Doesn't work without a Google/Apple-tied device btw.
-
@pojntfx have you found in the code hard dependencies that can't be abstracted and satisfied with alternatives? I checked it quickly and the reference implementation looks very flexible and modular, so if a government wants to build it also for other OS it should be doable but I'm not 100% sure, that's why I am asking if you found road blockers in the repo?
@luboganev @pojntfx If I understand correctly (big if
), there is no strict requirement to use Play Integrity API (which excludes even GrapheneOS), but has been interpreted as such by some national implementations:
https://github.com/eu-digital-identity-wallet/eudi-app-android-wallet-ui/issues/287#issuecomment-3008971704 -
@rainer @TimothyRoes @khleedril @K4mpfie @ErikJonker @pojntfx
Which also is system-specific and therefore not portable.
What we are dealing with is a trade-off between usability, security and portability. The current approach emphasises the first two strongly over the third.
Since this is a gate-keeper app, where everyone who does not have access will also not have access to certain websites, I think a higher priority should be given to portability, even if it lowers usability or security.
@soulsource @TimothyRoes @khleedril @K4mpfie @ErikJonker @pojntfx
This hardware attestation is Android-specific, but at least not tied to Google. That fixes a major problem for a major platform. One still needs a solution for serving the rest of the market in a similarly acceptable way, of course.
-
RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749
Doesn't work without a Google/Apple-tied device btw. There is absolutely no story for how this would work on a desktop, anything without a Google/Apple account, or open source OS at all either.
@pojntfx A la unión Europea no le importa la seguridad de la infancia. Solo es una excusa
https://mastodon.social/@SecoasecasMouse/116419991571625677 -
RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749
Doesn't work without a Google/Apple-tied device btw. There is absolutely no story for how this would work on a desktop, anything without a Google/Apple account, or open source OS at all either.
@pojntfx That post is also very funny. I agree with the first two sentences but then come to the exact opposite conclusion 🫠
-
@soulsource @TimothyRoes @khleedril @K4mpfie @ErikJonker @pojntfx
This hardware attestation is Android-specific, but at least not tied to Google. That fixes a major problem for a major platform. One still needs a solution for serving the rest of the market in a similarly acceptable way, of course.
@rainer @soulsource @khleedril @K4mpfie @ErikJonker @pojntfx Yes, and correct me if I'm wrong but for an identity app that gives access to banks, taxes etc it's not unreasonable for a govt to prioritize security. You also cant work with opt-outs for powerusers because your counterparty has to be able to trust your proof of identity.
But given the anti-competitive effects maybe a neutral third party could be created? -
@rainer @soulsource @khleedril @K4mpfie @ErikJonker @pojntfx Yes, and correct me if I'm wrong but for an identity app that gives access to banks, taxes etc it's not unreasonable for a govt to prioritize security. You also cant work with opt-outs for powerusers because your counterparty has to be able to trust your proof of identity.
But given the anti-competitive effects maybe a neutral third party could be created?@TimothyRoes @rainer @khleedril @K4mpfie @ErikJonker @pojntfx There is also the option to lower usability instead of security. For instance by allowing key-storage on a dedicated device, like a FIDO token or a smartcard.
-
@soulsource @pojntfx ...why is it that so many people don't understand that improving things is a gradual process, especially in government, ofcourse we want to detach ourselves from the Google/Apple platforms, at the same time 99.9% of our citizens is there, if we can help them with this app (that remains a question by the way..), that is a "win" in my view.
@ErikJonker @soulsource @pojntfx La misma Europa que dice estar muy preocupada por la infancia es cómplice del exterminio de decenas de miles de niños en Gaza. La infancia no les importa nada, se trata de identificar a cada persona que use internet (control de edad), y saber todo lo que dicen y piensan (chatcontrol) para poder perseguir en el futuro a toda disidencia. Ya se persigue en muchos países de la UE a quienes denuncian el genocidio y se tilda de terrorista a ecologistas
-
@TimothyRoes @rainer @khleedril @K4mpfie @ErikJonker @pojntfx There is also the option to lower usability instead of security. For instance by allowing key-storage on a dedicated device, like a FIDO token or a smartcard.
@soulsource @khleedril @K4mpfie @ErikJonker @pojntfx Great point thx. I gather from the Github @rainer linked to that the idea currently is basically proof of the physical device the software is installed on, although Google also checks whether the app is installed from the Play Store and the user is logged in.
-
RE: https://ec.social-network.europa.eu/@EUCommission/116408720976324749
Doesn't work without a Google/Apple-tied device btw. There is absolutely no story for how this would work on a desktop, anything without a Google/Apple account, or open source OS at all either.
I don't support the age verification stuff at all.
But a question:
I found this apk-file on their official GitHub, a demo version of the age verification app.
Does this mean the official app, when it's released and if it's released as apk-file, can be downloaded outside the google/apple ecosystem using any phoneOS of your choice?
AOSP-based or Linux distros using the Waydroid-thingy?
And if they can publish the demo version as apk, why not then the e-wallet, when it comes, too? Using various places for apk:s is how I update certain apps today using Obtainium.
(This is an honest question, not a *statement* of how the app can be downloaded.)
"app-demo-release.2026.04-1.apk"
Release Release 2026.04-1 · eu-digital-identity-wallet/av-app-android-wallet-ui
Contribute to eu-digital-identity-wallet/av-app-android-wallet-ui development by creating an account on GitHub.
GitHub (github.com)
-
@soulsource @khleedril @K4mpfie @ErikJonker @pojntfx Great point thx. I gather from the Github @rainer linked to that the idea currently is basically proof of the physical device the software is installed on, although Google also checks whether the app is installed from the Play Store and the user is logged in.
@TimothyRoes @soulsource @khleedril @K4mpfie @ErikJonker @pojntfx
Apparently, the standard Android hardware attestation API can attest more than just the hardware. From https://grapheneos.org/articles/attestation-compatibility-guide:"The standard hardware attestation API can be used to verify the authenticity/integrity of the hardware, firmware, OS and the app running on it. It provides a verified boot key fingerprint for the OS for permitting secure aftermarket operating systems. The app ID, signing key fingerprint(s) and version code of the app enabling hardware attestation are included in the signed public key certificate for the generated key. This enables the app's service to make sure the app is genuine and unmodified along with chaining trust through the OS to the app which can sign messages with the attested hardware keystore key to prove they come from their app running on top of a verified OS, firmware and hardware. The only practical way to bypass hardware attestation is through exploiting the hardware keystore to obtain attestation signing keys, which is protected against by the ability to revoke keys that are being misused. "
-
@dukeboitans @soulsource @pojntfx ...I wish you lots of fun with all those people on mobile phones that are not using the Google or Apple platform there, it is an incredibly small niche. We can argue about the functionality, whether it is needed, useful but not any app that you can use on current smartphones in the Apple/Google ecosystem is inherently bad/garbage. Ofcourse you can be against age verification as such, there are arguments against that I agree, but many Parliaments want it.
@ErikJonker @dukeboitans @soulsource @pojntfx The "you can easily lose your Google account" part is something I think shouldn't be ignored - in this context it's more or less equivalent to the government taking away your ID and never giving you an alternative document. Except it's out of control for both you and your government and even out of our jurisdiction because it's an American lobbyist corporation.
-
M mttaggart@infosec.exchange shared this topic
