Titan M2 is a totally different thing where they did away with the Cortex secure element. They were probably working on that for at least 2-3 years before Pixel 6 launch and had Pixel 7 in development already, etc. so they see it as older than the public sees it based on launch.
They don't state it on the page but I doubt they will pay out the stated bounties for issues not impacting the most recent Pixels since they'll see it as something they addressed already. They can't go back in time and upgrade hardware they already sold, but they mostly moved on.
It has a lot of impact but whether it will be relevant going forward definitely sways the bounties. If you report a mem corruption bug in a C++ component that they've internally rewritten in Rust, they are probably going to see it as something they already addressed internally.
And I mean even if they haven't shipped the improvements eliminating it, they'll see it as essentially resolved internally already. The vast majority of their engineers are focused on the latest and greatest code and don't really do much work on the stable releases, etc. at all.
We have a lot of communication with people there and the fact that we're using stable releases while they're spending nearly all their time on much newer stuff is a communication issue. To them Android 13 is already old news and they're way past that already working on new stuff.
A few months ago, they gave us a rebuild of the keystore HAL with a bug fix for a security feature. They gave us both Android 12.1 and 13 libraries. Android 13 was just released 2 days ago. They didn't actually ship the fix for 12.1. We have to check if it's in 13. Takes so long.
Nah, it's not that. It's not a security bug but rather a security feature exposed as an API to apps that breaks 'safely'. The anti-rollback counter in the news must be for a verified boot bypass in the SoC boot chain. They often increment the Titan M anti-rollback counter with no news.
We previously noticed that people who upgraded to Android 12 Beta had their devices fail verification with our Auditor app on Android 11 because the Titan M would reject the older firmware since they updated the anti-rollback counter even in the betas.
For the OS, the anti-rollback counter is the security patch level interpreted as an integer, i.e. currently 20220805, but it's stored by the secure element and is only enforced when locked, so you can unlock and install an older OS version.
They didn't used to do rollback protection for the boot chain firmware because it's quite annoying for using Nexus and Pixel phones as development devices. They clearly made a decision to value providing proper security for verified boot, key attestation, etc. over that use case.
Keystore HAL issue we reported isn't going to get us a bounty because the feature just doesn't work right. If you generate a hardware backed attest key, it becomes unusable after the first patch level or OS version upgrade because the HAL doesn't deal with version binding update.
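Two of the mechanisms in the thread, the patch-level anti-rollback counter (enforced by the secure element only while locked) and Keymaster-style version binding of key blobs (where a blob made under an older OS version or patch level has to be upgraded after an update rather than left unusable), modelled together in one small script. This is an added, constructed example and not code from GrapheneOS, Android, Keymaster or Titan M; the class names (`SecureElement`, `Keymaster`, `KeyBlob`), the `KeyRequiresUpgrade` error and the `use_key`/`simulate_patch_update` helpers are assumptions made for illustration, and the version numbers used are sample values.

```python
"""Constructed model (added example; not Android, Keymaster or Titan M code)
of two mechanisms discussed in the thread: an OS anti-rollback counter held
in a secure element as the security patch level interpreted as an integer
and enforced only while the bootloader is locked, and Keymaster-style
version binding of key blobs, where a blob created under one OS version and
patch level must be upgraded after an update instead of silently failing.
Class and function names are assumptions made for this illustration."""

from dataclasses import dataclass
from typing import Optional, Tuple


def patch_level_to_int(level: str) -> int:
    """'2022-08-05' -> 20220805, the integer form the thread describes."""
    y, m, d = level.split("-")
    if len(y) != 4 or len(m) != 2 or len(d) != 2:
        raise ValueError(f"malformed security patch level: {level!r}")
    return int(y) * 10000 + int(m) * 100 + int(d)


@dataclass
class SecureElement:
    """Keeps the highest patch level ever booted. Downgrades are refused only
    while the bootloader is locked; the stored counter never decreases, which
    is why booting a beta once can strand an older release after relocking."""
    rollback_counter: int = 0
    locked: bool = True

    def check_boot(self, patch_level: str) -> bool:
        candidate = patch_level_to_int(patch_level)
        if self.locked and candidate < self.rollback_counter:
            return False  # verified boot fails: older than the stored counter
        if candidate > self.rollback_counter:
            self.rollback_counter = candidate
        return True


Version = Tuple[int, int]  # (os_version, patch_level), compared as a tuple


@dataclass(frozen=True)
class KeyBlob:
    key_id: str
    bound_to: Version  # system state the blob is version-bound to


class KeyRequiresUpgrade(Exception):
    """Stands in for a 'key requires upgrade' error returned by the HAL."""


@dataclass
class Keymaster:
    """Minimal HAL model: a blob is usable only under the exact system state
    it is bound to; blobs from an older state must go through upgrade_key."""
    current: Version

    def generate_key(self, key_id: str) -> KeyBlob:
        return KeyBlob(key_id, self.current)

    def begin(self, blob: KeyBlob) -> KeyBlob:
        if blob.bound_to == self.current:
            return blob
        if blob.bound_to > self.current:
            raise ValueError("blob bound to a newer system state (rollback)")
        raise KeyRequiresUpgrade(blob.key_id)

    def upgrade_key(self, blob: KeyBlob) -> KeyBlob:
        if blob.bound_to > self.current:
            raise ValueError("cannot downgrade a key blob")
        return KeyBlob(blob.key_id, self.current)


def use_key(km: Keymaster, blob: KeyBlob, handles_upgrade: bool) -> Optional[KeyBlob]:
    """Client side. With handles_upgrade=True this is the correct flow: catch
    the upgrade error, ask the HAL for a rebound blob, retry. With
    handles_upgrade=False it models the failure mode described in the thread:
    the first version bump leaves the key unusable (returns None)."""
    try:
        return km.begin(blob)
    except KeyRequiresUpgrade:
        if not handles_upgrade:
            return None
        return km.begin(km.upgrade_key(blob))


def simulate_patch_update(handles_upgrade: bool) -> Optional[KeyBlob]:
    """Generate a key on one patch level, apply the next monthly patch, use it."""
    km = Keymaster(current=(13, patch_level_to_int("2022-08-05")))
    attest_key = km.generate_key("attest-key-1")
    km.current = (13, patch_level_to_int("2022-09-05"))  # OTA applied
    return use_key(km, attest_key, handles_upgrade)


if __name__ == "__main__":
    se = SecureElement()
    print(se.check_boot("2022-08-05"), se.check_boot("2022-07-05"))
    se.locked = False
    print(se.check_boot("2022-07-05"))  # unlocked: older OS boots again
    print(simulate_patch_update(True))   # rebound blob, usable
    print(simulate_patch_update(False))  # None: key stranded after the update
```

Running the script shows the locked secure element refusing the July patch level after an August boot, allowing it again once unlocked, and the same attest key either surviving the September patch (client handles the upgrade) or becoming dead weight (client does not), which is the behaviour the thread attributes to the HAL's handling of attest keys.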