Introducing: Unified Attestation
An open-source project for verifying the integrity of Android apps—as an alternative to Google's Play Integrity. The goal is to make apps such as banking and payment apps usable on independent Android systems without relying on Google services.
We invite developers, ROM projects, and app providers to get involved.
Unified Attestation
Unified Attestation is a free, open-source alternative to Google Play Integrity with offline verification and simple app + server integration.
(uattest.net)
#Volla #VollaOS #OpenSource #software #hardware #Privacy #Security #DeGoogle
@volla is opening up the attestation actually the way one should go? Attestation is harming the whole idea of FOSS because you can't run modified code on your own without significant drawbacks, so idk if it's the right way to build an "open" attestation process
-
@volla thanks. Your approach is better than google having a monopoly on device attestation.
-
@volla looks very promising !!

@lascapi @volla Android already has a hardware attestation system that's open to everyone unlike this centralized system. Volla, Murena and iodé are making a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
GrapheneOS (@GrapheneOS@grapheneos.social)
We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps. https://uattest.net/
GrapheneOS Mastodon (grapheneos.social)
-
@lutindiscret Android already has a hardware attestation system that's open to everyone unlike this centralized system. Volla, Murena and iodé are making a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
GrapheneOS (@GrapheneOS@grapheneos.social)
We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps. https://uattest.net/
GrapheneOS Mastodon (grapheneos.social)
-
@j_r Android already has a hardware attestation system that's open to everyone unlike this centralized system. Volla, Murena and iodé are making a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
GrapheneOS (@GrapheneOS@grapheneos.social)
We strongly oppose the Unified Attestation initiative and call for app developers supporting privacy, security and freedom on mobile to avoid it. Companies selling phones should not be deciding which operating systems people are allowed to use for apps. https://uattest.net/
GrapheneOS Mastodon (grapheneos.social)
-
@circus_maximus The last thing the world needs right now is another corporate gatekeeper promising "independence".
People have been fed that lie too many times to believe it anymore.
-
@circus_maximus @downey @Torx Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
GrapheneOS (@GrapheneOS@grapheneos.social)
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617
GrapheneOS Mastodon (grapheneos.social)
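The mechanism the post above refers to, allowing alternate operating systems by their verified boot key fingerprints, sketched as an added example that is not part of the thread and not code from any project named in it. It parses the `RootOfTrust` structure that Android key attestation carries and checks it against a relying party's own allowlist; the function names, the sample key and the "ExampleOS" entry are hypothetical, and the certificate chain is assumed to have been validated already.

```python
# Added example. Assumes the attestation certificate chain was already validated
# and the RootOfTrust SEQUENCE was extracted from the key attestation extension.
import hashlib

BOOT_STATES = {0: "Verified", 1: "SelfSigned", 2: "Unverified", 3: "Failed"}

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_root_of_trust(der):
    """RootOfTrust: verifiedBootKey, deviceLocked, verifiedBootState, [hash]."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = _tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields[:3]] != [0x04, 0x01, 0x0A]:
        raise ValueError("unexpected RootOfTrust layout")
    state = BOOT_STATES.get(int.from_bytes(fields[2][1], "big"), "Unknown")
    return {"key": fields[0][1], "locked": fields[1][1] != b"\x00", "state": state}

def os_allowed(der, allowed_keys):
    """Return the OS name for an allowlisted boot key on a locked device, else None."""
    try:
        rot = parse_root_of_trust(der)
    except (ValueError, IndexError):
        return None
    if not rot["locked"] or rot["state"] not in ("Verified", "SelfSigned"):
        return None
    return allowed_keys.get(rot["key"])

def _der(tag, value):
    return bytes([tag, len(value)]) + value

# Constructed sample: hypothetical OS key fingerprint, locked, SelfSigned state.
SAMPLE_KEY = hashlib.sha256(b"constructed example verified boot key").digest()
SAMPLE_ROT = _der(0x30, _der(0x04, SAMPLE_KEY) + _der(0x01, b"\xff")
                  + _der(0x0A, b"\x01") + _der(0x04, bytes(32)))
```

The allowlist passed to `os_allowed` is held by whoever verifies the attestation, so which operating systems pass is that verifier's own decision.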
-
@lascapi Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
GrapheneOS (@GrapheneOS@grapheneos.social)
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617
GrapheneOS Mastodon (grapheneos.social)
-
@volla Interesting approach, but: How does #unifiedattestation ensure every interested other and secure alternative ROM can also pass the test?
@GrapheneOS does heavily criticize your approach. They claim it puts you (your project) in charge of controlling which ROMs pass attestation and which do not.
Is there any room for a collaboration? It sounds as if #GrapheneOS rules this out, how about you guys from @volla? Any negotiations possible? Any common ground?
I, as a user, would just like to use those banking apps without worrying they might stop functioning anytime with any updates. Those banking-app-devs are the real culprits IMHO, to rely on something like Integritycheck theater.
@volla is your secret that you will convince banking-app-devs to open up their checks?
@Torx Android already has a hardware attestation system open to everyone unlike this centralized system. Volla, Murena and iodé made a centralized system on top of the Android hardware attestation API to permit their own products while forbidding others. They're not enabling anything which wasn't already possible and are fully dependent on standard Android hardware attestation. Unified Attestation is anti-competitive and it clearly isn't legal.
GrapheneOS (@GrapheneOS@grapheneos.social)
Android provides a standard hardware attestation system with support for alternate operating systems via allowing their verified boot key fingerprints. It's mainly used with Google's root of trust and remote key provisioning service but the API supports alternative roots of trust. Volla's Unified Attestation is fully built on Android's hardware attestation API. It solely exists to create a centralized authority and service determining what's allowed under their control. https://mastodon.social/@volla/116238706890314617
GrapheneOS Mastodon (grapheneos.social)
-
@Torx We're completely willing to file a lawsuit against @volla over this as soon as there are apps permitting their products through their system while disallowing GrapheneOS. It's not legal for Volla and multiple other companies to get together to implement a system banning using anything other than their products. We aren't going to participate in an illegal anti-competitive cartel. It's clearly against the law and should be stopped now prior to it causing clear damages to GrapheneOS.
-
@Torx @volla Devices and operating systems providing an alternative to Google's ecosystem based on AOSP is a distinct space from the broader Android app ecosystem. Companies trying to give themselves an advantage through banning arbitrary options other than their own products/services is clearly an illegal anti-competitive tactic within that space. This should be halted before it causes harm to GrapheneOS. We will not tolerate apps permitting their products through it and banning GrapheneOS.
-
@Torx @volla Volla and these other companies do not get to coerce us into participating in an illegal anti-competitive cartel where app compatibility would be harmed if we didn't participate. They do not get to coerce us into following their arbitrary demands and giving themselves veto power over GrapheneOS app compatibilities. Both Murena and iodé are hostile towards GrapheneOS including spreading endless misinformation and direct involvement in spreading/supporting libel/harassment content.
-
Hi @GrapheneOS, you said:
> Unified Attestation is anti-competitive and it clearly isn't legal.

I don't get your point with this argument.
If I understand well, Unified Attestation is a competitor of Google Play Integrity. And everyone can try to set up another competitor.
How can you say that it's not legal?
-
@lascapi Multiple companies collaborating together to make a system which permits their products and forbids using alternatives isn't legal. The whole point of Unified Attestation is that it's a centralized system on top of Android hardware attestation putting these companies in control of which devices and operating systems are allowed. Companies making the products being certified should not be the ones deciding what's allowed. It's clearly not legal for them to be forbidding alternatives.
-
@lascapi They're pushing for banking and government apps to adopt a system in which they control what's allowed to be used. They're going to be permitting their own products without reasonable security standards while locking out anything not participating in it. That's an anti-competitive cartel and not legal. We're not only going to heavily advocate against it but will file a lawsuit against Volla and the other companies involved as soon as there are apps using it while not permitting GrapheneOS.
-
Google Play Integrity is already an illegal anti-competitive practice; the difference is that Google is the only player and has sufficient resources to defend itself, this is what we call a monopoly.
Creating an alternative that does exactly the same thing is just as illegal, since this alternative is created through a collaboration between different groups because a single group would not have the resources to do it alone, in legal terms, this is called a cartel.
The GrapheneOS project account has provided many detailed answers to help clarify the situation and explain the correct approach to take.
