Comment by ulrikrasmussen 3 days ago

I run GrapheneOS, but I can't use the national digital identity app because it requires Google Play Integrity. I very much cannot do what I want without it having severe consequences because the duopoly is starting to shape the basic digital infrastructure, and critical services start requiring that I use one of the two ecosystems.

I think the principle of digital autonomy should be front and center. Surely we can figure out security models that don't imply that two American tech companies get to call the shots on what people can or cannot do on hardware that they supposedly own.

dwaite 3 days ago

Working adjacent to such digital identity app development, they are unfortunately regulated to require such device integrity approaches.

If Google Play Integrity didn't exist, the app would only be certified to run on e.g. unrooted Samsung Knox devices.

  • ulrikrasmussen 3 days ago

    Yes, but the regulation is wrong, since it is based on an irrational security analysis and cover-my-ass politics which belong in private companies and not in government institutions which are supposed to protect the freedoms of the citizens.

    The technical security requirements should not be hard to define, i.e. the platform on which the solution runs should require all keys to be device-bound with a certificate chain from the hardware manufacturer proving this to the issuers during enrollment. The operating system should also be able to verify to the issuer that the hash of the app is recognized as an official app.

    However, the strongest integrity level of solutions like Play Integrity - which is the only level that GrapheneOS cannot pass, and which only my national identity app requires - is protecting against very theoretical attacks which I don't believe actually happen in the real world, since it not only protects against fake malicious identity apps, but also against the scenario where a scammer has convinced their target to install a custom Android operating system which fakes the app integrity verification. This attack requires a victim with a technical aptitude that allows them to unlock the bootloader and use adb, but who is at the same time gullible enough to believe the attacker. It also requires that the attacker builds a malicious Android release for the exact hardware of the victim. Seriously, if the victim is this easy to manipulate and also this resourceful, then the attacker should just convince them to disable biometrics and send the phone to the attacker by mail.

    It is very very clever of Google to disguise what is essentially voluntary vendor lock-in as a security feature.
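A minimal model of the enrollment check proposed in this comment, added here as an example and not code from the thread or from any real identity app: the issuer verifies a device key certified by a pinned manufacturer root, a statement that binds a freshly generated device-bound key and the app hash to the issuer's challenge, and an allowlist of official builds. It assumes Ed25519 signatures over an ad-hoc byte layout in place of the X.509 chain and ASN.1 extension that real Android hardware key attestation uses; all keys and hashes are constructed.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)

def raw(priv):  # raw 32-byte public key of an Ed25519 private key
    return priv.public_key().public_bytes(*RAW)

def sig_ok(pub_bytes, sig, msg):
    try:
        Ed25519PublicKey.from_public_bytes(pub_bytes).verify(sig, msg)
        return True
    except InvalidSignature:
        return False

# Manufacturer root key (constructed); the issuer pins ROOT_PUB out of band.
MANUFACTURER_ROOT = Ed25519PrivateKey.generate()
ROOT_PUB = raw(MANUFACTURER_ROOT)
# Issuer-side allowlist of official app builds (constructed sample hash).
OFFICIAL_APP_HASHES = {hashlib.sha256(b"official-id-app-v1").digest()}

def provision_device(root=MANUFACTURER_ROOT):
    """Factory step: the manufacturer certifies a per-device attestation key."""
    dev = Ed25519PrivateKey.generate()
    return dev, root.sign(b"attest-key:" + raw(dev))

def enroll(dev, dev_cert, app_hash, challenge):
    """Device side: mint a device-bound key (private half never leaves the
    device); the attestation key signs bound_pub || app_hash || challenge."""
    bound = Ed25519PrivateKey.generate()
    stmt = raw(bound) + app_hash + challenge
    return {"dev_pub": raw(dev), "dev_cert": dev_cert,
            "stmt": stmt, "stmt_sig": dev.sign(stmt)}

def issuer_verify(att, challenge):
    """Issuer side: walk the chain root -> device key -> bound key, then
    apply policy (fresh challenge, official app hash). Returns the bound
    public key on success, None on any failure."""
    if not sig_ok(ROOT_PUB, att["dev_cert"], b"attest-key:" + att["dev_pub"]):
        return None  # device key was not certified by the manufacturer
    if not sig_ok(att["dev_pub"], att["stmt_sig"], att["stmt"]):
        return None  # statement not signed by the certified device key
    stmt = att["stmt"]
    if len(stmt) != 96 or stmt[64:] != challenge:
        return None  # malformed (3 x 32 bytes expected) or stale challenge
    if stmt[32:64] not in OFFICIAL_APP_HASHES:
        return None  # app hash is not an official build
    return stmt[:32]
```

The issuer pins only the manufacturer root and its allowlist of build hashes, so the check does not depend on which OS the device runs beyond what the hardware-certified key attests.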