Detailed thread about a substantial improvement for pinning-based hardware attestation in Android 12:
twitter.com/GrapheneOS/sta
This will make the hardware-based attestation used by the GrapheneOS Auditor app substantially more secure due to per-instance attestation signing keys.
It will otherwise work the same way as before.
Each Auditee will still make a persistent hardware-backed key for each Auditor and then a temporary fresh key for each subsequent verification.
Hardware attestation information will be far better secured via per-instance pinning.

