Conversation

Ok I fully admit I'm dumb and don't understand this. But a Friday news dump of a hyper-technical article outlining new SafetyNet checks that... now rely on the cloud? Google's going to have a big database of every single phone and flag each one as legit or not? Help?

Quote Tweet

Android Developers

@AndroidDev

Mar 25

We’re upgrading Android’s attestation with Remote Key Provisioning. Starting in Android 12.0 and mandated in Android 13.0, this scheme allows us to stop provisioning to compromised devices. Learn how it works and the changes to look out for. ↓ goo.gle/3tD2c5u

Replying to

It's about hardware-based key attestation as part of the hardware keystore API available to apps. It relies on hardware-based cryptography, not any kind of database of devices. SafetyNet attestation does use hardware-based attestation when available and includes it in the result.

Replying to

and

Hardware-based attestation is an AOSP feature which works well for other operating systems and is dramatically more useful and secure than SafetyNet's sketchy software-based attestation. It can also be used based on pinning instead of chaining to Google's attestation roots.

2:46 PM · Mar 26, 2022Twitter Web App

Replying to

and

If you have a Pixel, you can try out hardware-based attestation using the Auditor app made by GrapheneOS: attestation.app/tutorial There's an attempt at explaining how it works on our about page but it needs a lot of work to make it both more understandable and comprehensive.

attestation.app

Auditor tutorial

Tutorial on using the Auditor Android app and associated service.

Replying to

and

The reason SafetyNet attestation is so easily bypassed is because it only uses hardware-based attestation when it sees it's available. It can be tricked into thinking that it's not available and falls back to the nearly useless software-based attestation that's easily tricked.

Show replies