Version 5 of my Auditor app is available:
github.com/AndroidHardeni
The update is being rolled out via the Play Store too. It can now gather StrongBox attestation samples for later use and extends support to verifying the HTC EXODUS 1, HTC U12+ and Samsung Galaxy Note 9 SM-N960F.
QR codes will also be a bit leaner, so they'll scan faster. I forgot to regenerate the DEFLATE dictionary as part of releasing the overhauled app with a new name and signing keys. Luckily the protocol is versioned with forward/backward compatibility:
github.com/AndroidHardeni
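As an added illustration (not code from the Auditor app), this shows why a stale preset dictionary still decodes but costs QR capacity, and how a version byte lets the verifier keep both dictionaries. The record layout, package names and key fingerprints are constructed stand-ins; real payloads are attestation certificate chains.

```python
import hashlib
import zlib

# Constructed stand-in for an attestation record. Real payloads are certificate
# chains; this only mimics "mostly boilerplate, a few device-specific values",
# which is what makes a preset DEFLATE dictionary pay off for small QR payloads.
def sample_record(package: str, signer_hex: str, serial: str) -> bytes:
    return (f"package={package};signer={signer_hex};serial={serial};"
            f"verified_boot=green;os_version=2019;patch_level=2019-02").encode()

def fingerprint(label: bytes) -> str:
    # Constructed 64-hex-char "signing key fingerprint" for the example only.
    return hashlib.sha256(label).hexdigest()

OLD_SIGNER = fingerprint(b"constructed old signing key")
NEW_SIGNER = fingerprint(b"constructed new signing key")

# Hypothetical wire layout: one version byte, then raw DEFLATE compressed with
# that version's preset dictionary. Version 1's dictionary was generated from a
# sample carrying the old app name and key, version 2's from the new ones. The
# verifier keeps both so QR codes produced by older clients still decode.
DICTIONARIES = {
    1: sample_record("org.example.oldname", OLD_SIGNER, "0" * 16),
    2: sample_record("org.example.newname", NEW_SIGNER, "0" * 16),
}

def encode(version: int, payload: bytes) -> bytes:
    """Compress with the version's dictionary and prefix the version byte."""
    comp = zlib.compressobj(level=9, wbits=-15, zdict=DICTIONARIES[version])
    return bytes([version]) + comp.compress(payload) + comp.flush()

def decode(blob: bytes) -> bytes:
    """Pick the dictionary from the version byte; reject unknown versions."""
    version = blob[0]
    if version not in DICTIONARIES:
        raise ValueError(f"unsupported protocol version {version}")
    decomp = zlib.decompressobj(wbits=-15, zdict=DICTIONARIES[version])
    return decomp.decompress(blob[1:]) + decomp.flush()

def compare_dictionaries() -> dict:
    """Encode one new-app record with the stale (v1) and fresh (v2) dictionary."""
    payload = sample_record("org.example.newname", NEW_SIGNER, "ABCDEF0123456789")
    stale, fresh = encode(1, payload), encode(2, payload)
    assert decode(stale) == payload and decode(fresh) == payload  # both round-trip
    return {"raw": len(payload), "stale_dict": len(stale), "fresh_dict": len(fresh)}

if __name__ == "__main__":
    print(compare_dictionaries())
```

The stale dictionary still round-trips because the version byte selects it on the verifier side; it just no longer covers the new name and key, so those bytes go out as literals and the QR code grows.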
StrongBox attestation could be quite useful. It has much less attack surface so it's much harder to extract the app-generated keys and batch key. Exploiting the TEE wouldn't compromise the keys. It would also be harder to fake verified boot results. May have disadvantages though.
TEE is better positioned to perform further attestation checks in the future, although it could pass that information to StrongBox. Having a separate chip also isn't strictly better. There are advantages and disadvantages. It'd be nice if both chains easily fit into QR codes.
