Hmm. Why? AIUI there's enough diversity in setup that it's not super-easy to hit things remotely at scale.
Mobile voting, especially given how many people are on old, insecure versions of Android, seems way easier.
Conversation
Straightforward question: what's the minimum version of Android that will generate remotely-verifiable attestations to the OS integrity, the voting app's integrity, and the absence of apps trying to draw above the voting app? I think what you'd want is a "SafetyNet attestation".
1
SafetyNet attestation is not meaningfully verified. It's a much different thing than hardware-based attestation. Devices launched with Android 8 or later have the necessary hardware support for hardware-based attestation. SafetyNet doesn't build on it but rather is pure theatre.
1
If you verify solely based on the attestation root of trust, that would mean compromising the hardware keystore on a single device is a full compromise of the entire attestation system. It's not a solution to this problem since you need do pairing for it to provide good security.
1
Even if you had a way to securely bootstrap, vast majority of devices don't have a secure element providing a StrongBox keystore but rather only a TrustZone-based keystore. TrustZone security is not great. Also, checking patch level in the attestation will rule out most devices.
1
See attestation.app/about if you're interested in it. I built github.com/GrapheneOS/Aud and github.com/GrapheneOS/Att to provide a way for users to use hardware-based attestation with Trust-On-First-Use pairing. It does bootstrap with the root, but that's an incredibly weak check.
1
Verification based on the attestation root is essentially only useful for implementing anti-cheat / DRM. It can be fooled by anyone able to compromise a single TEE / SE on any device, including one without updated firmware. Bunch of companies also have access to valid batch keys.
1
I don't see another way of doing it for use cases like this with the current implementation. It would certainly be better than not using any hardware-based attestation at all, but unless the devices are going to have pairing done before being distributed to users it's very weak.
1
Thanks for this thread. What I think I'm hearing is that the sort of attestation that would be a meaningful lower bar for a voting app isn't going to happen any time soon for most Android devices.
1
1
In a less unpopular opinion than I initially expressed, I’d argue that SafetyNet / DeviceCheck may be Good Enough (TM) in practice.
What is an individual jailbreaking/rooting their phone able to achieve?
2
1
Might as well depend on the proper hardware-based attestation since devices launched with Android 7+ are the vast majority in the US. Just need to keep in mind that an attacker able to exploit the weakest TrustZone implementation of their choice is able to get a valid batch key.