Thanks to sample submissions from users, the next release of my Auditor app will add support for verifying the BlackBerry Key2 BBF100-6, Huawei P20 Pro CLT-L29 and Sony Xperia XZ1 G8341. Device support will be expanded further once more valid samples are submitted via the app.
To submit a sample, install the app from the Play Store (play.google.com/store/apps/det) or GitHub (github.com/AndroidHardeni), open it, open the menu from the action bar and press 'Submit sample data'. Submissions from the stock OS with the bootloader locked will enable expanding support.
There's no harm in submissions from devices with the bootloader unlocked and/or not running the stock OS, but the attestation certificate chain won't pass validation and it won't provide the necessary information to expand device support. It's filtered out by my extraction tool.
I also added a Bitcoin address for contributing to the attestation project:
attestation.app/donate
3ALxptsF7nf7cGZ1ds8HLcnv5nf8gPsWPA
Even small contributions would be helpful to cover hardware and hosting costs. I'll have a Pixel 3 soon thanks to the earlier contributions.
Once the Pixel 3 arrives, I'll be quickly adding support for changes to the key attestation data (developer.android.com/training/artic) and the StrongBox Keymaster (developer.android.com/training/artic) provided by the Titan M chip on the Pixel 3:
I could use the StrongBox Keymaster in addition to the TEE Keymaster as a secondary layer of verification rather than as a replacement. It will depend on how much impact including a secondary certificate chain ends up having on reading the QR codes used for local verification.
