Conversation

Mar 14, 2020

Google is really playing a bad game. However, as this is clearly an abuse of dominant position (80% of the mobile market with ##Android) this is clearly the best path for their dismantlement.

Quote Tweet

Christine Hall

@BrideOfLinux

Mar 14, 2020

This sucks: Some apps may stop working on rooted Android phones due to SafetyNet update buff.ly/2TZOeHR

Replying to

and

Those apps are choosing to depend on Play Services and use SafetyNet attestation to verify that it's a certified release without tampering. The issue is ultimately apps choosing to do that not Google improving SafetyNet attestation to make it less trivial for attackers to bypass.

Replying to

and

Those apps could also use hardware-based attestation directly, which doesn't require Play Services and would provide them with a higher level of assurance. Auditor uses hardware-based attestation to provide security verification / monitoring to users: attestation.app/about.

attestation.app

Auditor overview

Overview of the Auditor Android app and associated service.

10:38 PM · Mar 14, 2020Twitter Web App

Replying to

and

Say this to major app publishers...

Replying to

and

I don't use any of those apps, so I'm not sure why you expect me to do something about it. If the users of those apps want them to work without Play Services and on other operating systems, they should push for it. Same goes for apps implementing DRM with attestation features.

Show replies

Replying to

and

Many apps are using attestation for features like anti-fraud, anti-cheat or DRM rather than as a security feature like Auditor. Their approach can't provide high assurance because they don't have a pairing mechanism. The most they can do is verify based on the attestation root.