
Love to see the ongoing progress here, but I'm really starting to worry that the growth of attestation on Android will make using custom ROMs like LineageOS impossible in future.

Is there any way we can fight this? Feels like there must be some EU/US consumer rights or digital market legislation somewhere that could be used to more directly object to organizations like banks saying "your phone works just fine but we actively block you from using it" especially as mobile apps become more and more obligatory for banking. It's a huge problem just in e-waste of old devices that work fine but can't be used because of the lack of updates.

Just one legal case upholding this somewhere would put a huge red flag over it and significantly discourage the whole trend.



Yeah, running GrapheneOS, this has been a big headache for me. And it's incredibly stupid too.

The app won't work natively due to a lack of attestation, so I have to fire up the browser and use the service... Exactly how is that more anti-abuse than just using an app without attestation? It's security theater and has no basis in reality.


GrapheneOS seems to be advocating for hardware attestation to solve this issue, taking advantage of its boot-loader re-locking capabilities, but it's vehemently being opposed by the Lineage OS community due to privacy concerns and because boot-loader re-locking is not an option in LOS.

[1] https://grapheneos.org/articles/attestation-compatibility-gu...


Can you scan a check from your web browser? Maybe I'm wrong, but probably not; frankly, it's a logistical miracle we can do this from our phones and the banks tolerate it, but I can see why they would still want to minimize all risk involved.

The second reason, though, that I can think a bank would want attestation is as an anti-piracy measure. With a website, you have HTTPS verifying the identity of the domain. With an app, a pirated app or a 3rd party app from any source could hypothetically intercept users' banking information, their scanned checks, or even attempt to cash their scanned checks itself. It's not about making sure the device is secure, as it is killing attempts at 3rd party, modified, or malicious clients. The last thing I want, or the bank wants, is some grandmother downloading the "Wells Fargo Bank Plus with Giant Legible Accessible Text" app she saw in an ad as an APK, installing it, and being a victim of silent fraud for years.

The third reason a bank might want it, is also just simple stupid litigant America. If such a scheme similar to the above were to occur, the bank would likely be sued by victims arguing that the above circumstance was preventable. The victims would also be correct, it was preventable. The bank is then in the unenviable position of telling the jury that supporting the rights of 0.1% of phone modders was more important than victimized grandmothers.

Or, as a bank lawyer would say, just turn on attestation, it costs basically nothing, and then none of the above could happen. Better safe than sorry. After all, is the grandmother not also a customer, and preventing malicious clients in her best interest? Sure, some customers will be inconvenienced, but this is America, where anyone depositing more than $10K is subject to an interrogation.


>The last thing I want, or the bank wants, is some grandmother downloading the "Wells Fargo Bank Plus with Giant Legible Accessible Text" app she saw in an ad as an APK, installing it, and being a victim of silent fraud for years.

I don't think this happens nowadays. Android will either block by default or give you a million prompts and warnings before it allows you to install an apk from an unknown source. It's far, far easier to install it from google play. I don't think any grandmother would manage to accidentally ignore the first 3 pages of genuine links on google and then push the right buttons that enable sideloading.


A million prompts? It's exactly one prompt to permanently allow a source.


Why would someone pirate a free banking app that they get for free from their bank anyway?


> Can you scan a check from your web browser? Maybe I'm wrong, but probably not; frankly, it's a logistical miracle we can do this from our phones and the banks tolerate it, but I can see why they would still want to minimize all risk involved.

ATMs just scan the checks now too, so why have the middle man? Usually there are limits on customer scanned deposits though, in the range of $5,000-$25,000. I've never heard of a limit on ATM deposits, although I'm sure there is one; I have had ATMs in WA decline to process warrants from CA state (like a check, but sometimes California has to wait for next fiscal year to clear it).


> Can you scan a check from your web browser?

Yes

https://developer.mozilla.org/en-US/docs/Web/API/MediaDevice...


Just because the browser offers that api does not mean that a bank will use it


What is stopping LineageOS from supporting (or faking support for) attestation?


Mainly historical reasons:

Back in 2009 during the CyanogenMod days, Google issued a C&D to the developers to keep them from distributing Google Apps alongside the main ROM. IMO it was less about the app distribution and more to force CyanogenMod to come to the table and work with Google to develop ground rules on how 3rd party ROMs would interact with Google more broadly. CyanogenMod (now LineageOS) basically agreed not to step on Google's toes. At the time it was not to distribute Google's Apps inside of the ROM. Now it's to not bypass OS level protections like Play Integrity (formerly SafetyNet).

Their stance now can be found here: https://lineageos.org/PlayIntegrity/ . Note the part that says:

> Any action taken to bypass Play Integrity risks a backlash against all custom OSes, and could cause Google to block them entirely from the Play Store.

So long as the main players follow this advice, Google tends to also ignore smaller players that _are_ working around this via Magisk or other means. It's also possible that this simply becomes non-viable after some time.

It's also worth noting that Google has ways to allow third parties to certify their devices on https://www.google.com/android/uncertified/ . This doesn't fully grant SafetyNet, but it's definitely another way Google is working with custom ROMs to ensure you have access to the Play Store.


This is an extreme oversimplification in an "Explain like I'm 5" style (terminology might also not be perfectly correct, it's more for illustration of the basic concepts):

Imagine, if inside your phone, there's your main processor named Bob. Bob runs all of your apps, Bob is occasionally stupid and gets hacked, but he means well.

Also inside your phone, is another processor named Alice. Bob can't see her even if he can send messages to her, but Alice can see Bob through a one-way mirror. Alice is also located inside of a concrete steel bunker with no entry, no exit, and UV sterilization of all single-page letters coming in or out after examination by an officer. Alice has a special ID card given to her by Google, which was only given her after Google was satisfied in the security of the bunker.

Google sends super high-secure work for Bob to do. Bob isn't the most trustworthy of fellows; so Google also sends a message asking Alice to report back on whether Bob is doing what he's supposed to. Alice sends her report back to Google with her signature on it. Google trusts that signature, because it previously inspected Alice and the security of her bunker, and knows that as long as Alice is safe and Bob can't harm her, Bob is doing the work intended.

Now, you might say, why not just make sure Bob is stronger? Well, Google tried that, but with people wanting to sideload apps, the needs of developers, security bugs, that's all extremely difficult. Having Alice do nothing but verify and sign in a super secure bunker while accepting various requests for oversight - that's easy, auditable, much easier to secure, and rarely needs change.

Where it gets even stronger is what I would call, for lack of a better word, "progressive lockdown." For example, when Bob is just starting up, Alice can check that he started up from an approved OS (Secure Boot). Once that's happened, the Secure OS might hand Alice a piece of code for the OS that is never allowed to change in the future while the device is booted (Secure Monitor / TEE). Alice doesn't have to run the code herself; just panic if that code ever changes. By doing so, the OS now has super-high-security functions for itself, that can always be changed out through any update, without Alice needing any updates, changes, or expanded attack surface herself. By that point, Alice can be OS-agnostic so it doesn't matter whether it's Bob or Kevin, and could even be a permanent hardware feature that never needs updates... oops, you've just invented TPM / Verified Boot / Titan M.
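The Bob/Alice exchange described in the comment above, as an added example that is not part of the original comment and not Google's or Android's code: a toy remote-attestation round trip in Go. The secure element ("Alice") holds an Ed25519 device key and the boot measurement latched at start-up; the verifier ("Google", or a bank relying on Google's verdict) sends a nonce, receives a signed report back via the application processor ("Bob"), and checks the signature, nonce freshness, bootloader state and an OS-hash allowlist, in that order. The key provisioning, the 49-byte report layout, the error strings and the constructed OS image hashes are all assumptions for illustration; real Play Integrity and Android Key Attestation use certificate chains and a different encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // assumed nonce size for this toy protocol

// SecureElement is "Alice": a device-unique signing key that never leaves the
// chip, plus what it measured about "Bob" at boot (latched once, fixed until reboot).
type SecureElement struct {
	priv   ed25519.PrivateKey
	osHash [32]byte // hash of the booted OS image (verified boot)
	locked bool     // bootloader locked?
}

// NewSecureElement stands in for factory provisioning. In reality Google
// certifies the public half (Alice's "ID card"); here we simply return it.
func NewSecureElement(osHash [32]byte, locked bool) (*SecureElement, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy at provisioning time: nothing sensible to do
	}
	return &SecureElement{priv: priv, osHash: osHash, locked: locked}, pub
}

// Attest answers a challenge with report = nonce || os_hash || locked_byte
// and its signature. Bob relays the bytes but has no key to forge them.
func (se *SecureElement) Attest(nonce []byte) (report, sig []byte, err error) {
	if len(nonce) != nonceLen {
		return nil, nil, errors.New("bad nonce length")
	}
	locked := byte(0)
	if se.locked {
		locked = 1
	}
	report = append(append(append([]byte{}, nonce...), se.osHash[:]...), locked)
	return report, ed25519.Sign(se.priv, report), nil
}

// Verifier is the relying party (Google, or a bank trusting Google's verdict):
// it knows the chip's public key and decides which OS images it accepts.
type Verifier struct {
	devicePub ed25519.PublicKey
	AllowedOS map[[32]byte]bool // policy: hashes of OS images we trust
	pending   map[string]bool   // nonces issued but not yet consumed
}

func NewVerifier(devicePub ed25519.PublicKey) *Verifier {
	return &Verifier{devicePub: devicePub, AllowedOS: map[[32]byte]bool{}, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce so an old report cannot be replayed.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	v.pending[string(n)] = true
	return n, nil
}

// Verify checks signature, nonce freshness, bootloader state and OS allowlist,
// in that order; anything Bob altered in transit fails the signature check.
func (v *Verifier) Verify(report, sig []byte) error {
	if len(report) != nonceLen+32+1 {
		return errors.New("malformed report")
	}
	if !ed25519.Verify(v.devicePub, report, sig) {
		return errors.New("bad signature: not from a certified chip")
	}
	nonce := string(report[:nonceLen])
	if !v.pending[nonce] {
		return errors.New("unknown or replayed nonce")
	}
	delete(v.pending, nonce) // single use
	if report[nonceLen+32] != 1 {
		return errors.New("bootloader unlocked")
	}
	var osHash [32]byte
	copy(osHash[:], report[nonceLen:nonceLen+32])
	if !v.AllowedOS[osHash] {
		return errors.New("OS image not in allowlist")
	}
	return nil
}

func main() {
	stock := sha256.Sum256([]byte("stock OS image (constructed)")) // constructed sample
	se, pub := NewSecureElement(stock, true)
	v := NewVerifier(pub)
	v.AllowedOS[stock] = true
	nonce, _ := v.Challenge()
	report, sig, _ := se.Attest(nonce)
	fmt.Println("fresh report:   ", v.Verify(report, sig)) // <nil>
	fmt.Println("replayed report:", v.Verify(report, sig)) // unknown or replayed nonce
}
```

The AllowedOS map is the policy knob: rejecting a custom ROM is a decision by whoever runs the verifier, not something the chip forces, which is the distinction behind the GrapheneOS hardware-attestation guide linked upthread (a relying party can add a custom OS's verified-boot hash to its allowlist while still rejecting unlocked bootloaders). Replay protection here depends on the verifier remembering every nonce it issued; a production service has to share or time-bound that state.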


If I weren’t so cynical, I’d expect the ongoing antitrust case to target this sort of stuff.


Just buy a separate low-cost device and use that only for your banking. It's a total non-issue, there are way more nefarious uses of SafetyNet/the attestation APIs.


It's not just banking. Though that's clearly the most inconvenient, I've heard stories of this in all sorts of contexts, and Google actively push it for _all_ apps in the play console etc now. Carrying two devices just to use basic things will work, but god that sounds annoying.

I'm curious though, what are the more nefarious uses you're concerned about?


You'll have to change it often if you're worried about safety at all. Lineage has been keeping my phone alive for five years now, and although it only updates the upper layers and there are definitely unfixed vulns in the firmware, it's much better than if I'd used the stock OS that hasn't been updated since the beginning of 2020. Banks don't or won't understand this.


> Banks don't or won't understand this.

They are not interested in that. They want attestation because they can "outsource" the responsibility to Google.


> It's a total non-issue

Buying a separate device and carrying it all the time just for banking is a big ask for most people, even for geeks who hack their Android phones.


The problem is you need banking stuff on the go more and more. Here in Spain for example people often pay friends with a service called Bizum that works through the bank's app.

It's definitely not a non issue for me.



