My Auditor app can be expanded to verifying any device launched with Android 8+ once someone submits sample data from that device with the bootloader still locked. Install the app (via play.google.com/store/apps/det or github.com/AndroidHardeni) and press 'Submit sample data' in the menu.
Conversation
Replying to
To what extend can an app guarantee a state of the system when the underlying integrity is not verifiable?
How do you know a sample is genuine (1) and (2) even if it is, we take the report from a system difficult to verify even if AOSP.
I am really glad you cont. working on this
1
1
1
Replying to
See the documentation: attestation.app/about. The system is verifiable via hardware support for attestation and verified boot. The main thing needed from the samples is the verified boot key fingerprint to distinguish devices from each other, which is part of key attestation.
2
1
2
The app implements a protocol for paired identity and integrity verification using hardware-backed keys. It doesn't implement any integrity verification itself but rather the hardware and firmware provides it and exposes the information to the app via the hardware-backed keys.