Initial release of my Auditor app as an independent project: github.com/AndroidHardeni. It's also available on the Play Store as a free app: play.google.com/store/apps/det.
It provides hardware-based integrity and identity verification for a gradually expanding set of supported devices.
Conversation
Replying to
"It cannot be bypassed by modifying or tampering with the operating system (OS) because it receives signed device information from the device's Trusted Execution Environment (TEE) including the verified boot state, operating system variant and operating system version."
2
1
Replying to
I can read. However, tools like Magisk (github.com/topjohnwu/Magi) can spoof build properties - which seem to be at least part of your attestation - and other system state, what makes the trusted environment APIs invulnerable to scenarios like that? Genuinely curious.
2
Replying to
Build properties play no part in the verification process. It relies on hardware-based security features that cannot be bypassed without exploiting either the TEE or bootloader. Magisk or a rootkit with control of the kernel / OS don't have a way to spoof anything relevant.