Wow what the hell??? Apparently Android apps include some form of DRM based on some Google ID baked deep into Google-sanctioned ROMs?? Making it impossible to run even open source apps like Signal on phones without it.
Quote Tweet
Replying to @pepijndevos
Most custom roms, or phones sold in the west, have those tool sets without realizing it. Only phones affected by the US embargo, and ones sold where Google is banned, have 0 Google kernel access.
No, they don't. Signal explicitly chooses to use the Play services libraries. Android SDK is open source, can be built from source and doesn't include those by default. Using the Play services libraries doesn't impose any kind of DRM on the app. There's no basis to any of this.
SafetyNet isn't based on any ID. It has a software implementation checking for the device / OS appearing to be a combination that's certified, and a hardware implementation based on a batch certificate provisioned on 100k+ devices. It has to be very explicitly used by a service.
It's really not what they were describing though. An app has to very explicitly choose to use attestation. It's annoying that some banking apps and a few other rare cases of apps use it. I don't think they were talking about SafetyNet attestation but there's nothing else similar.