Root-based attestation is mainly used to disallow an arbitary device, OS or modified app for control rather than security. Pinning-based attestation lacks those negatives and can be very secure. It can be bootstrapped by root-based attestation but it works without it and it's not the only approach.

opinonToo 2d ago

@GrapheneOS do you have links to more information on pinning-based attestation? It is important to point app devs to it in order to avoid attestation by play integrity api.

Is there an in-depth blogpost that lays how you define root-based vs pinning-based attestation?

I'm trying to understand the argumentation why root-based attestation is considered bad and why pinning-based attestation is better.
I've been going through the auditor app's about page and some of your comments in the source code, but I'm failing to understand the difference between root-based vs pinning-based attestation, so far.

From my PoV Auditor just uses the standard Android app attestation (in a neat way). Is there anything specific that libraries like Warden do differently architecturally, something that you consider being problematic?
Or do the approaches distinguish themselves, mostly by the threat model instead?

Tbf, I really just started looking more deeply into how attestation works on Android the other night, so please excuse my ignorance. I just can't seem to find a good resource that explains the differences between the approaches.

@GrapheneOS
I also want to be up-front about it and disclose that I do know people involved in the Warden library.

GrapheneOS 2d ago

@hupf There's a clear difference between verification via chaining to a root of trust where a leaked key from any device can be used to bypass it and it can be used for anti-user control vs. generating a key in the secure element for signing attestations which is pinned. Auditor combines both together but is primarily based as pinning-based attestation. Your earlier posts show you don't have a good understanding of Android hardware attestation with or without the attest key feature for pinning.

@GrapheneOS
Yep that's true. I really didnt (and dont yet). Thanks for the learning opportunity. Im gonna try and change that

@GrapheneOS
One of the main gaps in my understanding disappeared after realizing that the auditor app does not use a rotating Attestation key.
The whole protocol makes a lot more sense to me now.

Essentially, a potential attacker CANNOT just use any leaked attestation key AFTER initial setup. They would need the SAME key to forge an attestation statement.

@GrapheneOS
oh and that is really neat, because even IF an attcker has gained root access on a device, the attacker will not be able to create fresh attestation results that contain a spoofed OS version/patch level in order to trick auditors (unless the attacker also manages to break VerifiedBoot, but that is considered really hard).

Henning 22h ago

I agree with your point but would appreciate a transparent and open way for other OSes and devices to be accepted on the #AttestationApp / #Auditor.

So that it becomes less of a #GrapheneOS-only tool.

I have used other Androids on a Pixel with locked bootloader but their hash was not in your database so there was zero information to see for me. Apparently, multiple users could try to authenticate an OS and then there would be a chance for you to add it.

PlutonicXT 2d ago

@GrapheneOS I use Graphene / Nitrokey phone. Is there a site I can go to to learn about this stuff - like, what is pinning, etc.? Thank you.

@GrapheneOS And leaked keys are used to bypass Play Integrity (cf. https://xdaforums.com/t/tricky-store-bootloader-keybox-spoofing.4683446/)

Tricky Store - Bootloader & Keybox Spoofing

IMPORTANT: I'm not the dev. of this module or have any affiliated with the dev. So a Big Thanks to the devs (5ec1cff & aviraxp) of this great module. All the credits for the images and apps and modules, go to the original devs. (I only share...

XDA Forums

🅱🅻🆄🅴🅱️2d ago

What do you feel is the culture or climate for Google when it comes to allowing others to utilize Android?

Do you feel they are conflicted? It sounds like they are still working with you which is good, but that they are equal parts working against you. That's vague, but hopefully makes sense.

Do you think the culture is supportive of your work? That they are resisting the capture of Android as a purely extractive operating system?

@GrapheneOS I haven't seen you post about unified attestation for days. I was beginning to worry you'd changed your mind. How am I supposed to know your thoughts on unified attestation if you don't post about it daily?

@GrapheneOS The above is a joke, GrapheneOS is an awesome project.

GrapheneOS 2d ago

@migam830 We'll stop posting about it after it's discontinued.

pixelschubsi 23h ago

@GrapheneOS Are you talking about https://uattest.net/? I had a glimpse at it, and they talk about multiple backends and federation of backends. As I understood it, everyone can create a backend and create tokens for devices/OS that they like, it's then subject for the app developers to accept those tokens, either directly or indirectly through federation. Which means it does allow for competitor OS to also be accepted for as long as the app developer or their selected backends support it.

Unified Attestation

Unified Attestation is a free, open-source alternative to Google Play Integrity with offline verification and simple app + server integration.

pixelschubsi 23h ago

@GrapheneOS Notably, if you worry about old and insecure devices (like those still accepted by Play Integrity) as an app developer your just need to make sure to use a backend that would not sign them off. Which may well be one that's not the hardware manufacturer. I see Unified Attestation more as a decentralized/federated version of Play Integrity that gives app developers control to decide which devices, operating system creators or third-party attestors they trust.

pixelschubsi 23h ago

@GrapheneOS As an app developer that needs to take care of this, I don't want to open the https://grapheneos.org/articles/attestation-compatibility-guide page and copy out the fingerprints for those various devices out and update my local copy of them whenever a new device is supported by GrapheneOS. I just want to have a way to say "I trust whatever GrapheneOS guys consider safe". In understand Unified Attestation could be that way (if GrapheneOS was to provide a backend for it).

GrapheneOS attestation compatibility guide

Guide on using remote attestation in a way that's compatible with GrapheneOS.

GrapheneOS

GrapheneOS 23h ago

@pixelschubsi That's a misrepresentation of the alternative to putting Volla, Murena and iodé in charge of which devices and operating systems are allowed to be used. It would be entirely possible to distribute signed lists of verified boot key fingerprints for use with a library using the Android hardware attestation API. It would also be possible to distribute alternative roots of trust. Why should there be another API layered on top of it controlled by these for-profit companies attacking us?

pixelschubsi 16h ago

@GrapheneOS Well, I guess those lists would need to be updated regularly, so there's need to do that automatically. And you might want to go further than just the fingerprint (e.g. compare security patch level against what it should be). Of course all of these could be provided in an openly standardized API and then the verification is done at the app server, but that increases complexity for the app developer.

pixelschubsi 16h ago

@GrapheneOS If things are openly standardized I wouldn't consider them controlled by the author anymore. In the end, what app developers verify is some JWT with a few standardized fields, signed by whoever they decide to trust. Even if the Unified Attestation authors were to intentionally act malicious, as long as GrapheneOS would be able to provide such JWT, it could be compatible with the system and allow app developers to easily accept GrapheneOS devices.

GrapheneOS 23h ago

@pixelschubsi The companies behind Unified Attestation are heavily misleading people about what they're doing and we've already provided a detailed response debunking it.

You should read https://grapheneos.social/@GrapheneOS/116239523775374959 and stop promoting this anti-competitive garbage from companies which are actively attacking the GrapheneOS project and our team.

Android already has a hardware attestation API open to permitting anything which is literally what they're using to make an anti-competitive system on top.

GrapheneOS 23h ago

@pixelschubsi Here's a thread documenting attacks made by Volla on GrapheneOS from a sockpuppet account which they've clearly shown belongs to one of them:

https://grapheneos.social/@GrapheneOS/116251325625494349

We know which employee at Volla this account belongs to based on their specific writing style and unique attacks. They were involved in Volla reaching out to us where it was clear they were unable and unwilling to meet our requirements so it didn't go anywhere. This account posted non-public info about that.

GrapheneOS 23h ago

@pixelschubsi Why do you think it makes sense for a company using sockpuppet accounts to promote themselves and attack GrapheneOS to be in charge of which devices and operating systems people are allowed to use?

The two other companies they've named as being involved in it have been attacking the GrapheneOS project with fabrications for years.

Why not simply use the standard Android hardware attestation API rather than an API layered on top of it which exists to put them in control of it?

pixelschubsi 16h ago

@GrapheneOS As I said, the standard hardware attestation API bears to much work on the app developer. That's the reason why everyone uses Play Integrity and not directly hardware attestation, even though doing so could provide much better security (as old and insecure devices can be kicked out). Some app developers would go as far as adding GrapheneOS next to Play Integrity, but that's a minority and that also doesn't improve security for them (because they still accept Play Integrity).

pixelschubsi 16h ago

@GrapheneOS The Unified Attestation system would make things easy for all developers and is not tied to a single trust root. You can use the system entirely without trusting Volla or any if the other companies currently involved. In fact, as I understand, Volla at most wants to be a trust root for their own devices.

pixelschubsi 16h ago

@GrapheneOS But for the system to work and be adopted as an alternative to Play Integrity and to be able to entirely replace it, one would need independent trust root(s) for the majority of secure devices (e.g. all the Samsung phones people actually have). As these trust roots would no longer be bound to GMS certification (which is what Play Integrity is essentially about), they could even have GrapheneOS in it (and there's no good reason why it wouldn't).

pixelschubsi 15h ago

@GrapheneOS What confuses me is that you're making a huge effort to argue against Unified Attestation when at the same time, you could build something that's compatible with it (don't need to use their source, just their openly specified API) and profit from someone else promoting an alternative to Play Integrity that is compatible with GrapheneOS through your independent backend. If this gets adopted by apps and you have a backend for it working, your users will be able to profit from it.

GrapheneOS 9h ago

@pixelschubsi It makes absolutely no sense to use an API which solely exists for them to gain centralized control over attestation. Android already has a far superior hardware attestation API. Unified Attestation is entirely built on top of the standard API. It serves no valid purpose, and contrary to the inaccurate information you're peddling does not require more complexity or manually choosing which keys to allow. Your claims are inaccurate and you're basing them on their false marketing.

GrapheneOS 9h ago

@pixelschubsi Apps adopting it would not work with GrapheneOS unless they went out of the way to allow it. That's a worse situation than them using the Android hardware attestation API and permitting GrapheneOS through it. Contrary to your inaccurate claims, that doesn't at all imply manually adding each of our verified boot keys. There's no reason there can't be a signed JSON file listing out our verified boot keys. There's no reason organizations can't make a larger signed JSON file with more.

pixelschubsi 7h ago

@GrapheneOS sure, but not even you provided such a signed JSON file listing all your keys. If you think that Unified Attestation is bad, please go ahead and solve the issues it tries to solve that you didn't solve yet. If you specify and establish an open standard format for a signed JSON file that lists keys, a standardized API to retrieve and update it, that would be great as a starting point, so that others can build libraries and server software to ease verification of devices.

GrapheneOS 6h ago

@pixelschubsi That would be a very reasonable approach but handing over control to Volla definitely isn't, especially considering they pull stuff like this:

https://grapheneos.social/@GrapheneOS/116251325625494349

@pixelschubsi @GrapheneOS UA is useless, is a illegal cartel, and is yet another way to create a centralized authority under the excuse of being open-source, and to top it all off, it has been set up and is supported by completely untrustworthy for-profit companies that users should never rely on. UA is unusable, and its existence is not acceptable.