There was an OS update between the first and second samples, so I hope they don't change the key at every update…
The verified boot key never changes and the fingerprint is a hash of it, so it doesn't change unless there's an update to the algorithm used to calculate it, which shouldn't really be done once a device is shipped. Make sure you have Auditor version 12 on both Auditee and Auditor.
That was it, the Auditor device didn't have version 12, but the version from Google Play.
Isn't the vendor patch level weird? I can't believe they didn't update *any* vendor blob since last August, since the device shipped last month.
Yes, that's meaningless right now because none of the vendors (including Google) is bothering to update VENDOR_SECURITY_PATCH. You can see that they have the wrong value set by running `getprop ro.vendor.build.security_patch`, which is what gets sent to the keystore in early boot.
I update it properly for GrapheneOS though, and I've tried reporting the issue to Google to get them to start updating the property. They thought I was trying to get a bug bounty for reporting it and rejected it as a vulnerability. I'll try reporting it another way at some point.
By the way, the identity is just the sha256 of the app's persistent key in the keystore so it's not really private information. It's only unique to each pairing and will be a new value for every pairing. If you do it again you'll see it performs a strong paired verification.
By the way, the reason version 12 is not being pushed out via Google Play is because of their nonsense new policies. I set the app as valid for all ages, since clearly there's nothing inappropriate, and they rejected it due to claiming it violates the Play Store family policies.
I'm guessing this is an automated classification because it uses the camera? Did they give a justification or are you still appealing the process?
I think they are mad that I have a blank feature graphic which gets displayed as an image header above the app information in the Play Store. They claim that my promotional images are misleading. I don't see how it's misleading to not have the resources to design that graphic.
Yeah, they don't like these types of hacks. Hey, at least you have an adaptive icon 😃
I don't see how it's in any way misleading to not have something for that graphic: "Your feature graphic is displayed before your screenshots on your app’s store listing". I guess I'll throw the app name and screenshot into some terrible online generator to make a placeholder.

