Ok I fully admit I'm dumb and don't understand this. But a Friday news dump of a hyper-technical article outlining new SafetyNet checks that... now rely on the cloud? Google's going to have a big database of every single phone and flag each one as legit or not? Help?
Quote Tweet
🔑 We’re upgrading Android’s attestation with Remote Key Provisioning. Starting in Android 12.0 and mandated in Android 13.0, this scheme allows us to stop provisioning to compromised devices. Learn how it works and the changes to look out for. ↓ goo.gle/3tD2c5u
Replying to
It's about hardware-based key attestation as part of the hardware keystore API available to apps. It relies on hardware-based cryptography, not any kind of database of devices. SafetyNet attestation does use hardware-based attestation when available and includes it in the result.
Replying to and
Hardware-based attestation is an AOSP feature which works well for other operating systems and is dramatically more useful and secure than SafetyNet's sketchy software-based attestation. It can also be used based on pinning instead of chaining to Google's attestation roots.
Replying to and
The reason SafetyNet attestation is so easily bypassed is because it only uses hardware-based attestation when it sees it's available. It can be tricked into thinking that it's not available and falls back to the nearly useless software-based attestation that's easily tricked.
Replying to and
SafetyNet attestation does include an extra value when it performed hardware-based verification, but I'm not aware of any app using it which checks for it. Their use of hardware-based attestation simply verifies based on the root. Auditor pins the attestation certificate chain.
Replying to and
The other new major feature is support for apps generating their own attestation signing keys in the hardware keystore. We (GrapheneOS) requested this several years ago and they ended up providing it. Useless for SafetyNet or DRM, but very useful for Auditor.
Quote Tweet
Android 12 has far better support for the pinning-based approach to hardware attestation used by the GrapheneOS Auditor app. It was a feature we requested a few years ago and they ended up taking our feedback into account. It was one of the things that led to the new feature.
Replying to and
Also see grapheneos.org/articles/attes which is a guide for app developers on how they can use hardware-based attestation to support other operating systems like GrapheneOS. It's also far more meaningful/secure if they use it as a full replacement instead of allowing one or the other.
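
In the SafetyNet Attestation response, the "extra value" mentioned in the thread is the `evaluationType` field. The following is an added example, not code from the thread or from GrapheneOS: a server-side policy check that fails closed unless hardware-backed evaluation is reported. It assumes the JWS signature and certificate chain were already verified; the function name, freshness window and sample payloads are constructed for illustration.

```python
import json

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window, not a Google-defined value


def check_verdict(payload_json, expected_nonce, expected_package, now_ms):
    """Return (ok, reason) for an already signature-verified SafetyNet payload."""
    try:
        p = json.loads(payload_json)
    except ValueError:
        return False, "malformed payload"
    if not isinstance(p, dict):
        return False, "malformed payload"
    if p.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    ts = p.get("timestampMs")
    if not isinstance(ts, int) or abs(now_ms - ts) > MAX_AGE_MS:
        return False, "stale or missing timestamp"
    if p.get("apkPackageName") != expected_package:
        return False, "unexpected package"
    if p.get("ctsProfileMatch") is not True or p.get("basicIntegrity") is not True:
        return False, "integrity verdict failed"
    # evaluationType is a comma-separated string such as "BASIC,HARDWARE_BACKED".
    # A missing field or a BASIC-only value means the verdict came from the
    # software fallback, so treat both as failure instead of trusting the booleans.
    field = p.get("evaluationType")
    types = {t.strip() for t in field.split(",")} if isinstance(field, str) else set()
    if "HARDWARE_BACKED" not in types:
        return False, "no hardware-backed evaluation"
    return True, "ok"


# Constructed sample data (not captured from a real device).
NONCE, PKG, NOW = "c2FtcGxlLW5vbmNl", "com.example.app", 1_700_000_000_000


def sample(evaluation_type):
    p = {"nonce": NONCE, "timestampMs": NOW - 1000, "apkPackageName": PKG,
         "ctsProfileMatch": True, "basicIntegrity": True}
    if evaluation_type is not None:
        p["evaluationType"] = evaluation_type
    return json.dumps(p)


if __name__ == "__main__":
    for label, et in [("hardware", "BASIC,HARDWARE_BACKED"),
                      ("software fallback", "BASIC"), ("field absent", None)]:
        print(label, check_verdict(sample(et), NONCE, PKG, NOW))
```

A policy like this rejects devices that cannot do hardware-based attestation at all, which is the trade-off for not accepting the fallback path.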