My Auditor app can be expanded to verifying any device launched with Android 8+ once someone submits sample data from that device with the bootloader still locked. Install the app (via play.google.com/store/apps/det or github.com/AndroidHardeni) and press 'Submit sample data' in the menu.
Conversation
Replying to
To what extend can an app guarantee a state of the system when the underlying integrity is not verifiable?
How do you know a sample is genuine (1) and (2) even if it is, we take the report from a system difficult to verify even if AOSP.
I am really glad you cont. working on this
1
1
1
Replying to
See the documentation: attestation.app/about. The system is verifiable via hardware support for attestation and verified boot. The main thing needed from the samples is the verified boot key fingerprint to distinguish devices from each other, which is part of key attestation.
Replying to
Well, yes, exactlywhy I was asking.
Aside the device bootloader identify, is anything else really verifiable?
Maybe better phrased the question.
1
1
Replying to
There's verified boot for the entire operating system and information about it is surfaced via the key attestation feature. It provides a signed public key certificate for the key including verified boot state + fingerprint and versions of the boot, system and vendor images.
1
1
Show replies
The app implements a protocol for paired identity and integrity verification using hardware-backed keys. It doesn't implement any integrity verification itself but rather the hardware and firmware provides it and exposes the information to the app via the hardware-backed keys.
3